From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Miller Subject: Re: [PATCH net] bpfilter: fix race in pipe access Date: Thu, 07 Jun 2018 20:07:52 -0400 (EDT) Message-ID: <20180607.200752.284768085796877308.davem@davemloft.net> References: <20180607223114.189970-1-ast@kernel.org> Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: daniel@iogearbox.net, netdev@vger.kernel.org, dvyukov@google.com, willy@infradead.org, kernel-team@fb.com To: ast@kernel.org Return-path: Received: from shards.monkeyblade.net ([184.105.139.130]:36274 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752178AbeFHAHy (ORCPT ); Thu, 7 Jun 2018 20:07:54 -0400 In-Reply-To: <20180607223114.189970-1-ast@kernel.org> Sender: netdev-owner@vger.kernel.org List-ID: From: Alexei Starovoitov Date: Thu, 7 Jun 2018 15:31:14 -0700 > syzbot reported the following crash > [ 338.293946] bpfilter: read fail -512 > [ 338.304515] kasan: GPF could be caused by NULL-ptr deref or user memory access > [ 338.311863] general protection fault: 0000 [#1] SMP KASAN > [ 338.344360] RIP: 0010:__vfs_write+0x4a6/0x960 > [ 338.426363] Call Trace: > [ 338.456967] __kernel_write+0x10c/0x380 > [ 338.460928] __bpfilter_process_sockopt+0x1d8/0x35b > [ 338.487103] bpfilter_mbox_request+0x4d/0xb0 > [ 338.491492] bpfilter_ip_get_sockopt+0x6b/0x90 > > This can happen when multiple cpus trying to talk to user mode process > via bpfilter_mbox_request(). One cpu grabs the mutex while another goes to > sleep on the same mutex. Then former cpu sees that umh pipe is down and > shuts down the pipes. Later cpu finally acquires the mutex and crashes > on freed pipe. > Fix the race by using info.pid as an indicator that umh and pipes are healthy > and check it after acquiring the mutex. > > Fixes: d2ba09c17a06 ("net: add skeleton of bpfilter kernel module") > Reported-by: syzbot+7ade6c94abb2774c0fee@syzkaller.appspotmail.com > Signed-off-by: Alexei Starovoitov Applied, thanks Alexei.