From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
	"Eric Dumazet" <edumazet@google.com>,
	"syzbot" <syzkaller@googlegroups.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.16 40/83] net/packet: fix race in tpacket_snd()
Date: Wed, 20 Nov 2019 15:37:50 +0000	[thread overview]
Message-ID: <lsq.1574264230.887661069@decadent.org.uk> (raw)
In-Reply-To: <lsq.1574264230.280218497@decadent.org.uk>

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f upstream.

packet_sendmsg() checks tx_ring.pg_vec to decide
if it must call tpacket_snd().

The problem is that the check is lockless, meaning another thread
can issue a concurrent setsockopt(PACKET_TX_RING) to flip
tx_ring.pg_vec back to NULL.

Given that tpacket_snd() grabs pg_vec_lock mutex, we can
perform the check again to solve the race.

syzbot reported:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
Call Trace:
 packet_current_frame net/packet/af_packet.c:487 [inline]
 tpacket_snd net/packet/af_packet.c:2667 [inline]
 packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:657
 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg net/socket.c:2439 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2286,6 +2286,13 @@ static int tpacket_snd(struct packet_soc
 
 	mutex_lock(&po->pg_vec_lock);
 
+	/* packet_sendmsg() check on tx_ring.pg_vec was lockless,
+	 * we need to confirm it under protection of pg_vec_lock.
+	 */
+	if (unlikely(!po->tx_ring.pg_vec)) {
+		err = -EBUSY;
+		goto out;
+	}
 	if (likely(saddr == NULL)) {
 		dev	= packet_cached_dev_get(po);
 		proto	= po->num;
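Review bot: the new `goto out` is taken with pg_vec_lock already held, and the `out:` label lies outside the hunk; please confirm that in the 3.16 tree `out:` is the label that performs `mutex_unlock(&po->pg_vec_lock)` rather than an earlier label used before the lock is taken, otherwise the -EBUSY path would leak the mutex. The comment could also state the other half of the argument: the re-check is only sufficient because the setsockopt(PACKET_TX_RING) path holds pg_vec_lock while flipping tx_ring.pg_vec to NULL, which the commit message implies ("Given that tpacket_snd() grabs pg_vec_lock mutex") but the in-code comment leaves unsaid.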

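As an added, constructed user-space model (not kernel code and not part of this patch) of the interleaving the commit message describes: packet_sendmsg() checks tx_ring.pg_vec without the lock, a concurrent setsockopt(PACKET_TX_RING) teardown clears it in the window, and tpacket_snd() then either touches the NULL ring (before the fix) or, with the patch's re-check under pg_vec_lock, returns -EBUSY. The struct, function and sentinel names are the example's own, and it assumes what the fix relies on: the teardown side takes the same mutex before clearing the ring.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the race. pg_vec stands for po->tx_ring.pg_vec,
 * lock_held for po->pg_vec_lock, the mutex both sides of the race take. */
struct ring_sock {
	void *pg_vec;      /* NULL once the TX ring has been torn down */
	int   lock_held;   /* 1 while the modelled mutex is held */
};

/* Sentinel: the pre-fix path would touch pg_vec while it is NULL (the GPF
 * in packet_lookup_frame() from the syzbot report). */
#define WOULD_DEREF_NULL (-1000)

/* Models tpacket_snd(). recheck == false is the code before the fix;
 * recheck == true adds the patch's check under pg_vec_lock. */
static int tpacket_snd_model(struct ring_sock *po, bool recheck)
{
	int err = 0;
	po->lock_held = 1;                    /* mutex_lock(&po->pg_vec_lock) */
	if (recheck && !po->pg_vec) {         /* the check the patch adds */
		err = -EBUSY;
		goto out;
	}
	if (!po->pg_vec)                      /* packet_current_frame() on a NULL ring */
		err = WOULD_DEREF_NULL;
out:
	po->lock_held = 0;                    /* mutex_unlock() at the out: label */
	return err;
}

/* Models packet_sendmsg(): lockless pg_vec check, then the window in which
 * another thread can run setsockopt(PACKET_TX_RING), then tpacket_snd(). */
static int packet_sendmsg_model(struct ring_sock *po, bool teardown, bool recheck)
{
	if (!po->pg_vec)                      /* lockless check in packet_sendmsg() */
		return 0;                     /* non-ring send path, not modelled */
	if (teardown)                         /* other thread flips pg_vec to NULL; */
		po->pg_vec = NULL;            /* it holds pg_vec_lock while doing so */
	return tpacket_snd_model(po, recheck);
}

/* Runs one interleaving on a socket that starts with a mapped ring.
 * Returns -1 if the modelled mutex was left held (a leaked lock). */
static int run_scenario(bool teardown, bool recheck)
{
	static char ring[64];                 /* stands in for the mmap'd frames */
	struct ring_sock po = { ring, 0 };
	int err = packet_sendmsg_model(&po, teardown, recheck);
	return po.lock_held ? -1 : err;
}
```

Comparing run_scenario(true, false) with run_scenario(true, true) shows the same interleaving turning from a NULL dereference into a clean -EBUSY, with the mutex released on both paths.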