From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 36/52] netlink: annotate data races around nlk->bound
Date: Mon, 11 Oct 2021 15:46:05 +0200
Message-ID: <20211011134504.970228383@linuxfoundation.org>
In-Reply-To: <20211011134503.715740503@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7707a4d01a648e4c655101a469c956cb11273655 ]
While existing code is correct, KCSAN is reporting
a data-race in netlink_insert / netlink_sendmsg [1].
It is correct to read nlk->bound without a lock, as netlink_autobind()
will acquire all needed locks.
[1]
BUG: KCSAN: data-race in netlink_insert / netlink_sendmsg
write to 0xffff8881031c8b30 of 1 bytes by task 18752 on cpu 0:
netlink_insert+0x5cc/0x7f0 net/netlink/af_netlink.c:597
netlink_autobind+0xa9/0x150 net/netlink/af_netlink.c:842
netlink_sendmsg+0x479/0x7c0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:703 [inline]
sock_sendmsg net/socket.c:723 [inline]
____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
___sys_sendmsg net/socket.c:2446 [inline]
__sys_sendmsg+0x1ed/0x270 net/socket.c:2475
__do_sys_sendmsg net/socket.c:2484 [inline]
__se_sys_sendmsg net/socket.c:2482 [inline]
__x64_sys_sendmsg+0x42/0x50 net/socket.c:2482
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff8881031c8b30 of 1 bytes by task 18751 on cpu 1:
netlink_sendmsg+0x270/0x7c0 net/netlink/af_netlink.c:1891
sock_sendmsg_nosec net/socket.c:703 [inline]
sock_sendmsg net/socket.c:723 [inline]
__sys_sendto+0x2a8/0x370 net/socket.c:2019
__do_sys_sendto net/socket.c:2031 [inline]
__se_sys_sendto net/socket.c:2027 [inline]
__x64_sys_sendto+0x74/0x90 net/socket.c:2027
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0x00 -> 0x01
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 18751 Comm: syz-executor.0 Not tainted 5.14.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes: da314c9923fe ("netlink: Replace rhash_portid with bound")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netlink/af_netlink.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index acc76a738cfd..cb35680db9b2 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -585,7 +585,10 @@ static int netlink_insert(struct sock *sk, u32 portid)
/* We need to ensure that the socket is hashed and visible. */
smp_wmb();
- nlk_sk(sk)->bound = portid;
+ /* Paired with lockless reads from netlink_bind(),
+ * netlink_connect() and netlink_sendmsg().
+ */
+ WRITE_ONCE(nlk_sk(sk)->bound, portid);
err:
release_sock(sk);
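Review bot: the new WRITE_ONCE() must keep its position after the smp_wmb() on the preceding line, because netlink_bind() (later hunk) relies on smp_rmb() after observing bound to read an up-to-date nlk->portid; the added comment names the three lockless readers but does not say that the barrier, not WRITE_ONCE(), provides that ordering, so a later refactor could move the store above the barrier without noticing. Suggest extending the comment with a line such as "* The smp_wmb() above orders the hash insert and portid before this store."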
@@ -1003,7 +1006,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
if (nlk->ngroups < BITS_PER_LONG)
groups &= (1UL << nlk->ngroups) - 1;
- bound = nlk->bound;
+ /* Paired with WRITE_ONCE() in netlink_insert() */
+ bound = READ_ONCE(nlk->bound);
if (bound) {
/* Ensure nlk->portid is up-to-date. */
smp_rmb();
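Review bot: READ_ONCE() here only annotates the access for KCSAN and prevents load tearing; the ordering of the following nlk->portid read still depends on the existing smp_rmb() under "if (bound)", so the comment "Paired with WRITE_ONCE() in netlink_insert()" on its own could suggest that READ_ONCE() supplies the ordering. Suggest "Paired with WRITE_ONCE() in netlink_insert(); smp_rmb() below orders the portid read."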
@@ -1089,8 +1093,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
/* No need for barriers here as we return to user-space without
* using any of the bound attributes.
+ * Paired with WRITE_ONCE() in netlink_insert().
*/
- if (!nlk->bound)
+ if (!READ_ONCE(nlk->bound))
err = netlink_autobind(sock);
if (err == 0) {
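Review bot: the merged comment now reads both "No need for barriers here" and "Paired with WRITE_ONCE() in netlink_insert()", which looks contradictory at a glance; the pairing is only the KCSAN annotation of a lockless read, as the commit message says. Suggest separating the two statements, e.g. "* Lockless read, paired with WRITE_ONCE() in netlink_insert(); no ordering needed here."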
@@ -1879,7 +1884,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
dst_group = nlk->dst_group;
}
- if (!nlk->bound) {
+ /* Paired with WRITE_ONCE() in netlink_insert() */
+ if (!READ_ONCE(nlk->bound)) {
err = netlink_autobind(sock);
if (err)
goto out;
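Review bot: this is the read named in the KCSAN report in the commit message (netlink_sendmsg at af_netlink.c:1891 racing with the write in netlink_insert), and the change matches the netlink_bind() and netlink_connect() hunks. When READ_ONCE() observes a stale 0, netlink_autobind() is entered for a socket that is already bound, so the commit message's correctness claim ("netlink_autobind() will acquire all needed locks") rests on netlink_autobind() taking the socket lock and re-checking bound before inserting; that re-check is outside this diff and is worth confirming in the 5.4 tree before merging the backport.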
--
2.33.0