archive mirror
 help / color / mirror / Atom feed
From: Jakub Sitnicki <>
To: Tetsuo Handa <>
Cc:, "David S. Miller" <>,
	Eric Dumazet <>,
	Jakub Kicinski <>, Paolo Abeni <>,
	Tom Parkin <>,,,
Subject: Re: [PATCH net] l2tp: Don't sleep and disable BH under writer-side sk_callback_lock
Date: Mon, 21 Nov 2022 22:55:44 +0100	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On Mon, Nov 21, 2022 at 07:03 PM +09, Tetsuo Handa wrote:
> On 2022/11/21 18:00, Jakub Sitnicki wrote:
>>> Is it safe to temporarily set a dummy pointer like below?
>>> If it is not safe, what makes assignments done by
>>> setup_udp_tunnel_sock() safe?
>> Yes, I think so. Great idea. I've used it in v2.
> So, you are sure that e.g.
> 	udp_sk(sk)->gro_receive = cfg->gro_receive;
> in setup_udp_tunnel_sock() (where the caller is passing cfg->gro_receive == NULL)
> never races with e.g. below check (because the socket might be sending/receiving
> in progress since the socket is retrieved via user-specified file descriptor) ?
> Then, v2 patch would be OK for fixing this regression. (But I think we still should
> avoid retrieving a socket from user-specified file descriptor in order to avoid
> lockdep race window.)
> struct sk_buff *udp_gro_receive(struct list_head *head, struct sk_buff *skb,
>                                 struct udphdr *uh, struct sock *sk)
> {
> 	(...snipped...)
>         if (!sk || !udp_sk(sk)->gro_receive) {
> 		(...snipped...)
>                 /* no GRO, be sure flush the current packet */
>                 goto out;
>         }
> 	(...snipped...)
>         pp = call_gro_receive_sk(udp_sk(sk)->gro_receive, sk, head, skb);
> out:
>         skb_gro_flush_final(skb, pp, flush);
>         return pp;
> }

First, let me say, that I get the impression that setup_udp_tunnel_sock
was not really meant to be used on pre-existing sockets created by
user-space. Even though l2tp and gtp seem to be doing that.

That is because, I don't see how it could be used properly. Given that
we need to check-and-set sk_user_data under sk_callback_lock, which
setup_udp_tunnel_sock doesn't grab itself. At the same time it might
sleep. There is no way to apply it without resorting to tricks, like we
did here.

So - yeah - there may be other problems. But if there are, they are not
related to the faulty commit b68777d54fac ("l2tp: Serialize access to
sk_user_data with sk_callback_lock"), which we're trying to fix. There
was no locking present in l2tp_tunnel_register before that point.

>> We can check & assign sk_user_data under sk_callback_lock, and then just
>> let setup_udp_tunnel_sock overwrite it with the same value, without
>> holding the lock.
> Given that sk_user_data is RCU-protected on reader-side, don't we need to
> wait for RCU grace period after resetting to NULL?

Who would be the reader?

If you have l2tp_udp_encap_recv in mind - the encap_rcv callback has not
been set yet, if we are on the error handling path in

In general, though, yes - I think you are right. We must synchronize_rcu
before we kfree the tunnel.

However, that is also not related to the race to check-and-set
sk_user_data, which commit b68777d54fac is trying to fix.

  reply	other threads:[~2022-11-21 23:16 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-19 13:03 [PATCH net] l2tp: Don't sleep and disable BH under writer-side sk_callback_lock Jakub Sitnicki
2022-11-19 13:52 ` Tetsuo Handa
2022-11-19 14:27   ` Tetsuo Handa
2022-11-21  9:00     ` Jakub Sitnicki
2022-11-21 10:03       ` Tetsuo Handa
2022-11-21 21:55         ` Jakub Sitnicki [this message]
2022-11-22  9:48           ` Tetsuo Handa
2022-11-22 10:46             ` Jakub Sitnicki
2022-11-22 11:14               ` Tetsuo Handa
2022-11-22 14:10                 ` Guillaume Nault
2022-11-22 14:28                   ` Tetsuo Handa
2022-11-23 15:24                     ` Guillaume Nault
2022-11-24 10:07                       ` Tom Parkin
2022-11-24 10:27                         ` Guillaume Nault
2022-11-21  9:00   ` Jakub Sitnicki

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).