From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Willem de Bruijn <willemb@google.com>,
syzbot <syzkaller@googlegroups.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.16 41/43] af_packet: fix data-race in packet_setsockopt / packet_setsockopt
Date: Fri, 4 Feb 2022 10:22:48 +0100 [thread overview]
Message-ID: <20220204091918.496128137@linuxfoundation.org> (raw)
In-Reply-To: <20220204091917.166033635@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
commit e42e70ad6ae2ae511a6143d2e8da929366e58bd9 upstream.
When packet_setsockopt( PACKET_FANOUT_DATA ) reads po->fanout,
no lock is held, meaning that another thread can change po->fanout.
Given that po->fanout can only be set once during the socket lifetime
(it is only cleared from fanout_release()), we can use
READ_ONCE()/WRITE_ONCE() to document the race.
BUG: KCSAN: data-race in packet_setsockopt / packet_setsockopt
write to 0xffff88813ae8e300 of 8 bytes by task 14653 on cpu 0:
fanout_add net/packet/af_packet.c:1791 [inline]
packet_setsockopt+0x22fe/0x24a0 net/packet/af_packet.c:3931
__sys_setsockopt+0x209/0x2a0 net/socket.c:2180
__do_sys_setsockopt net/socket.c:2191 [inline]
__se_sys_setsockopt net/socket.c:2188 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff88813ae8e300 of 8 bytes by task 14654 on cpu 1:
packet_setsockopt+0x691/0x24a0 net/packet/af_packet.c:3935
__sys_setsockopt+0x209/0x2a0 net/socket.c:2180
__do_sys_setsockopt net/socket.c:2191 [inline]
__se_sys_setsockopt net/socket.c:2188 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0x0000000000000000 -> 0xffff888106f8c000
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 14654 Comm: syz-executor.3 Not tainted 5.16.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes: 47dceb8ecdc1 ("packet: add classic BPF fanout mode")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20220201022358.330621-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1788,7 +1788,10 @@ static int fanout_add(struct sock *sk, s
err = -ENOSPC;
if (refcount_read(&match->sk_ref) < match->max_num_members) {
__dev_remove_pack(&po->prot_hook);
- po->fanout = match;
+
+ /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */
+ WRITE_ONCE(po->fanout, match);
+
po->rollover = rollover;
rollover = NULL;
refcount_set(&match->sk_ref, refcount_read(&match->sk_ref) + 1);
@@ -3941,7 +3944,8 @@ packet_setsockopt(struct socket *sock, i
}
case PACKET_FANOUT_DATA:
{
- if (!po->fanout)
+ /* Paired with the WRITE_ONCE() in fanout_add() */
+ if (!READ_ONCE(po->fanout))
return -EINVAL;
return fanout_set_data(po, optval, optlen);
next prev parent reply other threads:[~2022-02-04 9:29 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-04 9:22 [PATCH 5.16 00/43] 5.16.6-rc1 review Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 01/43] PCI: pciehp: Fix infinite loop in IRQ handler upon power fault Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 02/43] selftests: mptcp: fix ipv6 routing setup Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 03/43] net: ipa: use a bitmap for endpoint replenish_enabled Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 04/43] net: ipa: prevent concurrent replenish Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 05/43] drm/vc4: hdmi: Make sure the device is powered with CEC Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 06/43] cgroup-v1: Require capabilities to set release_agent Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 07/43] Revert "mm/gup: small refactoring: simplify try_grab_page()" Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 08/43] net: phy: Fix qca8081 with speeds lower than 2.5Gb/s Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 09/43] ovl: dont fail copy up if no fileattr support on upper Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 10/43] lockd: fix server crash on reboot of client holding lock Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 11/43] lockd: fix failure to cleanup client locks Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 12/43] net/mlx5e: IPsec: Fix crypto offload for non TCP/UDP encapsulated traffic Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 13/43] net/mlx5e: IPsec: Fix tunnel mode crypto offload for non TCP/UDP traffic Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 14/43] net/mlx5e: TC, Reject rules with drop and modify hdr action Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 15/43] net/mlx5: Bridge, take rtnl lock in init error handler Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 16/43] net/mlx5: Bridge, ensure dev_name is null-terminated Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 17/43] net/mlx5e: Fix handling of wrong devices during bond netevent Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 18/43] net/mlx5: Use del_timer_sync in fw reset flow of halting poll Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 19/43] net/mlx5e: Fix module EEPROM query Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 20/43] net/mlx5e: TC, Reject rules with forward and drop actions Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 21/43] net/mlx5: Fix offloading with ESWITCH_IPV4_TTL_MODIFY_ENABLE Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 22/43] net/mlx5e: Dont treat small ceil values as unlimited in HTB offload Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 23/43] net/mlx5: Bridge, Fix devlink deadlock on net namespace deletion Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 24/43] net/mlx5e: Avoid field-overflowing memcpy() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 25/43] net/mlx5e: Fix wrong calculation of header index in HW_GRO Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 26/43] net/mlx5e: Fix broken SKB allocation in HW-GRO Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 27/43] net/mlx5: E-Switch, Fix uninitialized variable modact Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 28/43] net/mlx5e: Avoid implicit modify hdr for decap drop rule Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 29/43] ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 30/43] i40e: Fix reset bw limit when DCB enabled with 1 TC Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 31/43] i40e: Fix reset path while removing the driver Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 32/43] net: amd-xgbe: ensure to reset the tx_timer_active flag Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 33/43] net: amd-xgbe: Fix skb data length underflow Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 34/43] fanotify: Fix stale file descriptor in copy_event_to_user() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 35/43] net: sched: fix use-after-free in tc_new_tfilter() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 36/43] rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 37/43] net: ipa: request IPA register values be retained Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 38/43] bpf: Fix possible race in inc_misses_counter Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 39/43] cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 40/43] e1000e: Handshake with CSME starts from ADL platforms Greg Kroah-Hartman
2022-02-04 9:22 ` Greg Kroah-Hartman [this message]
2022-02-04 9:22 ` [PATCH 5.16 42/43] tcp: fix mem under-charging with zerocopy sendmsg() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 43/43] tcp: add missing tcp_skb_can_collapse() test in tcp_shift_skb_data() Greg Kroah-Hartman
2022-02-04 15:20 ` [PATCH 5.16 00/43] 5.16.6-rc1 review Jon Hunter
2022-02-04 18:15 ` Florian Fainelli
2022-02-04 20:31 ` Shuah Khan
2022-02-04 22:55 ` Justin Forbes
2022-02-04 23:41 ` Guenter Roeck
2022-02-05 4:40 ` Rudi Heitbaum
2022-02-05 5:14 ` Slade Watkins
2022-02-05 6:28 ` Naresh Kamboju
2022-02-05 6:50 ` Scott Bruce
2022-02-05 8:14 ` Bagas Sanjaya
2022-02-05 9:08 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220204091918.496128137@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.