From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 36/84] tcp: add annotations around sk->sk_shutdown accesses
Date: Tue, 27 Feb 2024 14:27:03 +0100 [thread overview]
Message-ID: <20240227131554.044499554@linuxfoundation.org> (raw)
In-Reply-To: <20240227131552.864701583@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit e14cadfd80d76f01bfaa1a8d745b1db19b57d6be ]
Now sk->sk_shutdown is no longer a bitfield, we can add
standard READ_ONCE()/WRITE_ONCE() annotations to silence
KCSAN reports like the following:
BUG: KCSAN: data-race in tcp_disconnect / tcp_poll
write to 0xffff88814588582c of 1 bytes by task 3404 on cpu 1:
tcp_disconnect+0x4d6/0xdb0 net/ipv4/tcp.c:3121
__inet_stream_connect+0x5dd/0x6e0 net/ipv4/af_inet.c:715
inet_stream_connect+0x48/0x70 net/ipv4/af_inet.c:727
__sys_connect_file net/socket.c:2001 [inline]
__sys_connect+0x19b/0x1b0 net/socket.c:2018
__do_sys_connect net/socket.c:2028 [inline]
__se_sys_connect net/socket.c:2025 [inline]
__x64_sys_connect+0x41/0x50 net/socket.c:2025
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff88814588582c of 1 bytes by task 3374 on cpu 0:
tcp_poll+0x2e6/0x7d0 net/ipv4/tcp.c:562
sock_poll+0x253/0x270 net/socket.c:1383
vfs_poll include/linux/poll.h:88 [inline]
io_poll_check_events io_uring/poll.c:281 [inline]
io_poll_task_func+0x15a/0x820 io_uring/poll.c:333
handle_tw_list io_uring/io_uring.c:1184 [inline]
tctx_task_work+0x1fe/0x4d0 io_uring/io_uring.c:1246
task_work_run+0x123/0x160 kernel/task_work.c:179
get_signal+0xe64/0xff0 kernel/signal.c:2635
arch_do_signal_or_restart+0x89/0x2a0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop+0x6f/0xe0 kernel/entry/common.c:168
exit_to_user_mode_prepare+0x6c/0xb0 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:297
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x03 -> 0x00
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/af_inet.c | 2 +-
net/ipv4/tcp.c | 14 ++++++++------
net/ipv4/tcp_input.c | 4 ++--
3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index e05cdc6088507..d7ebee3c048d5 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -876,7 +876,7 @@ int inet_shutdown(struct socket *sock, int how)
EPOLLHUP, even on eg. unconnected UDP sockets -- RR */
/* fall through */
default:
- sk->sk_shutdown |= how;
+ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | how);
if (sk->sk_prot->shutdown)
sk->sk_prot->shutdown(sk, how);
break;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index e45c09977c600..8d7933989de0e 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -505,6 +505,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
__poll_t mask;
struct sock *sk = sock->sk;
const struct tcp_sock *tp = tcp_sk(sk);
+ u8 shutdown;
int state;
sock_poll_wait(file, sock, wait);
@@ -547,9 +548,10 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
* NOTE. Check for TCP_CLOSE is added. The goal is to prevent
* blocking on fresh not-connected or disconnected socket. --ANK
*/
- if (sk->sk_shutdown == SHUTDOWN_MASK || state == TCP_CLOSE)
+ shutdown = READ_ONCE(sk->sk_shutdown);
+ if (shutdown == SHUTDOWN_MASK || state == TCP_CLOSE)
mask |= EPOLLHUP;
- if (sk->sk_shutdown & RCV_SHUTDOWN)
+ if (shutdown & RCV_SHUTDOWN)
mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;
/* Connected or passive Fast Open socket? */
@@ -565,7 +567,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
if (tcp_stream_is_readable(tp, target, sk))
mask |= EPOLLIN | EPOLLRDNORM;
- if (!(sk->sk_shutdown & SEND_SHUTDOWN)) {
+ if (!(shutdown & SEND_SHUTDOWN)) {
if (__sk_stream_is_writeable(sk, 1)) {
mask |= EPOLLOUT | EPOLLWRNORM;
} else { /* send SIGIO later */
@@ -2357,7 +2359,7 @@ void __tcp_close(struct sock *sk, long timeout)
int data_was_unread = 0;
int state;
- sk->sk_shutdown = SHUTDOWN_MASK;
+ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
if (sk->sk_state == TCP_LISTEN) {
tcp_set_state(sk, TCP_CLOSE);
@@ -2629,7 +2631,7 @@ int tcp_disconnect(struct sock *sk, int flags)
if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
inet_reset_saddr(sk);
- sk->sk_shutdown = 0;
+ WRITE_ONCE(sk->sk_shutdown, 0);
sock_reset_flag(sk, SOCK_DONE);
tp->srtt_us = 0;
tp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
@@ -3905,7 +3907,7 @@ void tcp_done(struct sock *sk)
if (req)
reqsk_fastopen_remove(sk, req, false);
- sk->sk_shutdown = SHUTDOWN_MASK;
+ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
if (!sock_flag(sk, SOCK_DEAD))
sk->sk_state_change(sk);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 982fe464156a4..61243531a7f4c 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4216,7 +4216,7 @@ void tcp_fin(struct sock *sk)
inet_csk_schedule_ack(sk);
- sk->sk_shutdown |= RCV_SHUTDOWN;
+ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | RCV_SHUTDOWN);
sock_set_flag(sk, SOCK_DONE);
switch (sk->sk_state) {
@@ -6354,7 +6354,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
break;
tcp_set_state(sk, TCP_FIN_WAIT2);
- sk->sk_shutdown |= SEND_SHUTDOWN;
+ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | SEND_SHUTDOWN);
sk_dst_confirm(sk);
--
2.43.0
next prev parent reply other threads:[~2024-02-27 14:23 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-27 13:26 [PATCH 5.4 00/84] 5.4.270-rc1 review Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 01/84] KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table() Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 02/84] KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 03/84] net/sched: Retire CBQ qdisc Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 04/84] net/sched: Retire ATM qdisc Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 05/84] net/sched: Retire dsmark qdisc Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 06/84] sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 07/84] memcg: add refcnt for pcpu stock to avoid UAF problem in drain_all_stock() Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 08/84] nilfs2: replace WARN_ONs for invalid DAT metadata block requests Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 09/84] userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 10/84] sched/rt: Fix sysctl_sched_rr_timeslice intial value Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 11/84] sched/rt: Disallow writing invalid values to sched_rt_period_us Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 12/84] scsi: target: core: Add TMF to tmr_list handling Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 13/84] dmaengine: shdma: increase size of dev_id Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 14/84] dmaengine: fsl-qdma: increase size of irq_name Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 15/84] wifi: cfg80211: fix missing interfaces when dumping Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 16/84] wifi: mac80211: fix race condition on enabling fast-xmit Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 17/84] fbdev: savage: Error out if pixclock equals zero Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 18/84] fbdev: sis: " Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 19/84] ahci: asm1166: correct count of reported ports Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 20/84] ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 21/84] ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found() Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 22/84] ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 23/84] regulator: pwm-regulator: Add validity checks in continuous .get_voltage Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 24/84] nvmet-tcp: fix nvme tcp ida memory leak Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 25/84] ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616 Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 26/84] netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 27/84] nvmet-fc: abort command when there is no binding Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 28/84] hwmon: (coretemp) Enlarge per package core count limit Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 29/84] scsi: lpfc: Use unsigned type for num_sge Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 30/84] firewire: core: send bus reset promptly on gap count error Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 31/84] virtio-blk: Ensure no requests in virtqueues before deleting vqs Greg Kroah-Hartman
2024-02-27 13:26 ` [PATCH 5.4 32/84] s390/qeth: Fix potential loss of L3-IP@ in case of network issues Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 33/84] pmdomain: renesas: r8a77980-sysc: CR7 must be always on Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 34/84] tcp: factor out __tcp_close() helper Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 35/84] tcp: return EPOLLOUT from tcp_poll only when notsent_bytes is half the limit Greg Kroah-Hartman
2024-02-27 13:27 ` Greg Kroah-Hartman [this message]
2024-02-27 13:27 ` [PATCH 5.4 37/84] pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours Greg Kroah-Hartman
2024-02-27 13:27 ` Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 38/84] pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 39/84] driver core: Set deferred_probe_timeout to a longer default if CONFIG_MODULES is set Greg Kroah-Hartman
2024-02-27 19:38 ` John Stultz
2024-02-28 7:07 ` Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 40/84] spi: mt7621: Fix an error message in mt7621_spi_probe() Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 41/84] net: bridge: clear bridges private skb space on xmit Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 42/84] selftests/bpf: Avoid running unprivileged tests with alignment requirements Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 43/84] ALSA: hda/realtek - Enable micmute LED on and HP system Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 44/84] Revert "drm/sun4i: dsi: Change the start delay calculation" Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 45/84] drm/amdgpu: Check for valid number of registers to read Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 46/84] x86/alternatives: Disable KASAN in apply_alternatives() Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 47/84] dm-integrity: dont modify bios immutable bio_vec in integrity_metadata() Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 48/84] iomap: Set all uptodate bits for an Uptodate page Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 49/84] drm/amdgpu: Fix type of second parameter in trans_msg() callback Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 50/84] arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 51/84] PCI: tegra: Fix reporting GPIO error value Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 52/84] PCI: tegra: Fix OF node reference leak Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 53/84] IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 54/84] dm-crypt: dont modify the data when using authenticated encryption Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 55/84] gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 56/84] PCI/MSI: Prevent MSI hardware interrupt number truncation Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 57/84] l2tp: pass correct message length to ip6_append_data Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 58/84] ARM: ep93xx: Add terminator to gpiod_lookup_table Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 59/84] usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 60/84] usb: cdns3: fix memory double free when handle zero packet Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 61/84] usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 62/84] usb: roles: dont get/set_role() when usb_role_switch is unregistered Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 63/84] IB/hfi1: Fix a memleak in init_credit_return Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 64/84] RDMA/bnxt_re: Return error for SRQ resize Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 65/84] RDMA/srpt: Make debug output more detailed Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 66/84] RDMA/srpt: fix function pointer cast warnings Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 67/84] scripts/bpf: teach bpf_helpers_doc.py to dump BPF helper definitions Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 68/84] bpf, scripts: Correct GPL license name Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 69/84] scsi: jazz_esp: Only build if SCSI core is builtin Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 70/84] nouveau: fix function cast warnings Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 71/84] ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 72/84] ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 73/84] afs: Increase buffer size in afs_update_volume_status() Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 74/84] ipv6: sr: fix possible use-after-free and null-ptr-deref Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 75/84] packet: move from strlcpy with unused retval to strscpy Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 76/84] s390: use the correct count for __iowrite64_copy() Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 77/84] tls: rx: jump to a more appropriate label Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 78/84] tls: rx: drop pointless else after goto Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 79/84] tls: stop recv() if initial process_rx_list gave us non-DATA Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 80/84] netfilter: nf_tables: set dormant flag on hook register failure Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 81/84] drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3 Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 82/84] drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 83/84] fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio Greg Kroah-Hartman
2024-02-27 13:27 ` [PATCH 5.4 84/84] scripts/bpf: Fix xdp_md forward declaration typo Greg Kroah-Hartman
2024-02-27 18:26 ` [PATCH 5.4 00/84] 5.4.270-rc1 review Florian Fainelli
2024-02-28 13:38 ` Jon Hunter
2024-02-28 16:57 ` Shuah Khan
2024-02-28 17:20 ` Naresh Kamboju
2024-02-28 18:18 ` Harshit Mogalapalli
2024-02-29 10:57 ` Shreeya Patel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240227131554.044499554@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.