From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jiayuan Chen <mrpre@163.com>,
	Martin KaFai Lau <martin.lau@kernel.org>,
	Sasha Levin <sashal@kernel.org>,
	john.fastabend@gmail.com, jakub@cloudflare.com,
	edumazet@google.com, davem@davemloft.net, dsahern@kernel.org,
	kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org,
	bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 13/14] bpf: fix field access without lock
Date: Mon,  4 Nov 2024 05:52:05 -0500
Message-ID: <20241104105228.97053-13-sashal@kernel.org>
In-Reply-To: <20241104105228.97053-1-sashal@kernel.org>

From: Jiayuan Chen <mrpre@163.com>

[ Upstream commit a32aee8f0d987a7cba7fcc28002553361a392048 ]

The tcp_bpf_recvmsg_parser() function, running in user context,
retrieves seq_copied from tcp_sk without holding the socket lock, and
stores it in a local variable seq. However, the softirq context can
modify tcp_sk->seq_copied concurrently, for example, in tcp_read_sock().

As a result, the seq value is stale when it is assigned back to
tcp_sk->copied_seq at the end of tcp_bpf_recvmsg_parser(), leading to
incorrect behavior.

Due to concurrency, the copied_seq field in tcp_bpf_recvmsg_parser()
might be set to an incorrect value (less than the actual copied_seq) at
the end of the function: 'WRITE_ONCE(tcp->copied_seq, seq)'. This causes
the 'offset' to be negative in tcp_read_sock()->tcp_recv_skb() when
processing new incoming packets (sk->copied_seq - skb->seq becomes less
than 0), and all subsequent packets will be dropped.

Signed-off-by: Jiayuan Chen <mrpre@163.com>
Link: https://lore.kernel.org/r/20241028065226.35568-1-mrpre@163.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_bpf.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index fe6178715ba05..915286c3615a2 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -221,11 +221,11 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
 				  int flags,
 				  int *addr_len)
 {
-	struct tcp_sock *tcp = tcp_sk(sk);
 	int peek = flags & MSG_PEEK;
-	u32 seq = tcp->copied_seq;
 	struct sk_psock *psock;
+	struct tcp_sock *tcp;
 	int copied = 0;
+	u32 seq;
 
 	if (unlikely(flags & MSG_ERRQUEUE))
 		return inet_recv_error(sk, msg, len, addr_len);
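Review bot: `struct tcp_sock *tcp;` and `u32 seq;` are now left uninitialized from the top of tcp_bpf_recvmsg_parser() until the assignments under lock_sock(), so every path between the declarations and that point must avoid touching them. In the visible lines the MSG_ERRQUEUE early return only dereferences `sk`, so the change is safe as shown, but a one-line comment next to the declarations (or at the assignment site) saying that `tcp`/`seq` are deliberately only valid after lock_sock() would stop a later change from reintroducing an unlocked read of copied_seq.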
@@ -238,7 +238,8 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
 		return tcp_recvmsg(sk, msg, len, flags, addr_len);
 
 	lock_sock(sk);
-
+	tcp = tcp_sk(sk);
+	seq = tcp->copied_seq;
 	/* We may have received data on the sk_receive_queue pre-accept and
 	 * then we can not use read_skb in this context because we haven't
 	 * assigned a sk_socket yet so have no link to the ops. The work-around
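Review bot: the blank line after `lock_sock(sk);` was replaced by the two assignments, so `seq = tcp->copied_seq;` now runs straight into the `/* We may have received data on the sk_receive_queue pre-accept ...` comment; keep a blank line between the assignment and the comment block. Beyond style, the correctness of this hunk depends on the matching `WRITE_ONCE(tcp->copied_seq, seq)` at the end of the function (not in this diff) still executing before release_sock(), since that is what makes the read-modify-write of copied_seq atomic with respect to the softirq path in tcp_read_sock(); it would help to say so explicitly in the commit message.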
-- 
2.43.0
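The commit message describes a lost-update race: copied_seq is sampled before the socket lock is taken, the softirq path advances it in the meantime, and the stale base is written back, after which tcp_recv_skb() computes a negative offset and drops packets. The following C program is an added illustration written for this page; it is not kernel code and not part of the patch. It models the two orderings deterministically instead of racing real threads: `struct model_sock`, `softirq_consume()`, `recvmsg_buggy()`, `recvmsg_fixed()`, `skb_offset()` and the sequence values 1000/100/50/1150 are all constructed stand-ins, and the rule that a lock holder defers the softirq update (the backlog behaviour of lock_sock()) is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the few fields of struct tcp_sock / struct sock
 * that the commit message talks about; not kernel code. */
struct model_sock {
	uint32_t copied_seq;	/* next byte user space expects to copy */
	bool	 locked;	/* models lock_sock()/release_sock() ownership */
};

/* Models the softirq-side consumer (tcp_read_sock() in the commit message)
 * advancing copied_seq. While the socket lock is held the real kernel defers
 * softirq work to the backlog, so this model applies nothing while 'locked'
 * is set and reports whether the update went through (assumption). */
static bool softirq_consume(struct model_sock *sk, uint32_t bytes)
{
	if (sk->locked)
		return false;		/* deferred until the lock is dropped */
	sk->copied_seq += bytes;
	return true;
}

/* Pre-patch ordering: copied_seq is sampled before lock_sock(), so a softirq
 * update that lands in between is overwritten by the stale base value. */
static uint32_t recvmsg_buggy(struct model_sock *sk, uint32_t user_copied,
			      uint32_t softirq_bytes)
{
	uint32_t seq = sk->copied_seq;		/* read without the lock */

	softirq_consume(sk, softirq_bytes);	/* concurrent advance slips in */
	sk->locked = true;
	seq += user_copied;			/* bytes copied to user space */
	sk->copied_seq = seq;			/* stale base written back */
	sk->locked = false;
	return sk->copied_seq;
}

/* Post-patch ordering: copied_seq is read after lock_sock(); the softirq
 * update is deferred until release_sock(), so nothing is lost. */
static uint32_t recvmsg_fixed(struct model_sock *sk, uint32_t user_copied,
			      uint32_t softirq_bytes)
{
	uint32_t seq;

	sk->locked = true;
	seq = sk->copied_seq;			/* read under the lock */
	softirq_consume(sk, softirq_bytes);	/* deferred: returns false */
	seq += user_copied;
	sk->copied_seq = seq;
	sk->locked = false;
	softirq_consume(sk, softirq_bytes);	/* backlog runs after release */
	return sk->copied_seq;
}

/* Models the offset tcp_recv_skb() derives from copied_seq - skb->seq, read
 * as a signed value so an skb that is "ahead" of copied_seq shows up negative,
 * which is the condition the commit message says drops all later packets. */
static int32_t skb_offset(uint32_t copied_seq, uint32_t skb_seq)
{
	return (int32_t)(copied_seq - skb_seq);
}

/* Constructed scenario: copied_seq starts at 1000, user space copies 100
 * bytes while the softirq path consumes 50 more, so the next incoming skb
 * carries seq 1150. Returns the offset the receive path would compute. */
static int32_t scenario_offset(bool patched)
{
	struct model_sock sk = { .copied_seq = 1000, .locked = false };
	uint32_t end = patched ? recvmsg_fixed(&sk, 100, 50)
			       : recvmsg_buggy(&sk, 100, 50);

	return skb_offset(end, 1150);
}

int main(void)
{
	printf("unpatched: offset %d (negative, later skbs dropped)\n",
	       scenario_offset(false));
	printf("patched:   offset %d\n", scenario_offset(true));
	return 0;
}
```

Running it shows the unpatched ordering ending with copied_seq at 1100 while the stream has already reached 1150, giving an offset of -50; with the read moved under the lock the deferred softirq update is applied after release and the offset is 0. The same shape (read outside the lock, compute, write back inside it) is worth grepping for whenever a field is updated from both process and softirq context.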

