From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>,
Simon Horman <simon.horman@corigine.com>,
Jakub Kicinski <kuba@kernel.org>,
"yenchia.chen" <yenchia.chen@mediatek.com>
Subject: [PATCH 5.15 13/23] netlink: annotate lockless accesses to nlk->max_recvmsg_len
Date: Thu, 23 May 2024 15:13:09 +0200 [thread overview]
Message-ID: <20240523130328.455931434@linuxfoundation.org> (raw)
In-Reply-To: <20240523130327.956341021@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit a1865f2e7d10dde00d35a2122b38d2e469ae67ed upstream.
syzbot reported a data-race in data-race in netlink_recvmsg() [1]
Indeed, netlink_recvmsg() can be run concurrently,
and netlink_dump() also needs protection.
[1]
BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg
read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0:
netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg net/socket.c:1038 [inline]
__sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194
__do_sys_recvfrom net/socket.c:2212 [inline]
__se_sys_recvfrom net/socket.c:2208 [inline]
__x64_sys_recvfrom+0x78/0x90 net/socket.c:2208
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
write to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1:
netlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg net/socket.c:1038 [inline]
____sys_recvmsg+0x156/0x310 net/socket.c:2720
___sys_recvmsg net/socket.c:2762 [inline]
do_recvmmsg+0x2e5/0x710 net/socket.c:2856
__sys_recvmmsg net/socket.c:2935 [inline]
__do_sys_recvmmsg net/socket.c:2958 [inline]
__se_sys_recvmmsg net/socket.c:2951 [inline]
__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x0000000000000000 -> 0x0000000000001000
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Fixes: 9063e21fb026 ("netlink: autosize skb lengthes")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20230403214643.768555-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: yenchia.chen <yenchia.chen@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netlink/af_netlink.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1935,7 +1935,7 @@ static int netlink_recvmsg(struct socket
struct sock *sk = sock->sk;
struct netlink_sock *nlk = nlk_sk(sk);
int noblock = flags & MSG_DONTWAIT;
- size_t copied;
+ size_t copied, max_recvmsg_len;
struct sk_buff *skb, *data_skb;
int err, ret;
@@ -1968,9 +1968,10 @@ static int netlink_recvmsg(struct socket
#endif
/* Record the max length of recvmsg() calls for future allocations */
- nlk->max_recvmsg_len = max(nlk->max_recvmsg_len, len);
- nlk->max_recvmsg_len = min_t(size_t, nlk->max_recvmsg_len,
- SKB_WITH_OVERHEAD(32768));
+ max_recvmsg_len = max(READ_ONCE(nlk->max_recvmsg_len), len);
+ max_recvmsg_len = min_t(size_t, max_recvmsg_len,
+ SKB_WITH_OVERHEAD(32768));
+ WRITE_ONCE(nlk->max_recvmsg_len, max_recvmsg_len);
copied = data_skb->len;
if (len < copied) {
@@ -2219,6 +2220,7 @@ static int netlink_dump(struct sock *sk)
struct netlink_ext_ack extack = {};
struct netlink_callback *cb;
struct sk_buff *skb = NULL;
+ size_t max_recvmsg_len;
struct module *module;
int err = -ENOBUFS;
int alloc_min_size;
@@ -2241,8 +2243,9 @@ static int netlink_dump(struct sock *sk)
cb = &nlk->cb;
alloc_min_size = max_t(int, cb->min_dump_alloc, NLMSG_GOODSIZE);
- if (alloc_min_size < nlk->max_recvmsg_len) {
- alloc_size = nlk->max_recvmsg_len;
+ max_recvmsg_len = READ_ONCE(nlk->max_recvmsg_len);
+ if (alloc_min_size < max_recvmsg_len) {
+ alloc_size = max_recvmsg_len;
skb = alloc_skb(alloc_size,
(GFP_KERNEL & ~__GFP_DIRECT_RECLAIM) |
__GFP_NOWARN | __GFP_NORETRY);
next prev parent reply other threads:[~2024-05-23 13:18 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-23 13:12 [PATCH 5.15 00/23] 5.15.160-rc1 review Greg Kroah-Hartman
2024-05-23 13:12 ` [PATCH 5.15 01/23] drm/amd/display: Fix division by zero in setup_dsc_config Greg Kroah-Hartman
2024-05-23 13:12 ` [PATCH 5.15 02/23] pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Greg Kroah-Hartman
2024-05-23 13:12 ` [PATCH 5.15 03/23] nfsd: dont allow nfsd threads to be signalled Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 04/23] KEYS: trusted: Fix memory leak in tpm2_key_encode() Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 05/23] Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 06/23] net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 07/23] net: bcmgenet: synchronize UMAC_CMD access Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 08/23] tls: rx: simplify async wait Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 09/23] tls: extract context alloc/initialization out of tls_set_sw_offload Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 10/23] net: tls: factor out tls_*crypt_async_wait() Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 11/23] tls: fix race between async notify and socket close Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 12/23] net: tls: handle backlogging of crypto requests Greg Kroah-Hartman
2024-05-23 13:13 ` Greg Kroah-Hartman [this message]
2024-05-23 13:13 ` [PATCH 5.15 14/23] netlink: annotate data-races around sk->sk_err Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 15/23] KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 16/23] drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 17/23] binder: fix max_thread type inconsistency Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 18/23] usb: typec: ucsi: displayport: Fix potential deadlock Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 19/23] serial: kgdboc: Fix NMI-safety problems from keyboard reset code Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 20/23] remoteproc: mediatek: Make sure IPI buffer fits in L2TCM Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 21/23] KEYS: trusted: Do not use WARN when encode fails Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 22/23] admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET Greg Kroah-Hartman
2024-05-23 13:13 ` [PATCH 5.15 23/23] docs: kernel_include.py: Cope with docutils 0.21 Greg Kroah-Hartman
2024-05-23 17:02 ` [PATCH 5.15 00/23] 5.15.160-rc1 review SeongJae Park
2024-05-23 18:20 ` Mark Brown
2024-05-23 18:50 ` Florian Fainelli
2024-05-24 6:54 ` Harshit Mogalapalli
2024-05-24 8:16 ` Anders Roxell
2024-05-24 14:36 ` Shuah Khan
2024-05-24 20:44 ` Ron Economos
2024-05-24 23:13 ` Jon Hunter
2024-05-25 14:20 ` Greg Kroah-Hartman
2024-05-28 9:04 ` Jon Hunter
2024-05-28 13:14 ` Chuck Lever III
2024-05-28 13:33 ` Fwd: " Chuck Lever III
2024-05-28 16:45 ` kdevops: suspend tests (Wasx: Re: Fwd: [PATCH 5.15 00/23] 5.15.160-rc1 review) Luis Chamberlain
2024-05-28 18:02 ` Chuck Lever III
2024-05-28 18:26 ` kdevops: suspend tests (Wasx: Re: Fwd: [PATCH 5.15 00/23] 5.15.160-rc1 review)' Luis Chamberlain
2024-05-28 14:18 ` [PATCH 5.15 00/23] 5.15.160-rc1 review Jon Hunter
2024-05-28 20:38 ` Chris Packham
2024-05-28 20:55 ` Chuck Lever III
2024-05-28 22:01 ` NeilBrown
2024-05-28 23:33 ` Chuck Lever III
2024-05-28 23:44 ` NeilBrown
2024-05-29 0:13 ` Chuck Lever III
2024-05-28 23:42 ` NeilBrown
2024-05-29 8:59 ` Jon Hunter
2024-05-29 20:59 ` NeilBrown
2024-05-30 12:11 ` Jon Hunter
2024-06-06 14:32 ` Chuck Lever
2024-06-03 13:44 ` Chuck Lever III
2024-05-25 0:58 ` Kelsey Steele
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240523130328.455931434@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=simon.horman@corigine.com \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=yenchia.chen@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.