Re: [PATCH] net/smc: fix TCP fallback socket release
Hi Myungho, Thank you for the patch! Perhaps something to improve: [auto build test WARNING on net-next/master] [also build test WARNING on v4.20-rc7 next-20181214] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Myungho-Jung/net-smc-fix-TCP-fallback-socket-release/20181217-122513 config: x86_64-randconfig-x015-201850 (attached as .config) compiler: gcc-7 (Debian 7.3.0-1) 7.3.0 reproduce: # save the attached .config to linux build tree make ARCH=x86_64 Note: it may well be a FALSE warning. FWIW you are at least aware of it now. http://gcc.gnu.org/wiki/Better_Uninitialized_Warnings All warnings (new ones prefixed by >>): net/smc/af_smc.c: In function 'smc_tcp_listen_work': >> net/smc/af_smc.c:1318:6: warning: 'rc' may be used uninitialized in this >> function [-Wmaybe-uninitialized] if (rc) ^ vim +/rc +1318 net/smc/af_smc.c a046d57d Ursula Braun 2017-01-09 1306 a046d57d Ursula Braun 2017-01-09 1307 static void smc_tcp_listen_work(struct work_struct *work) a046d57d Ursula Braun 2017-01-09 1308 { a046d57d Ursula Braun 2017-01-09 1309 struct smc_sock *lsmc = container_of(work, struct smc_sock, a046d57d Ursula Braun 2017-01-09 1310 tcp_listen_work); 3163c507 Ursula Braun 2018-01-24 1311 struct sock *lsk = >sk; a046d57d Ursula Braun 2017-01-09 1312 struct smc_sock *new_smc; a046d57d Ursula Braun 2017-01-09 1313 int rc = 0; a046d57d Ursula Braun 2017-01-09 1314 3163c507 Ursula Braun 2018-01-24 1315 lock_sock(lsk); 3163c507 Ursula Braun 2018-01-24 1316 while (lsk->sk_state == SMC_LISTEN) { a046d57d Ursula Braun 2017-01-09 1317 rc = smc_clcsock_accept(lsmc, _smc); a046d57d Ursula Braun 2017-01-09 @1318 if (rc) a046d57d Ursula Braun 2017-01-09 1319 goto out; a046d57d Ursula Braun 2017-01-09 1320 if (!new_smc) a046d57d Ursula Braun 2017-01-09 1321 continue; a046d57d Ursula Braun 2017-01-09 1322 a046d57d Ursula Braun 2017-01-09 1323 new_smc->listen_smc = lsmc; ee9dfbef Ursula Braun 2018-04-26 1324 new_smc->use_fallback = lsmc->use_fallback; 603cc149 Karsten Graul 2018-07-25 1325 new_smc->fallback_rsn = lsmc->fallback_rsn; 3163c507 Ursula Braun 2018-01-24 1326 sock_hold(lsk); /* sock_put in smc_listen_work */ a046d57d Ursula Braun 2017-01-09 1327 INIT_WORK(_smc->smc_listen_work, smc_listen_work); a046d57d Ursula Braun 2017-01-09 1328 smc_copy_sock_settings_to_smc(new_smc); bd58c7e0 Ursula Braun 2018-08-08 1329 new_smc->sk.sk_sndbuf = lsmc->sk.sk_sndbuf; bd58c7e0 Ursula Braun 2018-08-08 1330 new_smc->sk.sk_rcvbuf = lsmc->sk.sk_rcvbuf; 51f1de79 Ursula Braun 2018-01-26 1331 sock_hold(_smc->sk); /* sock_put in passive closing */ 51f1de79 Ursula Braun 2018-01-26 1332 if (!schedule_work(_smc->smc_listen_work)) 51f1de79 Ursula Braun 2018-01-26 1333 sock_put(_smc->sk); a046d57d Ursula Braun 2017-01-09 1334 } a046d57d Ursula Braun 2017-01-09 1335 a046d57d Ursula Braun 2017-01-09 1336 out: 3163c507 Ursula Braun 2018-01-24 1337 release_sock(lsk); 51f1de79 Ursula Braun 2018-01-26 1338 sock_put(>sk); /* sock_hold in smc_listen */ a046d57d Ursula Braun 2017-01-09 1339 } a046d57d Ursula Braun 2017-01-09 1340 :: The code at line 1318 was first introduced by commit :: a046d57da19f812216f393e7c535f5858f793ac3 smc: CLC handshake (incl. preparation steps) :: TO: Ursula Braun :: CC: David S. Miller --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation .config.gz Description: application/gzip
[PATCH] net/smc: fix TCP fallback socket release
clcsock can be released while kernel_accept() references it in TCP listen worker. Also, clcsock needs to wake up before released if TCP fallback is used and the clcsock is blocked by accept. Add a lock to safely release clcsock and call kernel_sock_shutdown() to wake up clcsock from accept in smc_release(). Reported-by: syzbot+0bf2e01269f1274b4...@syzkaller.appspotmail.com Reported-by: syzbot+e3132895630f95730...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/smc/af_smc.c | 12 +++- net/smc/smc.h| 2 ++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c index 5fbaf1901571..a127a13689c3 100644 --- a/net/smc/af_smc.c +++ b/net/smc/af_smc.c @@ -147,8 +147,14 @@ static int smc_release(struct socket *sock) sk->sk_shutdown |= SHUTDOWN_MASK; } if (smc->clcsock) { + if (smc->use_fallback && sk->sk_state == SMC_LISTEN) { + /* wake up clcsock accept */ + rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); + } + mutex_lock(>clcsock_release_lock); sock_release(smc->clcsock); smc->clcsock = NULL; + mutex_unlock(>clcsock_release_lock); } if (smc->use_fallback) { if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT) @@ -205,6 +211,7 @@ static struct sock *smc_sock_alloc(struct net *net, struct socket *sock, spin_lock_init(>conn.send_lock); sk->sk_prot->hash(sk); sk_refcnt_debug_inc(sk); + mutex_init(>clcsock_release_lock); return sk; } @@ -834,7 +841,10 @@ static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc) } *new_smc = smc_sk(new_sk); - rc = kernel_accept(lsmc->clcsock, _clcsock, 0); + mutex_lock(>clcsock_release_lock); + if (lsmc->clcsock) + rc = kernel_accept(lsmc->clcsock, _clcsock, 0); + mutex_unlock(>clcsock_release_lock); lock_sock(lsk); if (rc < 0) lsk->sk_err = -rc; diff --git a/net/smc/smc.h b/net/smc/smc.h index 08786ace6010..9a2795cf5d30 100644 --- a/net/smc/smc.h +++ b/net/smc/smc.h @@ -219,6 +219,8 @@ struct smc_sock { /* smc sock container */ * started, waiting for unsent * data to be sent */ + struct mutexclcsock_release_lock; + /* protects clcsock */ }; static inline struct smc_sock *smc_sk(const struct sock *sk) -- 2.17.1