diff mbox series

[bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg()

Message ID 20210723183630.5088-1-xiyou.wangcong@gmail.com (mailing list archive)
State Accepted
Delegated to: BPF
Headers show
Series [bpf-next] unix_bpf: fix a potential deadlock in unix_dgram_bpf_recvmsg() | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for bpf-next
netdev/subject_prefix success Link
netdev/cc_maintainers fail 1 blamed authors not CCed: ast@kernel.org; 9 maintainers not CCed: yhs@fb.com kpsingh@kernel.org bpf@vger.kernel.org andrii@kernel.org kafai@fb.com ast@kernel.org songliubraving@fb.com davem@davemloft.net kuba@kernel.org
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 27 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/header_inline success Link

Commit Message

Cong Wang July 23, 2021, 6:36 p.m. UTC 
From: Cong Wang <cong.wang@bytedance.com>

As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
too, so we have to release it before calling this function.

Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jakub Sitnicki <jakub@cloudflare.com>
Cc: Lorenz Bauer <lmb@cloudflare.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
 net/unix/unix_bpf.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

Comments

John Fastabend July 27, 2021, 4:12 p.m. UTC | #1 
Cong Wang wrote:
> From: Cong Wang <cong.wang@bytedance.com>
> 
> As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
> too, so we have to release it before calling this function.
> 
> Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Jakub Sitnicki <jakub@cloudflare.com>
> Cc: Lorenz Bauer <lmb@cloudflare.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> ---
>  net/unix/unix_bpf.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> index db0cda29fb2f..b07cb30e87b1 100644
> --- a/net/unix/unix_bpf.c
> +++ b/net/unix/unix_bpf.c
> @@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
>  	mutex_lock(&u->iolock);
>  	if (!skb_queue_empty(&sk->sk_receive_queue) &&
>  	    sk_psock_queue_empty(psock)) {
> -		ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> -		goto out;
> +		mutex_unlock(&u->iolock);
> +		sk_psock_put(sk, psock);
> +		return __unix_dgram_recvmsg(sk, msg, len, flags);
>  	}

Is there a reason to grab the mutex_lock(u->iolock) above the
skb_queue_emptyaand sk_psock_queue_empty checks?

Could it be move here just above the msg_bytes_ready label?

>  
>  msg_bytes_ready:
> @@ -68,13 +69,13 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
>  		if (data) {
>  			if (!sk_psock_queue_empty(psock))
>  				goto msg_bytes_ready;
> -			ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> -			goto out;
> +			mutex_unlock(&u->iolock);
> +			sk_psock_put(sk, psock);
> +			return __unix_dgram_recvmsg(sk, msg, len, flags);
>  		}
>  		copied = -EAGAIN;
>  	}
>  	ret = copied;
> -out:
>  	mutex_unlock(&u->iolock);
>  	sk_psock_put(sk, psock);
>  	return ret;
> -- 
> 2.27.0
>
Cong Wang July 28, 2021, 3:06 a.m. UTC | #2 
On Tue, Jul 27, 2021 at 9:12 AM John Fastabend <john.fastabend@gmail.com> wrote:
>
> Is there a reason to grab the mutex_lock(u->iolock) above the
> skb_queue_emptyaand sk_psock_queue_empty checks?
>
> Could it be move here just above the msg_bytes_ready label?

The check of the receive queue is more accurate with lock.

Thanks.
Jakub Sitnicki July 28, 2021, 10:12 a.m. UTC | #3 
On Fri, Jul 23, 2021 at 08:36 PM CEST, Cong Wang wrote:
> From: Cong Wang <cong.wang@bytedance.com>
>
> As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
> too, so we have to release it before calling this function.
>
> Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Jakub Sitnicki <jakub@cloudflare.com>
> Cc: Lorenz Bauer <lmb@cloudflare.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> ---
>  net/unix/unix_bpf.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> index db0cda29fb2f..b07cb30e87b1 100644
> --- a/net/unix/unix_bpf.c
> +++ b/net/unix/unix_bpf.c
> @@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
>  	mutex_lock(&u->iolock);
>  	if (!skb_queue_empty(&sk->sk_receive_queue) &&
>  	    sk_psock_queue_empty(psock)) {
> -		ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> -		goto out;
> +		mutex_unlock(&u->iolock);
> +		sk_psock_put(sk, psock);
> +		return __unix_dgram_recvmsg(sk, msg, len, flags);
>  	}
>  
>  msg_bytes_ready:
> @@ -68,13 +69,13 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
>  		if (data) {
>  			if (!sk_psock_queue_empty(psock))
>  				goto msg_bytes_ready;
> -			ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> -			goto out;
> +			mutex_unlock(&u->iolock);
> +			sk_psock_put(sk, psock);
> +			return __unix_dgram_recvmsg(sk, msg, len, flags);
>  		}
>  		copied = -EAGAIN;
>  	}
>  	ret = copied;
> -out:
>  	mutex_unlock(&u->iolock);
>  	sk_psock_put(sk, psock);
>  	return ret;

Nit: Can be just `return copied`. `ret` became useless.

Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
John Fastabend July 28, 2021, 6:52 p.m. UTC | #4 
Jakub Sitnicki wrote:
> On Fri, Jul 23, 2021 at 08:36 PM CEST, Cong Wang wrote:
> > From: Cong Wang <cong.wang@bytedance.com>
> >
> > As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
> > too, so we have to release it before calling this function.
> >
> > Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
> > Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> > Cc: John Fastabend <john.fastabend@gmail.com>
> > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > Cc: Jakub Sitnicki <jakub@cloudflare.com>
> > Cc: Lorenz Bauer <lmb@cloudflare.com>
> > Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> > ---
> >  net/unix/unix_bpf.c | 11 ++++++-----
> >  1 file changed, 6 insertions(+), 5 deletions(-)
> >
> > diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> > index db0cda29fb2f..b07cb30e87b1 100644
> > --- a/net/unix/unix_bpf.c
> > +++ b/net/unix/unix_bpf.c
> > @@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> >  	mutex_lock(&u->iolock);
> >  	if (!skb_queue_empty(&sk->sk_receive_queue) &&
> >  	    sk_psock_queue_empty(psock)) {
> > -		ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> > -		goto out;
> > +		mutex_unlock(&u->iolock);
> > +		sk_psock_put(sk, psock);
> > +		return __unix_dgram_recvmsg(sk, msg, len, flags);
> >  	}
> >  
> >  msg_bytes_ready:
> > @@ -68,13 +69,13 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> >  		if (data) {
> >  			if (!sk_psock_queue_empty(psock))
> >  				goto msg_bytes_ready;
> > -			ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> > -			goto out;
> > +			mutex_unlock(&u->iolock);
> > +			sk_psock_put(sk, psock);
> > +			return __unix_dgram_recvmsg(sk, msg, len, flags);
> >  		}
> >  		copied = -EAGAIN;
> >  	}
> >  	ret = copied;
> > -out:
> >  	mutex_unlock(&u->iolock);
> >  	sk_psock_put(sk, psock);
> >  	return ret;
> 
> Nit: Can be just `return copied`. `ret` became useless.
> 
> Acked-by: Jakub Sitnicki <jakub@cloudflare.com>

Worth doing the small cleanup pointed out by Jakub but feel free to add
my ack.

Acked-by: John Fastabend <john.fastabend@gmail.com>
Andrii Nakryiko July 30, 2021, 7:45 p.m. UTC | #5 
On Wed, Jul 28, 2021 at 11:53 AM John Fastabend
<john.fastabend@gmail.com> wrote:
>
> Jakub Sitnicki wrote:
> > On Fri, Jul 23, 2021 at 08:36 PM CEST, Cong Wang wrote:
> > > From: Cong Wang <cong.wang@bytedance.com>
> > >
> > > As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
> > > too, so we have to release it before calling this function.
> > >
> > > Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
> > > Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> > > Cc: John Fastabend <john.fastabend@gmail.com>
> > > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > > Cc: Jakub Sitnicki <jakub@cloudflare.com>
> > > Cc: Lorenz Bauer <lmb@cloudflare.com>
> > > Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> > > ---
> > >  net/unix/unix_bpf.c | 11 ++++++-----
> > >  1 file changed, 6 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> > > index db0cda29fb2f..b07cb30e87b1 100644
> > > --- a/net/unix/unix_bpf.c
> > > +++ b/net/unix/unix_bpf.c
> > > @@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> > >     mutex_lock(&u->iolock);
> > >     if (!skb_queue_empty(&sk->sk_receive_queue) &&
> > >         sk_psock_queue_empty(psock)) {
> > > -           ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> > > -           goto out;
> > > +           mutex_unlock(&u->iolock);
> > > +           sk_psock_put(sk, psock);
> > > +           return __unix_dgram_recvmsg(sk, msg, len, flags);
> > >     }
> > >
> > >  msg_bytes_ready:
> > > @@ -68,13 +69,13 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> > >             if (data) {
> > >                     if (!sk_psock_queue_empty(psock))
> > >                             goto msg_bytes_ready;
> > > -                   ret = __unix_dgram_recvmsg(sk, msg, len, flags);
> > > -                   goto out;
> > > +                   mutex_unlock(&u->iolock);
> > > +                   sk_psock_put(sk, psock);
> > > +                   return __unix_dgram_recvmsg(sk, msg, len, flags);
> > >             }
> > >             copied = -EAGAIN;
> > >     }
> > >     ret = copied;
> > > -out:
> > >     mutex_unlock(&u->iolock);
> > >     sk_psock_put(sk, psock);
> > >     return ret;
> >
> > Nit: Can be just `return copied`. `ret` became useless.
> >
> > Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
>
> Worth doing the small cleanup pointed out by Jakub but feel free to add
> my ack.
>

I cleaned it up while applying. Applied to bpf-next, thanks.

> Acked-by: John Fastabend <john.fastabend@gmail.com>
diff mbox series

Patch

diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
index db0cda29fb2f..b07cb30e87b1 100644
--- a/net/unix/unix_bpf.c
+++ b/net/unix/unix_bpf.c
@@ -53,8 +53,9 @@  static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
 	mutex_lock(&u->iolock);
 	if (!skb_queue_empty(&sk->sk_receive_queue) &&
 	    sk_psock_queue_empty(psock)) {
-		ret = __unix_dgram_recvmsg(sk, msg, len, flags);
-		goto out;
+		mutex_unlock(&u->iolock);
+		sk_psock_put(sk, psock);
+		return __unix_dgram_recvmsg(sk, msg, len, flags);
 	}
 
 msg_bytes_ready:
@@ -68,13 +69,13 @@  static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
 		if (data) {
 			if (!sk_psock_queue_empty(psock))
 				goto msg_bytes_ready;
-			ret = __unix_dgram_recvmsg(sk, msg, len, flags);
-			goto out;
+			mutex_unlock(&u->iolock);
+			sk_psock_put(sk, psock);
+			return __unix_dgram_recvmsg(sk, msg, len, flags);
 		}
 		copied = -EAGAIN;
 	}
 	ret = copied;
-out:
 	mutex_unlock(&u->iolock);
 	sk_psock_put(sk, psock);
 	return ret;