LVS
lvs-devel
Google
 
Web LinuxVirtualServer.org

Re: [PATCH net] ipvs: fix rtnl_lock lockups caused by start_sync_thread

To: Simon Horman <horms@xxxxxxxxxxxx>
Subject: Re: [PATCH net] ipvs: fix rtnl_lock lockups caused by start_sync_thread
Cc: Julian Anastasov <ja@xxxxxx>, lvs-devel@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Mon, 9 Apr 2018 16:53:22 +0200
On Mon, Apr 09, 2018 at 10:20:18AM +0300, Simon Horman wrote:
> On Sat, Apr 07, 2018 at 03:50:47PM +0300, Julian Anastasov wrote:
> > syzkaller reports for wrong rtnl_lock usage in sync code [1] and [2]
> > 
> > We have 2 problems in start_sync_thread if error path is
> > taken, eg. on memory allocation error or failure to configure
> > sockets for mcast group or addr/port binding:
> > 
> > 1. recursive locking: holding rtnl_lock while calling sock_release
> > which in turn calls again rtnl_lock in ip_mc_drop_socket to leave
> > the mcast group, as noticed by Florian Westphal. Additionally,
> > sock_release can not be called while holding sync_mutex (ABBA
> > deadlock).
> > 
> > 2. task hung: holding rtnl_lock while calling kthread_stop to
> > stop the running kthreads. As the kthreads do the same to leave
> > the mcast group (sock_release -> ip_mc_drop_socket -> rtnl_lock)
> > they hang.
> > 
> > Fix the problems by calling rtnl_unlock early in the error path,
> > now sock_release is called after unlocking both mutexes.
> > 
> > Problem 3 (task hung reported by syzkaller [2]) is variant of
> > problem 2: use _trylock to prevent one user to call rtnl_lock and
> > then while waiting for sync_mutex to block kthreads that execute
> > sock_release when they are stopped by stop_sync_thread.
> 
> ...
> 
> > Reported-and-tested-by: 
> > syzbot+a46d6abf9d56b1365a72@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Reported-and-tested-by: 
> > syzbot+5fe074c01b2032ce9618@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Fixes: e0b26cc997d5 ("ipvs: call rtnl_lock early")
> > Signed-off-by: Julian Anastasov <ja@xxxxxx>
> 
> Signed-off-by: Simon Horman <horms@xxxxxxxxxxxx>
> 
> Pablo, could you take this directly into nf and then onwards to net?

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

<Prev in Thread] Current Thread [Next in Thread>