From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Francesco Ruggeri <fruggeri@aristanetworks.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 28/64] net/packet: fix a race in packet_bind() and packet_notifier()
Date: Fri, 15 Dec 2017 10:21:52 +0100 [thread overview]
Message-ID: <20171215092213.117682895@linuxfoundation.org> (raw)
In-Reply-To: <20171215092212.018372669@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 15fe076edea787807a7cdc168df832544b58eba6 ]
syzbot reported crashes [1] and provided a C repro easing bug hunting.
When/if packet_do_bind() calls __unregister_prot_hook() and releases
po->bind_lock, another thread can run packet_notifier() and process an
NETDEV_UP event.
This calls register_prot_hook() and hooks the socket again right before
the first thread is able to grab po->bind_lock again.
Fix this issue by temporarily setting po->num to 0, as suggested by
David Miller.
[1]
dev_remove_pack: ffff8801bf16fa80 not found
------------[ cut here ]------------
kernel BUG at net/core/dev.c:7945! ( BUG_ON(!list_empty(&dev->ptype_all)); )
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
device syz0 entered promiscuous mode
CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801cc57a500 task.stack: ffff8801cc588000
RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945
RSP: 0018:ffff8801cc58f598 EFLAGS: 00010293
RAX: ffff8801cc57a500 RBX: dffffc0000000000 RCX: ffffffff841f75b2
RDX: 0000000000000000 RSI: 1ffff100398b1ede RDI: ffff8801bf1f8810
device syz0 entered promiscuous mode
RBP: ffff8801cc58f898 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bf1f8cd8
R13: ffff8801cc58f870 R14: ffff8801bf1f8780 R15: ffff8801cc58f7f0
FS: 0000000001716880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020b13000 CR3: 0000000005e25000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106
tun_detach drivers/net/tun.c:670 [inline]
tun_chr_close+0x49/0x60 drivers/net/tun.c:2845
__fput+0x333/0x7f0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x9bb/0x1ae0 kernel/exit.c:865
do_group_exit+0x149/0x400 kernel/exit.c:968
SYSC_exit_group kernel/exit.c:979 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:977
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x44ad19
Fixes: 30f7ea1c2b5f ("packet: race condition in packet_bind")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Francesco Ruggeri <fruggeri@aristanetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2704,6 +2704,10 @@ static int packet_do_bind(struct sock *s
if (need_rehook) {
if (po->running) {
rcu_read_unlock();
+ /* prevents packet_notifier() from calling
+ * register_prot_hook()
+ */
+ po->num = 0;
__unregister_prot_hook(sk, true);
rcu_read_lock();
dev_curr = po->prot_hook.dev;
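Review bot: the new comment above `po->num = 0;` states the effect but not the mechanism, which is the whole point of the fix; spell out that `__unregister_prot_hook(sk, true)` drops po->bind_lock and that packet_notifier() tests po->num under that same lock before calling register_prot_hook() on NETDEV_UP, otherwise a later reader cannot tell why a bare store to po->num is a sufficient guard. Something like `/* __unregister_prot_hook(sk, true) drops bind_lock; zero po->num so packet_notifier()'s NETDEV_UP path skips register_prot_hook() */` would do. It is also worth noting in that comment that the store only needs to live in the `if (po->running)` branch because that is the only branch that releases the lock.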
@@ -2712,6 +2716,7 @@ static int packet_do_bind(struct sock *s
dev->ifindex);
}
+ BUG_ON(po->running);
po->num = proto;
po->prot_hook.type = proto;
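Review bot: `BUG_ON(po->running)` turns any future regression of this ordering into a kernel panic on a path userspace reaches through bind() on a packet socket; for a stable backport a `WARN_ON_ONCE(po->running)` followed by a clean error return (unlock and fail the bind) keeps the diagnostic without making the failure fatal. If the hard BUG_ON is kept because the alternative is the silent double registration behind the dev_remove_pack splat quoted above, say so in a comment next to it, since the bare assertion gives no hint of what invariant it enforces or why po->num is restored to `proto` only after it.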
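To make the interleaving in the commit message concrete, here is an added userspace model of the race and of the po->num = 0 guard. It is example code written for this page, not code from the patch or from net/packet/af_packet.c: the struct fields and function names mirror af_packet.c (po->num, po->running, po->bind_lock, register_prot_hook, __unregister_prot_hook, packet_notifier) but every body is a simplified stand-in, the spinlock is a boolean ownership flag, the "other CPU" is a callback invoked at the exact point where the lock is dropped, and the protocol numbers 0x0800 and 0x86dd are just sample values. What it shows is that with the pre-patch ordering the notifier re-registers the hook inside the window, so the hook is already running when bind_lock is re-taken, while zeroing po->num before dropping the lock closes that window.

```c
/* Added example, not kernel code: deterministic model of the
 * packet_do_bind() / packet_notifier() race fixed by this patch. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

struct packet_sock {
	bool bind_lock;        /* stand-in for spinlock_t: true while held */
	unsigned short num;    /* bound protocol, 0 means "not hooked" */
	bool running;          /* protocol hook is registered */
};

/* Whatever another CPU does while bind_lock is dropped. */
typedef void (*lock_drop_cb)(struct packet_sock *po);

static void bind_lock(struct packet_sock *po)
{
	assert(!po->bind_lock);   /* a nested acquire would deadlock a real spinlock */
	po->bind_lock = true;
}

static void bind_unlock(struct packet_sock *po)
{
	assert(po->bind_lock);
	po->bind_lock = false;
}

/* Model of register_prot_hook(): caller holds bind_lock. */
static void register_prot_hook(struct packet_sock *po)
{
	if (!po->running)
		po->running = true;
}

/* Model of __unregister_prot_hook(sk, sync=true): clears running, releases
 * bind_lock for the synchronisation window, then re-takes it. `interfere`
 * plays the role of another CPU scheduled during that window. */
static void __unregister_prot_hook(struct packet_sock *po, lock_drop_cb interfere)
{
	po->running = false;
	bind_unlock(po);
	if (interfere)
		interfere(po);
	bind_lock(po);
}

/* Model of packet_notifier() handling NETDEV_UP for the bound interface. */
static void packet_notifier_up(struct packet_sock *po)
{
	bind_lock(po);
	if (po->num)
		register_prot_hook(po);
	bind_unlock(po);
}

/* Model of the re-hook path in packet_do_bind(). fixed == false uses the
 * pre-patch ordering; fixed == true zeroes po->num before the lock is
 * dropped, as the patch does. Returns true when the condition checked by
 * the patch's BUG_ON(po->running) holds once bind_lock is re-acquired. */
static bool packet_do_bind(struct packet_sock *po, unsigned short proto,
			   bool fixed, lock_drop_cb interfere)
{
	bool hook_not_running;

	bind_lock(po);
	if (po->running) {
		if (fixed)
			po->num = 0;   /* notifier now sees num == 0 and skips register_prot_hook() */
		__unregister_prot_hook(po, interfere);
	}
	hook_not_running = !po->running;   /* the patch's BUG_ON(po->running) */
	po->num = proto;
	register_prot_hook(po);            /* bind path registers the hook exactly once */
	bind_unlock(po);
	return hook_not_running;
}

/* One run of the race: socket already bound (sample protocol 0x0800) and
 * running, then bind() to 0x86dd while NETDEV_UP lands inside the window. */
static bool run_race(bool fixed)
{
	struct packet_sock po = { .bind_lock = false, .num = 0x0800, .running = true };

	return packet_do_bind(&po, 0x86dd, fixed, packet_notifier_up);
}

int main(void)
{
	printf("pre-patch ordering: hook %s when bind_lock is re-taken\n",
	       run_race(false) ? "not running" : "already re-registered");
	printf("patched ordering:   hook %s when bind_lock is re-taken\n",
	       run_race(true) ? "not running" : "already re-registered");
	return 0;
}
```

The model stops at the invariant the patch asserts; in the real kernel the consequence of losing it is that packet_do_bind() then rewrites po->prot_hook.type and dev underneath a hook that is still on the device's ptype list, which is what the dev_remove_pack() "not found" line and the BUG_ON in netdev_run_todo() above are reporting.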