[net,2/4] tcp: fix race in tcp_write_err()

Message ID	20240524193630.2007563-3-edumazet@google.com (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 499C27D417 for <netdev@vger.kernel.org>; Fri, 24 May 2024 19:36:37 +0000 (UTC) Date: Fri, 24 May 2024 19:36:28 +0000 In-Reply-To: <20240524193630.2007563-1-edumazet@google.com> Precedence: bulk Mime-Version: 1.0 References: <20240524193630.2007563-1-edumazet@google.com> Message-ID: <20240524193630.2007563-3-edumazet@google.com> Subject: [PATCH net 2/4] tcp: fix race in tcp_write_err() From: Eric Dumazet <edumazet@google.com> To: "David S . Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com> Cc: Neal Cardwell <ncardwell@google.com>, netdev@vger.kernel.org, eric.dumazet@gmail.com, Eric Dumazet <edumazet@google.com> Content-Type: text/plain; charset="UTF-8"
Series	tcp: fix tcp_poll() races \| expand [net,0/4] tcp: fix tcp_poll() races [net,1/4] tcp: add tcp_done_with_error() helper [net,2/4] tcp: fix race in tcp_write_err() [net,3/4] tcp: fix races in tcp_abort() [net,4/4] tcp: fix races in tcp_v[46]_err()

Context	Check	Description
netdev/series_format	success	Posting correctly formatted
netdev/tree_selection	success	Clearly marked for net, async
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag present in non-next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	fail	Errors and warnings before: 45 this patch: 45
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	warning	1 maintainers not CCed: dsahern@kernel.org
netdev/build_clang	fail	Errors and warnings before: 36 this patch: 36
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	fail	Errors and warnings before: 45 this patch: 45
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 12 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 3 this patch: 3
netdev/source_inline	success	Was 0 now: 0

Eric Dumazet May 24, 2024, 7:36 p.m. UTC

I noticed flakes in a packetdrill test, expecting an epoll_wait()
to return EPOLLERR | EPOLLHUP on a failed connect() attempt,
after multiple SYN retransmits. It sometimes return EPOLLERR only.

The issue is that tcp_write_err():
 1) writes an error in sk->sk_err,
 2) calls sk_error_report(),
 3) then calls tcp_done().

tcp_done() is writing SHUTDOWN_MASK into sk->sk_shutdown,
among other things.

Problem is that the awaken user thread (from 2) sk_error_report())
might call tcp_poll() before tcp_done() has written sk->sk_shutdown.

tcp_poll() only sees a non zero sk->sk_err and returns EPOLLERR.

This patch fixes the issue by making sure to call sk_error_report()
after tcp_done().

tcp_write_err() also lacks an smp_wmb().

We can reuse tcp_done_with_error() to factor out the details,
as Neal suggested.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/ipv4/tcp_timer.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

David Laight May 28, 2024, 9:19 a.m. UTC | #1

From: Eric Dumazet
> Sent: 24 May 2024 20:36
> 
> I noticed flakes in a packetdrill test, expecting an epoll_wait()
> to return EPOLLERR | EPOLLHUP on a failed connect() attempt,
> after multiple SYN retransmits. It sometimes return EPOLLERR only.
> 
> The issue is that tcp_write_err():
>  1) writes an error in sk->sk_err,
>  2) calls sk_error_report(),
>  3) then calls tcp_done().
> 
> tcp_done() is writing SHUTDOWN_MASK into sk->sk_shutdown,
> among other things.
> 
> Problem is that the awaken user thread (from 2) sk_error_report())
> might call tcp_poll() before tcp_done() has written sk->sk_shutdown.
> 
> tcp_poll() only sees a non zero sk->sk_err and returns EPOLLERR.
> 
> This patch fixes the issue by making sure to call sk_error_report()
> after tcp_done().

Isn't there still the potential for a program to call poll() at
'just the wrong time' and still see an unexpected status?

...
>  	WRITE_ONCE(sk->sk_err, READ_ONCE(sk->sk_err_soft) ? : ETIMEDOUT);
> -	sk_error_report(sk);
> 
> -	tcp_write_queue_purge(sk);
> -	tcp_done(sk);
> +	tcp_done_with_error(sk);

Is there scope for moving the write to sk->sk_err inside the function?
Looks like it'll need a larger change to tcp_reset().

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Paolo Abeni May 28, 2024, 10:35 a.m. UTC | #2

On Tue, 2024-05-28 at 09:19 +0000, David Laight wrote:
> From: Eric Dumazet
> > Sent: 24 May 2024 20:36
> > 
> > I noticed flakes in a packetdrill test, expecting an epoll_wait()
> > to return EPOLLERR | EPOLLHUP on a failed connect() attempt,
> > after multiple SYN retransmits. It sometimes return EPOLLERR only.
> > 
> > The issue is that tcp_write_err():
> >  1) writes an error in sk->sk_err,
> >  2) calls sk_error_report(),
> >  3) then calls tcp_done().
> > 
> > tcp_done() is writing SHUTDOWN_MASK into sk->sk_shutdown,
> > among other things.
> > 
> > Problem is that the awaken user thread (from 2) sk_error_report())
> > might call tcp_poll() before tcp_done() has written sk->sk_shutdown.
> > 
> > tcp_poll() only sees a non zero sk->sk_err and returns EPOLLERR.
> > 
> > This patch fixes the issue by making sure to call sk_error_report()
> > after tcp_done().
> 
> Isn't there still the potential for a program to call poll() at
> 'just the wrong time' and still see an unexpected status?
> 
> ...
> >  	WRITE_ONCE(sk->sk_err, READ_ONCE(sk->sk_err_soft) ? : ETIMEDOUT);
> > -	sk_error_report(sk);
> > 
> > -	tcp_write_queue_purge(sk);
> > -	tcp_done(sk);
> > +	tcp_done_with_error(sk);
> 
> Is there scope for moving the write to sk->sk_err inside the function?

Do you mean that the compiler or the CPU can reorder the WRITE_ONCE wrt
tcp_done_with_error()? I think the function call prevents that.

Cheers,

Paolo

David Laight May 28, 2024, 10:43 a.m. UTC | #3

From: Paolo Abeni
> Sent: 28 May 2024 11:36
> 
> On Tue, 2024-05-28 at 09:19 +0000, David Laight wrote:
> > From: Eric Dumazet
> > > Sent: 24 May 2024 20:36
> > >
> > > I noticed flakes in a packetdrill test, expecting an epoll_wait()
> > > to return EPOLLERR | EPOLLHUP on a failed connect() attempt,
> > > after multiple SYN retransmits. It sometimes return EPOLLERR only.
> > >
> > > The issue is that tcp_write_err():
> > >  1) writes an error in sk->sk_err,
> > >  2) calls sk_error_report(),
> > >  3) then calls tcp_done().
> > >
> > > tcp_done() is writing SHUTDOWN_MASK into sk->sk_shutdown,
> > > among other things.
> > >
> > > Problem is that the awaken user thread (from 2) sk_error_report())
> > > might call tcp_poll() before tcp_done() has written sk->sk_shutdown.
> > >
> > > tcp_poll() only sees a non zero sk->sk_err and returns EPOLLERR.
> > >
> > > This patch fixes the issue by making sure to call sk_error_report()
> > > after tcp_done().
> >
> > Isn't there still the potential for a program to call poll() at
> > 'just the wrong time' and still see an unexpected status?
> >
> > ...
> > >  	WRITE_ONCE(sk->sk_err, READ_ONCE(sk->sk_err_soft) ? : ETIMEDOUT);
> > > -	sk_error_report(sk);
> > >
> > > -	tcp_write_queue_purge(sk);
> > > -	tcp_done(sk);
> > > +	tcp_done_with_error(sk);
> >
> > Is there scope for moving the write to sk->sk_err inside the function?
> 
> Do you mean that the compiler or the CPU can reorder the WRITE_ONCE wrt
> tcp_done_with_error()? I think the function call prevents that.

No, just that the code would be easier to read with (say):
	tcp_done_with_error(sk, ETIMEDOUT);
rather than requiring the caller do a WRITE_ONCE() prior to the call.

This might also be needed in order to ensure that both POLLERR and POLLHUP
always get reported.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Eric Dumazet May 28, 2024, 11:27 a.m. UTC | #4

On Tue, May 28, 2024 at 11:20 AM David Laight <David.Laight@aculab.com> wrote:
>
> From: Eric Dumazet
> > Sent: 24 May 2024 20:36
> >
> > I noticed flakes in a packetdrill test, expecting an epoll_wait()
> > to return EPOLLERR | EPOLLHUP on a failed connect() attempt,
> > after multiple SYN retransmits. It sometimes return EPOLLERR only.
> >
> > The issue is that tcp_write_err():
> >  1) writes an error in sk->sk_err,
> >  2) calls sk_error_report(),
> >  3) then calls tcp_done().
> >
> > tcp_done() is writing SHUTDOWN_MASK into sk->sk_shutdown,
> > among other things.
> >
> > Problem is that the awaken user thread (from 2) sk_error_report())
> > might call tcp_poll() before tcp_done() has written sk->sk_shutdown.
> >
> > tcp_poll() only sees a non zero sk->sk_err and returns EPOLLERR.
> >
> > This patch fixes the issue by making sure to call sk_error_report()
> > after tcp_done().
>
> Isn't there still the potential for a program to call poll() at
> 'just the wrong time' and still see an unexpected status?

This patch does not cope with poll() results being volatile.

Only epoll, because epoll logic intercepts sk_error_report() and wakes
up a thread,
this thread is calling back tcp_poll() shortly after.

The 'after' starts really at sk_error_report().

>
> ...
> >       WRITE_ONCE(sk->sk_err, READ_ONCE(sk->sk_err_soft) ? : ETIMEDOUT);
> > -     sk_error_report(sk);
> >
> > -     tcp_write_queue_purge(sk);
> > -     tcp_done(sk);
> > +     tcp_done_with_error(sk);
>
> Is there scope for moving the write to sk->sk_err inside the function?
> Looks like it'll need a larger change to tcp_reset().

This seems feasible, yes.

[net,2/4] tcp: fix race in tcp_write_err()

Checks

Commit Message

Comments

Patch