From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Willem de Bruijn <willemb@google.com>,
syzbot <syzkaller@googlegroups.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.16 41/43] af_packet: fix data-race in packet_setsockopt / packet_setsockopt
Date: Fri, 4 Feb 2022 10:22:48 +0100 [thread overview]
Message-ID: <20220204091918.496128137@linuxfoundation.org> (raw)
In-Reply-To: <20220204091917.166033635@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
commit e42e70ad6ae2ae511a6143d2e8da929366e58bd9 upstream.
When packet_setsockopt( PACKET_FANOUT_DATA ) reads po->fanout,
no lock is held, meaning that another thread can change po->fanout.
Given that po->fanout can only be set once during the socket lifetime
(it is only cleared from fanout_release()), we can use
READ_ONCE()/WRITE_ONCE() to document the race.
BUG: KCSAN: data-race in packet_setsockopt / packet_setsockopt
write to 0xffff88813ae8e300 of 8 bytes by task 14653 on cpu 0:
fanout_add net/packet/af_packet.c:1791 [inline]
packet_setsockopt+0x22fe/0x24a0 net/packet/af_packet.c:3931
__sys_setsockopt+0x209/0x2a0 net/socket.c:2180
__do_sys_setsockopt net/socket.c:2191 [inline]
__se_sys_setsockopt net/socket.c:2188 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff88813ae8e300 of 8 bytes by task 14654 on cpu 1:
packet_setsockopt+0x691/0x24a0 net/packet/af_packet.c:3935
__sys_setsockopt+0x209/0x2a0 net/socket.c:2180
__do_sys_setsockopt net/socket.c:2191 [inline]
__se_sys_setsockopt net/socket.c:2188 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2188
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0x0000000000000000 -> 0xffff888106f8c000
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 14654 Comm: syz-executor.3 Not tainted 5.16.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes: 47dceb8ecdc1 ("packet: add classic BPF fanout mode")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20220201022358.330621-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1788,7 +1788,10 @@ static int fanout_add(struct sock *sk, s
err = -ENOSPC;
if (refcount_read(&match->sk_ref) < match->max_num_members) {
__dev_remove_pack(&po->prot_hook);
- po->fanout = match;
+
+ /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */
+ WRITE_ONCE(po->fanout, match);
+
po->rollover = rollover;
rollover = NULL;
refcount_set(&match->sk_ref, refcount_read(&match->sk_ref) + 1);
@@ -3941,7 +3944,8 @@ packet_setsockopt(struct socket *sock, i
}
case PACKET_FANOUT_DATA:
{
- if (!po->fanout)
+ /* Paired with the WRITE_ONCE() in fanout_add() */
+ if (!READ_ONCE(po->fanout))
return -EINVAL;
return fanout_set_data(po, optval, optlen);
next prev parent reply other threads:[~2022-02-04 9:29 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-04 9:22 [PATCH 5.16 00/43] 5.16.6-rc1 review Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 01/43] PCI: pciehp: Fix infinite loop in IRQ handler upon power fault Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 02/43] selftests: mptcp: fix ipv6 routing setup Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 03/43] net: ipa: use a bitmap for endpoint replenish_enabled Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 04/43] net: ipa: prevent concurrent replenish Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 05/43] drm/vc4: hdmi: Make sure the device is powered with CEC Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 06/43] cgroup-v1: Require capabilities to set release_agent Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 07/43] Revert "mm/gup: small refactoring: simplify try_grab_page()" Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 08/43] net: phy: Fix qca8081 with speeds lower than 2.5Gb/s Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 09/43] ovl: dont fail copy up if no fileattr support on upper Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 10/43] lockd: fix server crash on reboot of client holding lock Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 11/43] lockd: fix failure to cleanup client locks Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 12/43] net/mlx5e: IPsec: Fix crypto offload for non TCP/UDP encapsulated traffic Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 13/43] net/mlx5e: IPsec: Fix tunnel mode crypto offload for non TCP/UDP traffic Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 14/43] net/mlx5e: TC, Reject rules with drop and modify hdr action Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 15/43] net/mlx5: Bridge, take rtnl lock in init error handler Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 16/43] net/mlx5: Bridge, ensure dev_name is null-terminated Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 17/43] net/mlx5e: Fix handling of wrong devices during bond netevent Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 18/43] net/mlx5: Use del_timer_sync in fw reset flow of halting poll Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 19/43] net/mlx5e: Fix module EEPROM query Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 20/43] net/mlx5e: TC, Reject rules with forward and drop actions Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 21/43] net/mlx5: Fix offloading with ESWITCH_IPV4_TTL_MODIFY_ENABLE Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 22/43] net/mlx5e: Dont treat small ceil values as unlimited in HTB offload Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 23/43] net/mlx5: Bridge, Fix devlink deadlock on net namespace deletion Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 24/43] net/mlx5e: Avoid field-overflowing memcpy() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 25/43] net/mlx5e: Fix wrong calculation of header index in HW_GRO Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 26/43] net/mlx5e: Fix broken SKB allocation in HW-GRO Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 27/43] net/mlx5: E-Switch, Fix uninitialized variable modact Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 28/43] net/mlx5e: Avoid implicit modify hdr for decap drop rule Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 29/43] ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 30/43] i40e: Fix reset bw limit when DCB enabled with 1 TC Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 31/43] i40e: Fix reset path while removing the driver Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 32/43] net: amd-xgbe: ensure to reset the tx_timer_active flag Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 33/43] net: amd-xgbe: Fix skb data length underflow Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 34/43] fanotify: Fix stale file descriptor in copy_event_to_user() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 35/43] net: sched: fix use-after-free in tc_new_tfilter() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 36/43] rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 37/43] net: ipa: request IPA register values be retained Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 38/43] bpf: Fix possible race in inc_misses_counter Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 39/43] cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 40/43] e1000e: Handshake with CSME starts from ADL platforms Greg Kroah-Hartman
2022-02-04 9:22 ` Greg Kroah-Hartman [this message]
2022-02-04 9:22 ` [PATCH 5.16 42/43] tcp: fix mem under-charging with zerocopy sendmsg() Greg Kroah-Hartman
2022-02-04 9:22 ` [PATCH 5.16 43/43] tcp: add missing tcp_skb_can_collapse() test in tcp_shift_skb_data() Greg Kroah-Hartman
2022-02-04 15:20 ` [PATCH 5.16 00/43] 5.16.6-rc1 review Jon Hunter
2022-02-04 18:15 ` Florian Fainelli
2022-02-04 20:31 ` Shuah Khan
2022-02-04 22:55 ` Justin Forbes
2022-02-04 23:41 ` Guenter Roeck
2022-02-05 4:40 ` Rudi Heitbaum
2022-02-05 5:14 ` Slade Watkins
2022-02-05 6:28 ` Naresh Kamboju
2022-02-05 6:50 ` Scott Bruce
2022-02-05 8:14 ` Bagas Sanjaya
2022-02-05 9:08 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220204091918.496128137@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).