From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 24/35] net/packet: annotate accesses to po->ifindex
Date: Mon, 21 Jun 2021 13:52:49 -0400 [thread overview]
Message-ID: <20210621175300.735437-24-sashal@kernel.org> (raw)
In-Reply-To: <20210621175300.735437-1-sashal@kernel.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit e032f7c9c7cefffcfb79b9fc16c53011d2d9d11f ]
Like prior patch, we need to annotate lockless accesses to po->ifindex
For instance, packet_getname() is reading po->ifindex (twice) while
another thread is able to change po->ifindex.
KCSAN reported:
BUG: KCSAN: data-race in packet_do_bind / packet_getname
write to 0xffff888143ce3cbc of 4 bytes by task 25573 on cpu 1:
packet_do_bind+0x420/0x7e0 net/packet/af_packet.c:3191
packet_bind+0xc3/0xd0 net/packet/af_packet.c:3255
__sys_bind+0x200/0x290 net/socket.c:1637
__do_sys_bind net/socket.c:1648 [inline]
__se_sys_bind net/socket.c:1646 [inline]
__x64_sys_bind+0x3d/0x50 net/socket.c:1646
do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff888143ce3cbc of 4 bytes by task 25578 on cpu 0:
packet_getname+0x5b/0x1a0 net/packet/af_packet.c:3525
__sys_getsockname+0x10e/0x1a0 net/socket.c:1887
__do_sys_getsockname net/socket.c:1902 [inline]
__se_sys_getsockname net/socket.c:1899 [inline]
__x64_sys_getsockname+0x3e/0x50 net/socket.c:1899
do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0x00000000 -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 25578 Comm: syz-executor.5 Not tainted 5.13.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/packet/af_packet.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index c4eb26f0f1a7..08144559eed5 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3186,11 +3186,11 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
if (unlikely(unlisted)) {
dev_put(dev);
po->prot_hook.dev = NULL;
- po->ifindex = -1;
+ WRITE_ONCE(po->ifindex, -1);
packet_cached_dev_reset(po);
} else {
po->prot_hook.dev = dev;
- po->ifindex = dev ? dev->ifindex : 0;
+ WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0);
packet_cached_dev_assign(po, dev);
}
}
@@ -3504,7 +3504,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
uaddr->sa_family = AF_PACKET;
memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
rcu_read_lock();
- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
+ dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex));
if (dev)
strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
rcu_read_unlock();
@@ -3519,16 +3519,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
struct sock *sk = sock->sk;
struct packet_sock *po = pkt_sk(sk);
DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr);
+ int ifindex;
if (peer)
return -EOPNOTSUPP;
+ ifindex = READ_ONCE(po->ifindex);
sll->sll_family = AF_PACKET;
- sll->sll_ifindex = po->ifindex;
+ sll->sll_ifindex = ifindex;
sll->sll_protocol = READ_ONCE(po->num);
sll->sll_pkttype = 0;
rcu_read_lock();
- dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
+ dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
if (dev) {
sll->sll_hatype = dev->type;
sll->sll_halen = dev->addr_len;
@@ -4107,7 +4109,7 @@ static int packet_notifier(struct notifier_block *this,
}
if (msg == NETDEV_UNREGISTER) {
packet_cached_dev_reset(po);
- po->ifindex = -1;
+ WRITE_ONCE(po->ifindex, -1);
if (po->prot_hook.dev)
dev_put(po->prot_hook.dev);
po->prot_hook.dev = NULL;
@@ -4617,7 +4619,7 @@ static int packet_seq_show(struct seq_file *seq, void *v)
refcount_read(&s->sk_refcnt),
s->sk_type,
ntohs(READ_ONCE(po->num)),
- po->ifindex,
+ READ_ONCE(po->ifindex),
po->running,
atomic_read(&s->sk_rmem_alloc),
from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)),
--
2.30.2
next prev parent reply other threads:[~2021-06-21 17:58 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-21 17:52 [PATCH AUTOSEL 5.10 01/35] dmaengine: zynqmp_dma: Fix PM reference leak in zynqmp_dma_alloc_chan_resourc() Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 02/35] dmaengine: stm32-mdma: fix PM reference leak in stm32_mdma_alloc_chan_resourc() Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 03/35] dmaengine: xilinx: dpdma: Add missing dependencies to Kconfig Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 04/35] dmaengine: xilinx: dpdma: Limit descriptor IDs to 16 bits Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 05/35] mac80211: remove warning in ieee80211_get_sband() Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 06/35] mac80211_hwsim: drop pending frames on stop Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 07/35] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 08/35] dmaengine: rcar-dmac: Fix PM reference leak in rcar_dmac_probe() Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 09/35] dmaengine: mediatek: free the proper desc in desc_free handler Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 10/35] dmaengine: mediatek: do not issue a new desc if one is still current Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 11/35] dmaengine: mediatek: use GFP_NOWAIT instead of GFP_ATOMIC in prep_dma Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 12/35] net: ipv4: Remove unneed BUG() function Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 13/35] mac80211: drop multicast fragments Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 14/35] net: ethtool: clear heap allocations for ethtool function Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 15/35] inet: annotate data race in inet_send_prepare() and inet_dgram_connect() Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 16/35] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 17/35] net: annotate data race in sock_error() Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 18/35] inet: annotate date races around sk->sk_txhash Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 19/35] net/packet: annotate data race in packet_sendmsg() Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 20/35] net: phy: dp83867: perform soft reset and retain established link Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 21/35] riscv32: Use medany C model for modules Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 22/35] net: caif: fix memory leak in ldisc_open Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 23/35] net/packet: annotate accesses to po->bind Sasha Levin
2021-06-21 17:52 ` Sasha Levin [this message]
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 25/35] r8152: Avoid memcpy() over-reading of ETH_SS_STATS Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 26/35] sh_eth: " Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 27/35] r8169: " Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 28/35] KVM: selftests: Fix kvm_check_cap() assertion Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 29/35] net: qed: Fix memcpy() overflow of qed_dcbx_params() Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 30/35] mac80211: reset profile_periodicity/ema_ap Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 31/35] mac80211: handle various extensible elements correctly Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 32/35] recordmcount: Correct st_shndx handling Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 33/35] PCI: Add AMD RS690 quirk to enable 64-bit DMA Sasha Levin
2021-06-21 17:52 ` [PATCH AUTOSEL 5.10 34/35] net: ll_temac: Add memory-barriers for TX BD access Sasha Levin
2021-06-21 17:52 ` Sasha Levin
2021-06-21 17:53 ` [PATCH AUTOSEL 5.10 35/35] net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY Sasha Levin
2021-06-21 17:53 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210621175300.735437-24-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.