From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Thomas Osterried, Duoming Zhou, Paolo Abeni, Eric Dumazet, "David S. Miller", Sasha Levin
Subject: [PATCH 5.18 082/141] net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
Date: Mon, 20 Jun 2022 14:50:20 +0200
Message-Id: <20220620124731.963247984@linuxfoundation.org>
In-Reply-To: <20220620124729.509745706@linuxfoundation.org>
References: <20220620124729.509745706@linuxfoundation.org>

From: Duoming Zhou

[ Upstream commit 219b51a6f040fa5367adadd7d58c4dda0896a01d ]

The skb_recv_datagram() in ax25_recvmsg() will hold lock_sock
and block until it receives a packet from the remote. If the client
doesn't connect to server and calls read() directly, it will not
receive any packets forever. As a result, the deadlock will happen.

The fail log caused by deadlock is shown below:

[ 369.606973] INFO: task ax25_deadlock:157 blocked for more than 245 seconds.
[ 369.608919] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 369.613058] Call Trace:
[ 369.613315]
[ 369.614072] __schedule+0x2f9/0xb20
[ 369.615029] schedule+0x49/0xb0
[ 369.615734] __lock_sock+0x92/0x100
[ 369.616763] ? destroy_sched_domains_rcu+0x20/0x20
[ 369.617941] lock_sock_nested+0x6e/0x70
[ 369.618809] ax25_bind+0xaa/0x210
[ 369.619736] __sys_bind+0xca/0xf0
[ 369.620039] ? do_futex+0xae/0x1b0
[ 369.620387] ? __x64_sys_futex+0x7c/0x1c0
[ 369.620601] ? fpregs_assert_state_consistent+0x19/0x40
[ 369.620613] __x64_sys_bind+0x11/0x20
[ 369.621791] do_syscall_64+0x3b/0x90
[ 369.622423] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 369.623319] RIP: 0033:0x7f43c8aa8af7
[ 369.624301] RSP: 002b:00007f43c8197ef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[ 369.625756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f43c8aa8af7
[ 369.626724] RDX: 0000000000000010 RSI: 000055768e2021d0 RDI: 0000000000000005
[ 369.628569] RBP: 00007f43c8197f00 R08: 0000000000000011 R09: 00007f43c8198700
[ 369.630208] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff845e6afe
[ 369.632240] R13: 00007fff845e6aff R14: 00007f43c8197fc0 R15: 00007f43c8198700

This patch replaces skb_recv_datagram() with an open-coded variant of it
releasing the socket lock before the __skb_wait_for_more_packets() call
and re-acquiring it after such call in order that other functions that
need socket lock could be executed.

What's more, the socket lock will be released only when recvmsg() will
block and that should produce nicer overall behavior.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Thomas Osterried
Signed-off-by: Duoming Zhou
Reported-by: Thomas Habets
Acked-by: Paolo Abeni
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/ax25/af_ax25.c | 33 ++++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 95393bb2760b..4c7030ed8d33 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1661,9 +1661,12 @@ static int ax25_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, int flags) { struct sock *sk = sock->sk; - struct sk_buff *skb; + struct sk_buff *skb, *last; + struct sk_buff_head *sk_queue; int copied; int err = 0; + int off = 0; + long timeo; lock_sock(sk); /* @@ -1675,10 +1678,29 @@ static int ax25_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, goto out; } - /* Now we can treat all alike */ - skb = skb_recv_datagram(sk, flags, &err); - if (skb == NULL) - goto out; + /* We need support for non-blocking reads. */ + sk_queue = &sk->sk_receive_queue; + skb = __skb_try_recv_datagram(sk, sk_queue, flags, &off, &err, &last); + /* If no packet is available, release_sock(sk) and try again. */ + if (!skb) { + if (err != -EAGAIN) + goto out; + release_sock(sk); + timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + while (timeo && !__skb_wait_for_more_packets(sk, sk_queue, &err, + &timeo, last)) { + skb = __skb_try_recv_datagram(sk, sk_queue, flags, &off, + &err, &last); + if (skb) + break; + + if (err != -EAGAIN) + goto done; + } + if (!skb) + goto done; + lock_sock(sk); + } if (!sk_to_ax25(sk)->pidincl) skb_pull(skb, 1); /* Remove PID */ @@ -1725,6 +1747,7 @@ static int ax25_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, out: release_sock(sk); +done: return err; } -- 2.35.1
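
Review bot: In the second hunk (@@ -1675,10 +1678,29 @@), the check that ends in the first "goto out;" ran under the socket lock, but after release_sock(sk) and the wait loop nothing repeats it once lock_sock(sk) is retaken, so the code from "if (!sk_to_ax25(sk)->pidincl)" onward runs on whatever state the socket reached while the lock was dropped. Either re-validate after the trailing lock_sock(sk) or add a comment explaining why a change of state during the wait is harmless here. The new comment "We need support for non-blocking reads." also does not describe the block; it should say that the socket lock is dropped while waiting so that other lock holders, such as the ax25_bind() in the trace, can make progress.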
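
Review bot: In the last hunk (@@ -1725,6 +1747,7 @@), the new "done:" label sits directly under "out: release_sock(sk);" with no indication that the two labels require different lock states: "out" must be entered with the socket lock held, "done" with it already released. Add a one-line comment at "done:" stating that it is reached only after release_sock(sk), so that a later edit does not route a locked path to "done" (leaving the lock held on return) or an unlocked path to "out" (releasing twice).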