net/sctp/diag.c | 4 ++++ 1 file changed, 4 insertions(+)
With CONFIG_PROVE_RCU_LIST=y and by executing
$ netcat -l --sctp &
$ netcat --sctp localhost &
$ ss --sctp
one can trigger the following Lockdep-RCU splat(s):
WARNING: suspicious RCU usage
6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted
-----------------------------
net/sctp/diag.c:76 RCU-list traversed in non-reader section!!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by ss/215:
#0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0
#1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200
stack backtrace:
CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x90
lockdep_rcu_suspicious.cold+0x4e/0xa3
inet_sctp_diag_fill.isra.0+0x4b1/0x5d0
sctp_sock_dump+0x131/0x200
sctp_transport_traverse_process+0x170/0x1b0
? __pfx_sctp_sock_filter+0x10/0x10
? __pfx_sctp_sock_dump+0x10/0x10
sctp_diag_dump+0x103/0x140
__inet_diag_dump+0x70/0xb0
netlink_dump+0x148/0x490
__netlink_dump_start+0x1f3/0x2b0
inet_diag_handler_cmd+0xcd/0x100
? __pfx_inet_diag_dump_start+0x10/0x10
? __pfx_inet_diag_dump+0x10/0x10
? __pfx_inet_diag_dump_done+0x10/0x10
sock_diag_rcv_msg+0x18e/0x320
? __pfx_sock_diag_rcv_msg+0x10/0x10
netlink_rcv_skb+0x4d/0x100
netlink_unicast+0x1d7/0x2b0
netlink_sendmsg+0x203/0x450
____sys_sendmsg+0x30c/0x340
___sys_sendmsg+0x94/0xf0
__sys_sendmsg+0x83/0xf0
do_syscall_64+0xbb/0x390
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
</TASK>
Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
---
It might be sufficient to add a check for one of the already held locks,
but I lack the domain knowledge to be sure about that...
---
net/sctp/diag.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/sctp/diag.c b/net/sctp/diag.c
index 996c2018f0e6..1a8761f87bf1 100644
--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
struct nlattr *attr;
void *info = NULL;
+ rcu_read_lock();
list_for_each_entry_rcu(laddr, address_list, list)
addrcnt++;
+ rcu_read_unlock();
attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt);
if (!attr)
return -EMSGSIZE;
info = nla_data(attr);
+ rcu_read_lock();
list_for_each_entry_rcu(laddr, address_list, list) {
memcpy(info, &laddr->a, sizeof(laddr->a));
memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
info += addrlen;
}
+ rcu_read_unlock();
return 0;
}
--
2.51.0From: Stefan Wiehler <stefan.wiehler@nokia.com>
Date: Thu, 23 Oct 2025 21:18:08 +0200
> With CONFIG_PROVE_RCU_LIST=y and by executing
>
> $ netcat -l --sctp &
> $ netcat --sctp localhost &
> $ ss --sctp
>
> one can trigger the following Lockdep-RCU splat(s):
>
> WARNING: suspicious RCU usage
> 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted
> -----------------------------
> net/sctp/diag.c:76 RCU-list traversed in non-reader section!!
>
> other info that might help us debug this:
>
> rcu_scheduler_active = 2, debug_locks = 1
> 2 locks held by ss/215:
> #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0
> #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200
>
> stack backtrace:
> CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x90
> lockdep_rcu_suspicious.cold+0x4e/0xa3
> inet_sctp_diag_fill.isra.0+0x4b1/0x5d0
> sctp_sock_dump+0x131/0x200
> sctp_transport_traverse_process+0x170/0x1b0
> ? __pfx_sctp_sock_filter+0x10/0x10
> ? __pfx_sctp_sock_dump+0x10/0x10
> sctp_diag_dump+0x103/0x140
> __inet_diag_dump+0x70/0xb0
> netlink_dump+0x148/0x490
> __netlink_dump_start+0x1f3/0x2b0
> inet_diag_handler_cmd+0xcd/0x100
> ? __pfx_inet_diag_dump_start+0x10/0x10
> ? __pfx_inet_diag_dump+0x10/0x10
> ? __pfx_inet_diag_dump_done+0x10/0x10
> sock_diag_rcv_msg+0x18e/0x320
> ? __pfx_sock_diag_rcv_msg+0x10/0x10
> netlink_rcv_skb+0x4d/0x100
> netlink_unicast+0x1d7/0x2b0
> netlink_sendmsg+0x203/0x450
> ____sys_sendmsg+0x30c/0x340
> ___sys_sendmsg+0x94/0xf0
> __sys_sendmsg+0x83/0xf0
> do_syscall_64+0xbb/0x390
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> ...
> </TASK>
>
> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
> ---
> It might be sufficient to add a check for one of the already held locks,
> but I lack the domain knowledge to be sure about that...
> ---
> net/sctp/diag.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/sctp/diag.c b/net/sctp/diag.c
> index 996c2018f0e6..1a8761f87bf1 100644
> --- a/net/sctp/diag.c
> +++ b/net/sctp/diag.c
> @@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
> struct nlattr *attr;
> void *info = NULL;
>
> + rcu_read_lock();
> list_for_each_entry_rcu(laddr, address_list, list)
> addrcnt++;
> + rcu_read_unlock();
>
> attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt);
> if (!attr)
> return -EMSGSIZE;
>
> info = nla_data(attr);
> + rcu_read_lock();
> list_for_each_entry_rcu(laddr, address_list, list) {
> memcpy(info, &laddr->a, sizeof(laddr->a));
> memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
> info += addrlen;
looks like TOCTOU issue exists here, we should check
the boundary like this:
if (!--addrcnt)
break;
Otherwise KASAN would complain about an out-of-bound write.
> }
> + rcu_read_unlock();
>
> return 0;
> }
> --
> 2.51.0
On Thu, Oct 23, 2025 at 4:53 PM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> From: Stefan Wiehler <stefan.wiehler@nokia.com>
> Date: Thu, 23 Oct 2025 21:18:08 +0200
> > With CONFIG_PROVE_RCU_LIST=y and by executing
> >
> > $ netcat -l --sctp &
> > $ netcat --sctp localhost &
> > $ ss --sctp
> >
> > one can trigger the following Lockdep-RCU splat(s):
> >
> > WARNING: suspicious RCU usage
> > 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted
> > -----------------------------
> > net/sctp/diag.c:76 RCU-list traversed in non-reader section!!
> >
> > other info that might help us debug this:
> >
> > rcu_scheduler_active = 2, debug_locks = 1
> > 2 locks held by ss/215:
> > #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0
> > #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200
> >
> > stack backtrace:
> > CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary)
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
> > Call Trace:
> > <TASK>
> > dump_stack_lvl+0x5d/0x90
> > lockdep_rcu_suspicious.cold+0x4e/0xa3
> > inet_sctp_diag_fill.isra.0+0x4b1/0x5d0
> > sctp_sock_dump+0x131/0x200
> > sctp_transport_traverse_process+0x170/0x1b0
> > ? __pfx_sctp_sock_filter+0x10/0x10
> > ? __pfx_sctp_sock_dump+0x10/0x10
> > sctp_diag_dump+0x103/0x140
> > __inet_diag_dump+0x70/0xb0
> > netlink_dump+0x148/0x490
> > __netlink_dump_start+0x1f3/0x2b0
> > inet_diag_handler_cmd+0xcd/0x100
> > ? __pfx_inet_diag_dump_start+0x10/0x10
> > ? __pfx_inet_diag_dump+0x10/0x10
> > ? __pfx_inet_diag_dump_done+0x10/0x10
> > sock_diag_rcv_msg+0x18e/0x320
> > ? __pfx_sock_diag_rcv_msg+0x10/0x10
> > netlink_rcv_skb+0x4d/0x100
> > netlink_unicast+0x1d7/0x2b0
> > netlink_sendmsg+0x203/0x450
> > ____sys_sendmsg+0x30c/0x340
> > ___sys_sendmsg+0x94/0xf0
> > __sys_sendmsg+0x83/0xf0
> > do_syscall_64+0xbb/0x390
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > ...
> > </TASK>
> >
> > Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> > Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
> > ---
> > It might be sufficient to add a check for one of the already held locks,
> > but I lack the domain knowledge to be sure about that...
> > ---
> > net/sctp/diag.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/net/sctp/diag.c b/net/sctp/diag.c
> > index 996c2018f0e6..1a8761f87bf1 100644
> > --- a/net/sctp/diag.c
> > +++ b/net/sctp/diag.c
> > @@ -73,19 +73,23 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
> > struct nlattr *attr;
> > void *info = NULL;
> >
> > + rcu_read_lock();
> > list_for_each_entry_rcu(laddr, address_list, list)
> > addrcnt++;
> > + rcu_read_unlock();
> >
> > attr = nla_reserve(skb, INET_DIAG_LOCALS, addrlen * addrcnt);
> > if (!attr)
> > return -EMSGSIZE;
> >
> > info = nla_data(attr);
> > + rcu_read_lock();
> > list_for_each_entry_rcu(laddr, address_list, list) {
> > memcpy(info, &laddr->a, sizeof(laddr->a));
> > memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
> > info += addrlen;
>
> looks like TOCTOU issue exists here, we should check
> the boundary like this:
>
> if (!--addrcnt)
> break;
>
> Otherwise KASAN would complain about an out-of-bound write.
Or if lock_sock() is enough, we should use the plain
list_for_each_entry(), or list_for_each_entry_rcu() with
lockdep_sock_is_held() as the 4th arg.
> Or if lock_sock() is enough, we should use the plain > list_for_each_entry(), or list_for_each_entry_rcu() with > lockdep_sock_is_held() as the 4th arg. Right, I've already hinted in the commit comment that lock_sock() might be enough, but I'm not sure about it... @Xin Long, as you're the author and have already acked, I suppose we actually need to hold the RCU read lock?
On Fri, Oct 24, 2025 at 4:51 AM Stefan Wiehler <stefan.wiehler@nokia.com> wrote:
>
> > Or if lock_sock() is enough, we should use the plain
> > list_for_each_entry(), or list_for_each_entry_rcu() with
> > lockdep_sock_is_held() as the 4th arg.
>
> Right, I've already hinted in the commit comment that lock_sock() might be
> enough, but I'm not sure about it...
>
> @Xin Long, as you're the author and have already acked, I suppose we actually
> need to hold the RCU read lock?
Yes, there's a path not holding sock lock:
sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()
Kuniyuki is right about the TOCTOU issue, we do need a check there:
if (!--addrcnt)
break;
BTW, there is another addrcnt thing in inet_assoc_attr_size(), I think you
can fix it in another patch, like moving nlmsg_new(inet_assoc_attr_size(assoc))
under the lock_sock() in sctp_sock_dump_one() and delete _rcu?
Thanks.
> Yes, there's a path not holding sock lock: > > sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() Ok, thanks for the clarification. > Kuniyuki is right about the TOCTOU issue, we do need a check there: > > if (!--addrcnt) > break; > > BTW, there is another addrcnt thing in inet_assoc_attr_size(), I think you > can fix it in another patch, like moving nlmsg_new(inet_assoc_attr_size(assoc)) > under the lock_sock() in sctp_sock_dump_one() and delete _rcu? I've sent out two separate patches for these issues.
On Thu, Oct 23, 2025 at 3:20 PM Stefan Wiehler <stefan.wiehler@nokia.com> wrote:
>
> With CONFIG_PROVE_RCU_LIST=y and by executing
>
> $ netcat -l --sctp &
> $ netcat --sctp localhost &
> $ ss --sctp
>
> one can trigger the following Lockdep-RCU splat(s):
>
> WARNING: suspicious RCU usage
> 6.18.0-rc1-00093-g7f864458e9a6 #5 Not tainted
> -----------------------------
> net/sctp/diag.c:76 RCU-list traversed in non-reader section!!
>
> other info that might help us debug this:
>
> rcu_scheduler_active = 2, debug_locks = 1
> 2 locks held by ss/215:
> #0: ffff9c740828bec0 (nlk_cb_mutex-SOCK_DIAG){+.+.}-{4:4}, at: __netlink_dump_start+0x84/0x2b0
> #1: ffff9c7401d72cd0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_sock_dump+0x38/0x200
>
> stack backtrace:
> CPU: 0 UID: 0 PID: 215 Comm: ss Not tainted 6.18.0-rc1-00093-g7f864458e9a6 #5 PREEMPT(voluntary)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x90
> lockdep_rcu_suspicious.cold+0x4e/0xa3
> inet_sctp_diag_fill.isra.0+0x4b1/0x5d0
> sctp_sock_dump+0x131/0x200
> sctp_transport_traverse_process+0x170/0x1b0
> ? __pfx_sctp_sock_filter+0x10/0x10
> ? __pfx_sctp_sock_dump+0x10/0x10
> sctp_diag_dump+0x103/0x140
> __inet_diag_dump+0x70/0xb0
> netlink_dump+0x148/0x490
> __netlink_dump_start+0x1f3/0x2b0
> inet_diag_handler_cmd+0xcd/0x100
> ? __pfx_inet_diag_dump_start+0x10/0x10
> ? __pfx_inet_diag_dump+0x10/0x10
> ? __pfx_inet_diag_dump_done+0x10/0x10
> sock_diag_rcv_msg+0x18e/0x320
> ? __pfx_sock_diag_rcv_msg+0x10/0x10
> netlink_rcv_skb+0x4d/0x100
> netlink_unicast+0x1d7/0x2b0
> netlink_sendmsg+0x203/0x450
> ____sys_sendmsg+0x30c/0x340
> ___sys_sendmsg+0x94/0xf0
> __sys_sendmsg+0x83/0xf0
> do_syscall_64+0xbb/0x390
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> ...
> </TASK>
>
> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
© 2016 - 2026 Red Hat, Inc.