From: Richard Guy Briggs <rgb@redhat.com>
To: Cong Wang <xiyou.wangcong@gmail.com>,
linux-audit@redhat.com, pmoore@redhat.com
Cc: Dmitry Vyukov <dvyukov@google.com>,
David Miller <davem@davemloft.net>,
Johannes Berg <johannes.berg@intel.com>,
Florian Westphal <fw@strlen.de>,
Eric Dumazet <edumazet@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: netlink: GPF in sock_sndtimeo
Date: Fri, 9 Dec 2016 01:02:48 -0500 [thread overview]
Message-ID: <20161209060248.GT22655@madcap2.tricolour.ca> (raw)
In-Reply-To: <20161130045207.GE26673@madcap2.tricolour.ca>
On 2016-11-29 23:52, Richard Guy Briggs wrote:
> On 2016-11-29 15:13, Cong Wang wrote:
> > On Tue, Nov 29, 2016 at 8:48 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > > On 2016-11-26 17:11, Cong Wang wrote:
> > >> It is racy on audit_sock, especially on the netns exit path.
> > >
> > > I think that is the only place it is racy. The other places audit_sock
> > > is set is when the socket failure has just triggered a reset.
> > >
> > > Is there a notifier callback for failed or reaped sockets?
> >
> > Is NETLINK_URELEASE event what you are looking for?
>
> Possibly, yes. Thanks, I'll have a look.
I tried a quick compile attempt on the test case (I assume it is a
socket fuzzer) and get the following compile error:
cc -g -O0 -Wall -D_GNU_SOURCE -o socket_fuzz socket_fuzz.c
socket_fuzz.c:16:1: warning: "_GNU_SOURCE" redefined
<command-line>: warning: this is the location of the previous definition
socket_fuzz.c: In function ‘segv_handler’:
socket_fuzz.c:89: warning: implicit declaration of function ‘__atomic_load_n’
socket_fuzz.c:89: error: ‘__ATOMIC_RELAXED’ undeclared (first use in this function)
socket_fuzz.c:89: error: (Each undeclared identifier is reported only once
socket_fuzz.c:89: error: for each function it appears in.)
socket_fuzz.c: In function ‘loop’:
socket_fuzz.c:280: warning: unused variable ‘errno0’
socket_fuzz.c: In function ‘test’:
socket_fuzz.c:303: warning: implicit declaration of function ‘__atomic_fetch_add’
socket_fuzz.c:303: error: ‘__ATOMIC_SEQ_CST’ undeclared (first use in this function)
socket_fuzz.c:303: warning: implicit declaration of function ‘__atomic_fetch_sub’
I also tried to extend Cong Wang's idea to attempt to proactively respond to a
NETLINK_URELEASE on the audit_sock and reset it, but ran into a locking error
stack dump using mutex_lock(&audit_cmd_mutex) in the notifier callback.
Eliminating the lock since the sock is dead anways eliminates the error.
Is it safe? I'll resubmit if this looks remotely sane. Meanwhile I'll try to
get the test case to compile.
This is being tracked as https://github.com/linux-audit/audit-kernel/issues/30
Subject: [PATCH] audit: proactively reset audit_sock on matching NETLINK_URELEASE
diff --git a/kernel/audit.c b/kernel/audit.c
index f1ca116..91d222d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -423,6 +423,7 @@ static void kauditd_send_skb(struct sk_buff *skb)
snprintf(s, sizeof(s), "audit_pid=%d reset", audit_pid);
audit_log_lost(s);
audit_pid = 0;
+ audit_nlk_portid = 0;
audit_sock = NULL;
} else {
pr_warn("re-scheduling(#%d) write to audit_pid=%d\n",
@@ -1143,6 +1144,28 @@ static int audit_bind(struct net *net, int group)
return 0;
}
+static int audit_sock_netlink_notify(struct notifier_block *nb,
+ unsigned long event,
+ void *_notify)
+{
+ struct netlink_notify *notify = _notify;
+ struct audit_net *aunet = net_generic(notify->net, audit_net_id);
+
+ if (event == NETLINK_URELEASE && notify->protocol == NETLINK_AUDIT) {
+ if (audit_nlk_portid == notify->portid &&
+ audit_sock == aunet->nlsk) {
+ audit_pid = 0;
+ audit_nlk_portid = 0;
+ audit_sock = NULL;
+ }
+ }
+ return NOTIFY_DONE;
+}
+
+static struct notifier_block audit_netlink_notifier = {
+ .notifier_call = audit_sock_netlink_notify,
+};
+
static int __net_init audit_net_init(struct net *net)
{
struct netlink_kernel_cfg cfg = {
@@ -1167,10 +1190,14 @@ static void __net_exit audit_net_exit(struct net *net)
{
struct audit_net *aunet = net_generic(net, audit_net_id);
struct sock *sock = aunet->nlsk;
+
+ mutex_lock(&audit_cmd_mutex);
if (sock == audit_sock) {
audit_pid = 0;
+ audit_nlk_portid = 0;
audit_sock = NULL;
}
+ mutex_unlock(&audit_cmd_mutex);
RCU_INIT_POINTER(aunet->nlsk, NULL);
synchronize_net();
@@ -1202,6 +1229,7 @@ static int __init audit_init(void)
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
+ netlink_register_notifier(&audit_netlink_notifier);
audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
--
1.7.1
> - RGB
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
next prev parent reply other threads:[~2016-12-09 6:02 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CACT4Y+aG1+91U1PWMTwpE_6vbEuqG7CdLCM1H=3WVJWtz=>
[not found] ` <CAM_iQpVeLvfYV+1jX1ZKOntZim4roof4=>
2016-11-29 16:48 ` netlink: GPF in sock_sndtimeo Richard Guy Briggs
2016-11-29 23:13 ` Cong Wang
2016-11-30 4:52 ` Richard Guy Briggs
2016-12-09 6:02 ` Richard Guy Briggs [this message]
2016-12-09 6:57 ` Cong Wang
2016-12-09 11:01 ` Richard Guy Briggs
2016-12-10 4:13 ` Cong Wang
2016-12-10 7:40 ` Cong Wang
2016-12-12 10:07 ` Dmitry Vyukov
2016-12-13 7:51 ` Richard Guy Briggs
2016-12-13 8:28 ` Richard Guy Briggs
2016-12-12 10:02 ` Richard Guy Briggs
2016-12-12 10:03 ` [PATCH v2] audit: use proper refcount locking on audit_sock Richard Guy Briggs
2016-12-12 17:10 ` Paul Moore
2016-12-13 4:49 ` Richard Guy Briggs
2016-12-12 20:18 ` Paul Moore
2016-12-13 5:10 ` Richard Guy Briggs
2016-12-13 15:01 ` Richard Guy Briggs
2016-12-12 23:58 ` Cong Wang
2016-12-13 14:55 ` Richard Guy Briggs
2016-12-13 0:10 ` netlink: GPF in sock_sndtimeo Cong Wang
2016-12-13 10:52 ` Richard Guy Briggs
2016-12-14 0:17 ` Cong Wang
2016-12-14 4:17 ` Richard Guy Briggs
2016-12-13 15:03 ` [RFC PATCH v3] audit: use proper refcount locking on audit_sock Richard Guy Briggs
2016-12-13 20:50 ` Paul Moore
2016-12-14 0:19 ` Cong Wang
2016-12-14 4:00 ` Richard Guy Briggs
2016-12-14 5:36 ` Cong Wang
2016-12-09 10:49 ` netlink: GPF in sock_sndtimeo Dmitry Vyukov
2016-12-09 11:48 ` Richard Guy Briggs
2016-12-09 11:53 ` Dmitry Vyukov
2016-12-09 12:12 ` Richard Guy Briggs
2016-11-26 15:44 Dmitry Vyukov
2016-11-26 16:17 ` Eric Dumazet
2016-11-27 1:11 ` Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161209060248.GT22655@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=herbert@gondor.apana.org.au \
--cc=johannes.berg@intel.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=syzkaller@googlegroups.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).