From: Paolo Abeni <pabeni@redhat.com>
To: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>,
Tom Herbert <tom@quantonium.net>,
Kirill Tkhai <ktkhai@virtuozzo.com>
Subject: [RFC PATCH] kcm: hold rx mux lock when updating the receive queue.
Date: Tue, 5 Jun 2018 12:32:33 +0200 [thread overview]
Message-ID: <fa80bc9f24e40e1a7a7fa1452330b7f0b7d6e1fe.1528194606.git.pabeni@redhat.com> (raw)
Currently kcm holds both the RX mux lock and the socket lock when
updating the sk receive queue, except in some notable cases:
- kcm_rfree holds only the RX mux lock
- kcm_recvmsg holds only the socket lock
has results there are possible races which cause receive queue
corruption, as reported by the syzbot.
Since we can't acquire the socket lock in kcm_rfree, let's use
the RX mux lock to protect the receive queue update in kcm_recvmsg,
too. Also, let's add some commit noting which is the locking schema in use.
Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Reported-and-tested-by: syzbot+278279efdd2730dd14bf@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
This is an RFC, since I'm really new to this area, anyway the syzport
reported success in testing the proposed fix.
This is very likely a scenario where the hopefully upcoming
skb->prev,next->list_head conversion would have helped a lot, thanks to
list poisoning and list debug
---
net/kcm/kcmsock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index d3601d421571..95e1d95ab24a 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -188,6 +188,7 @@ static void kcm_rfree(struct sk_buff *skb)
}
}
+/* RX mux lock held */
static int kcm_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct sk_buff_head *list = &sk->sk_receive_queue;
@@ -1157,7 +1158,9 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
/* Finished with message */
msg->msg_flags |= MSG_EOR;
KCM_STATS_INCR(kcm->stats.rx_msgs);
+ spin_lock_bh(&kcm->mux->rx_lock);
skb_unlink(skb, &sk->sk_receive_queue);
+ spin_unlock_bh(&kcm->mux->rx_lock);
kfree_skb(skb);
}
}
--
2.17.1
next reply other threads:[~2018-06-05 10:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-05 10:32 Paolo Abeni [this message]
2018-06-05 14:53 ` [RFC PATCH] kcm: hold rx mux lock when updating the receive queue David Miller
[not found] ` <CALx6S353uk_W8b4ic1NYNBS--z41PT6brkwzPvZZj6J2-yEieg@mail.gmail.com>
2018-06-05 16:06 ` Paolo Abeni
2018-06-06 9:44 ` Paolo Abeni
2018-06-06 10:25 ` Kirill Tkhai
2018-06-06 12:23 ` Paolo Abeni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fa80bc9f24e40e1a7a7fa1452330b7f0b7d6e1fe.1528194606.git.pabeni@redhat.com \
--to=pabeni@redhat.com \
--cc=davem@davemloft.net \
--cc=ktkhai@virtuozzo.com \
--cc=netdev@vger.kernel.org \
--cc=tom@quantonium.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).