[PATCH 4.14 30/62] netlink: annotate data races around dst_portid and dst_group

Archive-only list for patches
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 30/62] netlink: annotate data races around dst_portid and dst_group
Date: Fri,  3 Feb 2023 11:12:26 +0100	[thread overview]
Message-ID: <20230203101014.311613084@linuxfoundation.org> (raw)
In-Reply-To: <20230203101012.959398849@linuxfoundation.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 004db64d185a5f23dfb891d7701e23713b2420ee ]

netlink_getname(), netlink_sendmsg() and netlink_getsockbyportid()
can read nlk->dst_portid and nlk->dst_group while another
thread is changing them.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 1b2e99ce54e5..1547d0825668 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1062,8 +1062,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
 
 	if (addr->sa_family == AF_UNSPEC) {
 		sk->sk_state	= NETLINK_UNCONNECTED;
-		nlk->dst_portid	= 0;
-		nlk->dst_group  = 0;
+		/* dst_portid and dst_group can be read locklessly */
+		WRITE_ONCE(nlk->dst_portid, 0);
+		WRITE_ONCE(nlk->dst_group, 0);
 		return 0;
 	}
 	if (addr->sa_family != AF_NETLINK)
@@ -1085,8 +1086,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
 
 	if (err == 0) {
 		sk->sk_state	= NETLINK_CONNECTED;
-		nlk->dst_portid = nladdr->nl_pid;
-		nlk->dst_group  = ffs(nladdr->nl_groups);
+		/* dst_portid and dst_group can be read locklessly */
+		WRITE_ONCE(nlk->dst_portid, nladdr->nl_pid);
+		WRITE_ONCE(nlk->dst_group, ffs(nladdr->nl_groups));
 	}
 
 	return err;
@@ -1104,8 +1106,9 @@ static int netlink_getname(struct socket *sock, struct sockaddr *addr,
 	*addr_len = sizeof(*nladdr);
 
 	if (peer) {
-		nladdr->nl_pid = nlk->dst_portid;
-		nladdr->nl_groups = netlink_group_mask(nlk->dst_group);
+		/* Paired with WRITE_ONCE() in netlink_connect() */
+		nladdr->nl_pid = READ_ONCE(nlk->dst_portid);
+		nladdr->nl_groups = netlink_group_mask(READ_ONCE(nlk->dst_group));
 	} else {
 		nladdr->nl_pid = nlk->portid;
 		netlink_lock_table();
@@ -1134,8 +1137,9 @@ static struct sock *netlink_getsockbyportid(struct sock *ssk, u32 portid)
 
 	/* Don't bother queuing skb if kernel socket has no input function */
 	nlk = nlk_sk(sock);
+	/* dst_portid can be changed in netlink_connect() */
 	if (sock->sk_state == NETLINK_CONNECTED &&
-	    nlk->dst_portid != nlk_sk(ssk)->portid) {
+	    READ_ONCE(nlk->dst_portid) != nlk_sk(ssk)->portid) {
 		sock_put(sock);
 		return ERR_PTR(-ECONNREFUSED);
 	}
@@ -1847,8 +1851,9 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 			goto out;
 		netlink_skb_flags |= NETLINK_SKB_DST;
 	} else {
-		dst_portid = nlk->dst_portid;
-		dst_group = nlk->dst_group;
+		/* Paired with WRITE_ONCE() in netlink_connect() */
+		dst_portid = READ_ONCE(nlk->dst_portid);
+		dst_group = READ_ONCE(nlk->dst_group);
 	}
 
 	/* Paired with WRITE_ONCE() in netlink_insert() */
-- 
2.39.0

next prev parent reply	other threads:[~2023-02-03 10:15 UTC|newest]

Thread overview: 65+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-03 10:11 [PATCH 4.14 00/62] 4.14.305-rc1 review Greg Kroah-Hartman
2023-02-03 10:11 ` [PATCH 4.14 01/62] ARM: dts: imx6qdl-gw560x: Remove incorrect uart-has-rtscts Greg Kroah-Hartman
2023-02-03 10:11 ` [PATCH 4.14 02/62] HID: intel_ish-hid: Add check for ishtp_dma_tx_map Greg Kroah-Hartman
2023-02-03 10:11 ` [PATCH 4.14 03/62] EDAC/highbank: Fix memory leak in highbank_mc_probe() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 04/62] tomoyo: fix broken dependency on *.conf.default Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 05/62] IB/hfi1: Reject a zero-length user expected buffer Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 06/62] IB/hfi1: Reserve user expected TIDs Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 07/62] affs: initialize fsdata in affs_truncate() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 08/62] amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 09/62] phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 10/62] net: nfc: Fix use-after-free in local_cleanup() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 11/62] wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 12/62] net: usb: sr9700: Handle negative len Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 13/62] net: mdio: validate parameter addr in mdiobus_get_phy() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 14/62] HID: check empty report_list in hid_validate_values() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 15/62] usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 16/62] usb: gadget: f_fs: Ensure ep0req is dequeued before free_request Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 17/62] net: mlx5: eliminate anonymous module_init & module_exit Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 18/62] dmaengine: Fix double increment of client_count in dma_chan_get() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 19/62] HID: betop: check shape of output reports Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 20/62] w1: fix deadloop in __w1_remove_master_device() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 21/62] w1: fix WARNING after calling w1_process() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 22/62] comedi: adv_pci1760: Fix PWM instruction handling Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 23/62] fs: reiserfs: remove useless new_opts in reiserfs_remount Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 24/62] Bluetooth: hci_sync: cancel cmd_timer if hci_open failed Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 25/62] scsi: hpsa: Fix allocation size for scsi_host_alloc() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 26/62] module: Dont wait for GOING modules Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 27/62] tracing: Make sure trace_printk() can output as soon as it can be used Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 28/62] ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 29/62] EDAC/device: Respect any driver-supplied workqueue polling value Greg Kroah-Hartman
2023-02-03 10:12 ` Greg Kroah-Hartman [this message]
2023-02-03 10:12 ` [PATCH 4.14 31/62] netlink: annotate data races around sk_state Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 32/62] netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 33/62] netrom: Fix use-after-free of a listening socket Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 34/62] sctp: fail if no bound addresses can be used for a given scope Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 35/62] net: ravb: Fix possible hang if RIS2_QFF1 happen Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 36/62] net/tg3: resolve deadlock in tg3_reset_task() during EEH Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 37/62] Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode" Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 38/62] x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 39/62] wifi: brcmfmac: fix up incorrect 4.14.y backport for brcmf_fw_map_chip_to_name() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 40/62] xen: Fix up build warning with xen_init_time_ops() reference Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 41/62] drm/radeon/dp: make radeon_dp_get_dp_link_config static Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 42/62] scsi: qla2xxx: dont break the bsg-lib abstractions Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 43/62] x86/asm: Fix an assembler warning with current binutils Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 44/62] x86/entry/64: Add instruction suffix to SYSRET Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 45/62] sysctl: add a new register_sysctl_init() interface Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 46/62] panic: unset panic_on_warn inside panic() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 47/62] exit: Add and use make_task_dead Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 48/62] objtool: Add a missing comma to avoid string concatenation Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 49/62] hexagon: Fix function name in die() Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 50/62] h8300: Fix build errors from do_exit() to make_task_dead() transition Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 51/62] ia64: make IA64_MCA_RECOVERY bool instead of tristate Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 52/62] exit: Put an upper limit on how often we can oops Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 53/62] exit: Expose "oops_count" to sysfs Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 54/62] exit: Allow oops_limit to be disabled Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 55/62] panic: Consolidate open-coded panic_on_warn checks Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 56/62] panic: Introduce warn_limit Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 57/62] panic: Expose "warn_count" to sysfs Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 58/62] docs: Fix path paste-o for /sys/kernel/warn_count Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 59/62] exit: Use READ_ONCE() for all oops/warn limit reads Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 60/62] mm: kvmalloc does not fallback to vmalloc for incompatible gfp flags Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 61/62] ipv6: ensure sane device mtu in tunnels Greg Kroah-Hartman
2023-02-03 10:12 ` [PATCH 4.14 62/62] usb: host: xhci-plat: add wakeup entry at sysfs Greg Kroah-Hartman
2023-02-04  1:48 ` [PATCH 4.14 00/62] 4.14.305-rc1 review Guenter Roeck
2023-02-04  9:36 ` Naresh Kamboju

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1b2e99ce54e dfblob:1547d082566 )
 OR (
bs:"[PATCH 4.14 30/62] netlink: annotate data races around dst_portid and dst_group" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230203101014.311613084@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=patches@lists.linux.dev \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox