Netdev Archive on lore.kernel.org
help / color / mirror / Atom feed
* [Patch bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg()
@ 2021-07-23 18:36 Cong Wang
  2021-07-27 16:12 ` John Fastabend
  2021-07-28 10:12 ` Jakub Sitnicki
  0 siblings, 2 replies; 6+ messages in thread
From: Cong Wang @ 2021-07-23 18:36 UTC (permalink / raw)
  To: netdev
  Cc: Cong Wang, Eric Dumazet, John Fastabend, Daniel Borkmann,
	Jakub Sitnicki, Lorenz Bauer

From: Cong Wang <cong.wang@bytedance.com>

As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
too, so we have to release it before calling this function.

Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jakub Sitnicki <jakub@cloudflare.com>
Cc: Lorenz Bauer <lmb@cloudflare.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
 net/unix/unix_bpf.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
index db0cda29fb2f..b07cb30e87b1 100644
--- a/net/unix/unix_bpf.c
+++ b/net/unix/unix_bpf.c
@@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
 	mutex_lock(&u->iolock);
 	if (!skb_queue_empty(&sk->sk_receive_queue) &&
 	    sk_psock_queue_empty(psock)) {
-		ret = __unix_dgram_recvmsg(sk, msg, len, flags);
-		goto out;
+		mutex_unlock(&u->iolock);
+		sk_psock_put(sk, psock);
+		return __unix_dgram_recvmsg(sk, msg, len, flags);
 	}
 
 msg_bytes_ready:
@@ -68,13 +69,13 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
 		if (data) {
 			if (!sk_psock_queue_empty(psock))
 				goto msg_bytes_ready;
-			ret = __unix_dgram_recvmsg(sk, msg, len, flags);
-			goto out;
+			mutex_unlock(&u->iolock);
+			sk_psock_put(sk, psock);
+			return __unix_dgram_recvmsg(sk, msg, len, flags);
 		}
 		copied = -EAGAIN;
 	}
 	ret = copied;
-out:
 	mutex_unlock(&u->iolock);
 	sk_psock_put(sk, psock);
 	return ret;
-- 
2.27.0


^ permalink raw reply	[flat|nested] 6+ messages in thread

* RE: [Patch bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg()
  2021-07-23 18:36 [Patch bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg() Cong Wang
@ 2021-07-27 16:12 ` John Fastabend
  2021-07-28  3:06   ` Cong Wang
  2021-07-28 10:12 ` Jakub Sitnicki
  1 sibling, 1 reply; 6+ messages in thread
From: John Fastabend @ 2021-07-27 16:12 UTC (permalink / raw)
  To: Cong Wang, netdev
  Cc: Cong Wang, Eric Dumazet, John Fastabend, Daniel Borkmann,
	Jakub Sitnicki, Lorenz Bauer

Cong Wang wrote:
> From: Cong Wang <cong.wang@bytedance.com>
> 
> As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
> too, so we have to release it before calling this function.
> 
> Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Jakub Sitnicki <jakub@cloudflare.com>
> Cc: Lorenz Bauer <lmb@cloudflare.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> ---
>  net/unix/unix_bpf.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> index db0cda29fb2f..b07cb30e87b1 100644
> --- a/net/unix/unix_bpf.c
> +++ b/net/unix/unix_bpf.c
> @@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
>  	mutex_lock(&u->iolock);
>  	if (!skb_queue_empty(&sk->sk_receive_queue) &&
>  	    sk_psock_queue_empty(psock)) {
> -		ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> -		goto out;
> +		mutex_unlock(&u->iolock);
> +		sk_psock_put(sk, psock);
> +		return __unix_dgram_recvmsg(sk, msg, len, flags);
>  	}

Is there a reason to grab the mutex_lock(u->iolock) above the
skb_queue_emptyaand sk_psock_queue_empty checks?

Could it be move here just above the msg_bytes_ready label?

>  
>  msg_bytes_ready:
> @@ -68,13 +69,13 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
>  		if (data) {
>  			if (!sk_psock_queue_empty(psock))
>  				goto msg_bytes_ready;
> -			ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> -			goto out;
> +			mutex_unlock(&u->iolock);
> +			sk_psock_put(sk, psock);
> +			return __unix_dgram_recvmsg(sk, msg, len, flags);
>  		}
>  		copied = -EAGAIN;
>  	}
>  	ret = copied;
> -out:
>  	mutex_unlock(&u->iolock);
>  	sk_psock_put(sk, psock);
>  	return ret;
> -- 
> 2.27.0
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Patch bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg()
  2021-07-27 16:12 ` John Fastabend
@ 2021-07-28  3:06   ` Cong Wang
  0 siblings, 0 replies; 6+ messages in thread
From: Cong Wang @ 2021-07-28  3:06 UTC (permalink / raw)
  To: John Fastabend
  Cc: Linux Kernel Network Developers, Cong Wang, Eric Dumazet,
	Daniel Borkmann, Jakub Sitnicki, Lorenz Bauer

On Tue, Jul 27, 2021 at 9:12 AM John Fastabend <john.fastabend@gmail.com> wrote:
>
> Is there a reason to grab the mutex_lock(u->iolock) above the
> skb_queue_emptyaand sk_psock_queue_empty checks?
>
> Could it be move here just above the msg_bytes_ready label?

The check of the receive queue is more accurate with lock.

Thanks.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Patch bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg()
  2021-07-23 18:36 [Patch bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg() Cong Wang
  2021-07-27 16:12 ` John Fastabend
@ 2021-07-28 10:12 ` Jakub Sitnicki
  2021-07-28 18:52   ` John Fastabend
  1 sibling, 1 reply; 6+ messages in thread
From: Jakub Sitnicki @ 2021-07-28 10:12 UTC (permalink / raw)
  To: Cong Wang
  Cc: netdev, Cong Wang, Eric Dumazet, John Fastabend, Daniel Borkmann,
	Lorenz Bauer

On Fri, Jul 23, 2021 at 08:36 PM CEST, Cong Wang wrote:
> From: Cong Wang <cong.wang@bytedance.com>
>
> As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
> too, so we have to release it before calling this function.
>
> Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Jakub Sitnicki <jakub@cloudflare.com>
> Cc: Lorenz Bauer <lmb@cloudflare.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> ---
>  net/unix/unix_bpf.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> index db0cda29fb2f..b07cb30e87b1 100644
> --- a/net/unix/unix_bpf.c
> +++ b/net/unix/unix_bpf.c
> @@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
>  	mutex_lock(&u->iolock);
>  	if (!skb_queue_empty(&sk->sk_receive_queue) &&
>  	    sk_psock_queue_empty(psock)) {
> -		ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> -		goto out;
> +		mutex_unlock(&u->iolock);
> +		sk_psock_put(sk, psock);
> +		return __unix_dgram_recvmsg(sk, msg, len, flags);
>  	}
>  
>  msg_bytes_ready:
> @@ -68,13 +69,13 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
>  		if (data) {
>  			if (!sk_psock_queue_empty(psock))
>  				goto msg_bytes_ready;
> -			ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> -			goto out;
> +			mutex_unlock(&u->iolock);
> +			sk_psock_put(sk, psock);
> +			return __unix_dgram_recvmsg(sk, msg, len, flags);
>  		}
>  		copied = -EAGAIN;
>  	}
>  	ret = copied;
> -out:
>  	mutex_unlock(&u->iolock);
>  	sk_psock_put(sk, psock);
>  	return ret;

Nit: Can be just `return copied`. `ret` became useless.

Acked-by: Jakub Sitnicki <jakub@cloudflare.com>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Patch bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg()
  2021-07-28 10:12 ` Jakub Sitnicki
@ 2021-07-28 18:52   ` John Fastabend
  2021-07-30 19:45     ` Andrii Nakryiko
  0 siblings, 1 reply; 6+ messages in thread
From: John Fastabend @ 2021-07-28 18:52 UTC (permalink / raw)
  To: Jakub Sitnicki, Cong Wang
  Cc: netdev, Cong Wang, Eric Dumazet, John Fastabend, Daniel Borkmann,
	Lorenz Bauer

Jakub Sitnicki wrote:
> On Fri, Jul 23, 2021 at 08:36 PM CEST, Cong Wang wrote:
> > From: Cong Wang <cong.wang@bytedance.com>
> >
> > As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
> > too, so we have to release it before calling this function.
> >
> > Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
> > Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> > Cc: John Fastabend <john.fastabend@gmail.com>
> > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > Cc: Jakub Sitnicki <jakub@cloudflare.com>
> > Cc: Lorenz Bauer <lmb@cloudflare.com>
> > Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> > ---
> >  net/unix/unix_bpf.c | 11 ++++++-----
> >  1 file changed, 6 insertions(+), 5 deletions(-)
> >
> > diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> > index db0cda29fb2f..b07cb30e87b1 100644
> > --- a/net/unix/unix_bpf.c
> > +++ b/net/unix/unix_bpf.c
> > @@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> >  	mutex_lock(&u->iolock);
> >  	if (!skb_queue_empty(&sk->sk_receive_queue) &&
> >  	    sk_psock_queue_empty(psock)) {
> > -		ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> > -		goto out;
> > +		mutex_unlock(&u->iolock);
> > +		sk_psock_put(sk, psock);
> > +		return __unix_dgram_recvmsg(sk, msg, len, flags);
> >  	}
> >  
> >  msg_bytes_ready:
> > @@ -68,13 +69,13 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> >  		if (data) {
> >  			if (!sk_psock_queue_empty(psock))
> >  				goto msg_bytes_ready;
> > -			ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> > -			goto out;
> > +			mutex_unlock(&u->iolock);
> > +			sk_psock_put(sk, psock);
> > +			return __unix_dgram_recvmsg(sk, msg, len, flags);
> >  		}
> >  		copied = -EAGAIN;
> >  	}
> >  	ret = copied;
> > -out:
> >  	mutex_unlock(&u->iolock);
> >  	sk_psock_put(sk, psock);
> >  	return ret;
> 
> Nit: Can be just `return copied`. `ret` became useless.
> 
> Acked-by: Jakub Sitnicki <jakub@cloudflare.com>

Worth doing the small cleanup pointed out by Jakub but feel free to add
my ack.

Acked-by: John Fastabend <john.fastabend@gmail.com>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Patch bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg()
  2021-07-28 18:52   ` John Fastabend
@ 2021-07-30 19:45     ` Andrii Nakryiko
  0 siblings, 0 replies; 6+ messages in thread
From: Andrii Nakryiko @ 2021-07-30 19:45 UTC (permalink / raw)
  To: John Fastabend
  Cc: Jakub Sitnicki, Cong Wang, Networking, Cong Wang, Eric Dumazet,
	Daniel Borkmann, Lorenz Bauer

On Wed, Jul 28, 2021 at 11:53 AM John Fastabend
<john.fastabend@gmail.com> wrote:
>
> Jakub Sitnicki wrote:
> > On Fri, Jul 23, 2021 at 08:36 PM CEST, Cong Wang wrote:
> > > From: Cong Wang <cong.wang@bytedance.com>
> > >
> > > As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
> > > too, so we have to release it before calling this function.
> > >
> > > Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
> > > Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> > > Cc: John Fastabend <john.fastabend@gmail.com>
> > > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > > Cc: Jakub Sitnicki <jakub@cloudflare.com>
> > > Cc: Lorenz Bauer <lmb@cloudflare.com>
> > > Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> > > ---
> > >  net/unix/unix_bpf.c | 11 ++++++-----
> > >  1 file changed, 6 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> > > index db0cda29fb2f..b07cb30e87b1 100644
> > > --- a/net/unix/unix_bpf.c
> > > +++ b/net/unix/unix_bpf.c
> > > @@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> > >     mutex_lock(&u->iolock);
> > >     if (!skb_queue_empty(&sk->sk_receive_queue) &&
> > >         sk_psock_queue_empty(psock)) {
> > > -           ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> > > -           goto out;
> > > +           mutex_unlock(&u->iolock);
> > > +           sk_psock_put(sk, psock);
> > > +           return __unix_dgram_recvmsg(sk, msg, len, flags);
> > >     }
> > >
> > >  msg_bytes_ready:
> > > @@ -68,13 +69,13 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> > >             if (data) {
> > >                     if (!sk_psock_queue_empty(psock))
> > >                             goto msg_bytes_ready;
> > > -                   ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> > > -                   goto out;
> > > +                   mutex_unlock(&u->iolock);
> > > +                   sk_psock_put(sk, psock);
> > > +                   return __unix_dgram_recvmsg(sk, msg, len, flags);
> > >             }
> > >             copied = -EAGAIN;
> > >     }
> > >     ret = copied;
> > > -out:
> > >     mutex_unlock(&u->iolock);
> > >     sk_psock_put(sk, psock);
> > >     return ret;
> >
> > Nit: Can be just `return copied`. `ret` became useless.
> >
> > Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
>
> Worth doing the small cleanup pointed out by Jakub but feel free to add
> my ack.
>

I cleaned it up while applying. Applied to bpf-next, thanks.

> Acked-by: John Fastabend <john.fastabend@gmail.com>

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-07-30 19:45 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-23 18:36 [Patch bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg() Cong Wang
2021-07-27 16:12 ` John Fastabend
2021-07-28  3:06   ` Cong Wang
2021-07-28 10:12 ` Jakub Sitnicki
2021-07-28 18:52   ` John Fastabend
2021-07-30 19:45     ` Andrii Nakryiko

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).