Fix mutual exclusion issues in multicast socket option handling.
ClosedPublic
Actions

Authored by markj on Apr 26 2019, 7:19 AM.

Details

Reviewers

Group Reviewers

network

Commits

rS347582: Close some races in multicast socket option handling.

Summary

r333175 converted the global multicast lock to a sleepable sx lock, so
the lock order wrt the (non-sleepable) inp lock changed. To handle this,
r333175 and r333505 introduced a pattern of

in_pcbref(inp);
INP_WUNLOCK(inp);
IN_MULTI_LOCK();

However, this means that inp_join_group() and inp_leave_group() aren't
properly serialized against each other. Concurrent attempts to add a
souce address to a group and leave a group can leave things in an
inconsistent state and trigger panics. Also, the handling for the case
where we release the last inp ref was broken.

Fix the problem by simply acquiring the global multicast lock earlier.
I also fixed some lingering LORs that were not covered by r333505. I am
not convinced that the global lock is actually required anymore
(especially since it is used differently between IPv4 and IPv6), but I
need to study the code further. In the meantime, the change fixes
several races, present in 12.0, found by syzkaller.

Diff Detail

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 23968
Build 22876: arc lint + arc unit

Event Timeline

markj created this revision.Apr 26 2019, 7:19 AM

Herald added a subscriber: ae. · View Herald TranscriptApr 26 2019, 7:19 AM

Harbormaster completed remote builds in B23918: Diff 56690.Apr 26 2019, 7:19 AM

markj added a reviewer: network.Apr 26 2019, 7:27 AM

I'm not quite familiar with this code. Is it safe enough to make INP_WUNLOCK(); /* some code */ INP_WLOCK(); without holding extra reference to PCB? Is is it impossible, that another thread can destroy PCB when we release lock?

sys/netinet/in_mcast.c
2674	Is this change intentional?

Remove unintended changes.

Harbormaster completed remote builds in B23968: Diff 56803.Apr 29 2019, 1:03 PM

In D20070#431564, @ae wrote:

I'm not quite familiar with this code. Is it safe enough to make INP_WUNLOCK(); /* some code */ INP_WLOCK(); without holding extra reference to PCB? Is is it impossible, that another thread can destroy PCB when we release lock?

Sorry, I don't see where the question is coming from. In general, no, you have to acquire a reference before dropping the lock. That's what the old version of the diff did, in order to acquire the sleepable IN_MULTI lock. But dropping the PCB lock introduces races. I changed the code to acquire the IN_MULTI lock first, so we don't have to drop the PCB lock anymore.

sys/netinet/in_mcast.c
2674	No, I uploaded a stale diff by mistake.

In D20070#432259, @markj wrote:

I'm not quite familiar with this code. Is it safe enough to make INP_WUNLOCK(); /* some code */ INP_WLOCK(); without holding extra reference to PCB? Is is it impossible, that another thread can destroy PCB when we release lock?

Sorry, I don't see where the question is coming from. In general, no, you have to acquire a reference before dropping the lock. That's what the old version of the diff did, in order to acquire the sleepable IN_MULTI lock. But dropping the PCB lock introduces races. I changed the code to acquire the IN_MULTI lock first, so we don't have to drop the PCB lock anymore.

The question is not related to your changes, but these files contains several places where such trick happen. :)

In D20070#432274, @ae wrote:

In D20070#432259, @markj wrote:

I'm not quite familiar with this code. Is it safe enough to make INP_WUNLOCK(); /* some code */ INP_WLOCK(); without holding extra reference to PCB? Is is it impossible, that another thread can destroy PCB when we release lock?

Sorry, I don't see where the question is coming from. In general, no, you have to acquire a reference before dropping the lock. That's what the old version of the diff did, in order to acquire the sleepable IN_MULTI lock. But dropping the PCB lock introduces races. I changed the code to acquire the IN_MULTI lock first, so we don't have to drop the PCB lock anymore.

The question is not related to your changes, but these files contains several places where such trick happen. :)

Ah. My knowledge of the area is limited, but I believe the socket reference is sufficient to ensure that this is not a problem for e.g., inp_findmoptions(). In other words, so long as a thread is in inp_setmoptions(), a reference is held on the socket, and the socket references prevents the inp from being detached and freed. I did not do an exhaustive audit though.

mmacy added a subscriber: mmacy.Apr 29 2019, 7:05 PM

emaste added a subscriber: emaste.Apr 29 2019, 8:50 PM

freqlabs added a subscriber: freqlabs.Apr 30 2019, 7:46 PM

freqlabs mentioned this in D20168: Start testing cloned interfaces.May 6 2019, 6:59 AM

Is anyone interested in reviewing this further?

I have no objection. This subsystem is currently broken, but nobody wants to fix it. So, if you tested this patch and it helps to solve your problem, I'm ok, since description looks reasonable.

This revision is now accepted and ready to land.May 8 2019, 5:16 PM

Closed by commit rS347582: Close some races in multicast socket option handling. (authored by markj). · Explain WhyMay 14 2019, 9:31 PM

This revision was automatically updated to reflect the committed changes.

Herald added subscribers: bz, imp. · View Herald TranscriptMay 14 2019, 9:31 PM