On Wed, Apr 24, 2019 at 11:21 AM Guillaume Nault <gna...@redhat.com> wrote:
> It seems that callers of rcu_assign_sk_user_data() can indeed sleep. > > But I think we have more problems. Not all code paths treat > ->sk_user_data as RCU pointers (IIUC that's why we created the > __sk_user_data() macro, instead of just redefining ->sk_user_data as > "void __rcu *"). But even if RCU rules were respected for all accesses, > we'd need to ensure consistent protection for the update side. Sure. > > And then, we'd need to make sure that ->sk_user_data is in sync with > the encap_rcv() callback (or whatever actually uses the data pointed > to). Otherwise a module could treat ->sk_user_data as a struct foo > pointer while it actually points to a struct bar. > > For example, a quick look at net/sunrpc/svcsock.c seems to indicate > that svc_addsock() would accept any (unconnected) UDP socket and pass > it to svc_addsock(), which in turn would override ->sk_user_data with > a struct svc_sock pointer. If the socket was previously set up by L2TP, > then we'd end up with ->sk_user_data pointing to a svc_sock structure, > but ->encap_rcv still pointing to l2tp_udp_encap_recv(). That's going > to give unexpected results when l2tp_udp_encap_recv() will dereference > ->sk_user_data to access (what it believes to be) its tunnel structure. A full audit is needed, and I have started it. If you want to help just send a patch ;) I have looked at this l2tp code only after fixing another issue in RXRPC, and would have looked later at SUNRPC.
