LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, DaeRyong Jeong <threeearcat@gmail.com>,
	Byoungyoung Lee <byoungyoung@purdue.edu>,
	Willem de Bruijn <willemb@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.16 21/81] packet: fix bitfield update race
Date: Fri, 27 Apr 2018 15:58:23 +0200	[thread overview]
Message-ID: <20180427135744.454778445@linuxfoundation.org> (raw)
In-Reply-To: <20180427135743.216853156@linuxfoundation.org>

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <willemb@google.com>


[ Upstream commit a6361f0ca4b25460f2cdf3235ebe8115f622901e ]

Updates to the bitfields in struct packet_sock are not atomic.
Serialize these read-modify-write cycles.

Move po->running into a separate variable. Its writes are protected by
po->bind_lock (except for one startup case at packet_create). Also
replace a textual precondition warning with lockdep annotation.

All others are set only in packet_setsockopt. Serialize these
updates by holding the socket lock. Analogous to other field updates,
also hold the lock when testing whether a ring is active (pg_vec).

Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg")
Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
Reported-by: Byoungyoung Lee <byoungyoung@purdue.edu>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/packet/af_packet.c |   60 +++++++++++++++++++++++++++++++++++--------------
 net/packet/internal.h  |   10 ++++----
 2 files changed, 49 insertions(+), 21 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -329,11 +329,11 @@ static void packet_pick_tx_queue(struct
 	skb_set_queue_mapping(skb, queue_index);
 }
 
-/* register_prot_hook must be invoked with the po->bind_lock held,
+/* __register_prot_hook must be invoked through register_prot_hook
  * or from a context in which asynchronous accesses to the packet
  * socket is not possible (packet_create()).
  */
-static void register_prot_hook(struct sock *sk)
+static void __register_prot_hook(struct sock *sk)
 {
 	struct packet_sock *po = pkt_sk(sk);
 
@@ -348,8 +348,13 @@ static void register_prot_hook(struct so
 	}
 }
 
-/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock
- * held.   If the sync parameter is true, we will temporarily drop
+static void register_prot_hook(struct sock *sk)
+{
+	lockdep_assert_held_once(&pkt_sk(sk)->bind_lock);
+	__register_prot_hook(sk);
+}
+
+/* If the sync parameter is true, we will temporarily drop
  * the po->bind_lock and do a synchronize_net to make sure no
  * asynchronous packet processing paths still refer to the elements
  * of po->prot_hook.  If the sync parameter is false, it is the
@@ -359,6 +364,8 @@ static void __unregister_prot_hook(struc
 {
 	struct packet_sock *po = pkt_sk(sk);
 
+	lockdep_assert_held_once(&po->bind_lock);
+
 	po->running = 0;
 
 	if (po->fanout)
@@ -3252,7 +3259,7 @@ static int packet_create(struct net *net
 
 	if (proto) {
 		po->prot_hook.type = proto;
-		register_prot_hook(sk);
+		__register_prot_hook(sk);
 	}
 
 	mutex_lock(&net->packet.sklist_lock);
@@ -3734,12 +3741,18 @@ packet_setsockopt(struct socket *sock, i
 
 		if (optlen != sizeof(val))
 			return -EINVAL;
-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-			return -EBUSY;
 		if (copy_from_user(&val, optval, sizeof(val)))
 			return -EFAULT;
-		po->tp_loss = !!val;
-		return 0;
+
+		lock_sock(sk);
+		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+			ret = -EBUSY;
+		} else {
+			po->tp_loss = !!val;
+			ret = 0;
+		}
+		release_sock(sk);
+		return ret;
 	}
 	case PACKET_AUXDATA:
 	{
@@ -3750,7 +3763,9 @@ packet_setsockopt(struct socket *sock, i
 		if (copy_from_user(&val, optval, sizeof(val)))
 			return -EFAULT;
 
+		lock_sock(sk);
 		po->auxdata = !!val;
+		release_sock(sk);
 		return 0;
 	}
 	case PACKET_ORIGDEV:
@@ -3762,7 +3777,9 @@ packet_setsockopt(struct socket *sock, i
 		if (copy_from_user(&val, optval, sizeof(val)))
 			return -EFAULT;
 
+		lock_sock(sk);
 		po->origdev = !!val;
+		release_sock(sk);
 		return 0;
 	}
 	case PACKET_VNET_HDR:
@@ -3771,15 +3788,20 @@ packet_setsockopt(struct socket *sock, i
 
 		if (sock->type != SOCK_RAW)
 			return -EINVAL;
-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-			return -EBUSY;
 		if (optlen < sizeof(val))
 			return -EINVAL;
 		if (copy_from_user(&val, optval, sizeof(val)))
 			return -EFAULT;
 
-		po->has_vnet_hdr = !!val;
-		return 0;
+		lock_sock(sk);
+		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+			ret = -EBUSY;
+		} else {
+			po->has_vnet_hdr = !!val;
+			ret = 0;
+		}
+		release_sock(sk);
+		return ret;
 	}
 	case PACKET_TIMESTAMP:
 	{
@@ -3817,11 +3839,17 @@ packet_setsockopt(struct socket *sock, i
 
 		if (optlen != sizeof(val))
 			return -EINVAL;
-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-			return -EBUSY;
 		if (copy_from_user(&val, optval, sizeof(val)))
 			return -EFAULT;
-		po->tp_tx_has_off = !!val;
+
+		lock_sock(sk);
+		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+			ret = -EBUSY;
+		} else {
+			po->tp_tx_has_off = !!val;
+			ret = 0;
+		}
+		release_sock(sk);
 		return 0;
 	}
 	case PACKET_QDISC_BYPASS:
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -112,10 +112,12 @@ struct packet_sock {
 	int			copy_thresh;
 	spinlock_t		bind_lock;
 	struct mutex		pg_vec_lock;
-	unsigned int		running:1,	/* prot_hook is attached*/
-				auxdata:1,
+	unsigned int		running;	/* bind_lock must be held */
+	unsigned int		auxdata:1,	/* writer must hold sock lock */
 				origdev:1,
-				has_vnet_hdr:1;
+				has_vnet_hdr:1,
+				tp_loss:1,
+				tp_tx_has_off:1;
 	int			pressure;
 	int			ifindex;	/* bound device		*/
 	__be16			num;
@@ -125,8 +127,6 @@ struct packet_sock {
 	enum tpacket_versions	tp_version;
 	unsigned int		tp_hdrlen;
 	unsigned int		tp_reserve;
-	unsigned int		tp_loss:1;
-	unsigned int		tp_tx_has_off:1;
 	unsigned int		tp_tstamp;
 	struct net_device __rcu	*cached_dev;
 	int			(*xmit)(struct sk_buff *skb);

  parent reply	other threads:[~2018-04-27 14:10 UTC|newest]

Thread overview: 88+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-27 13:58 [PATCH 4.16 00/81] 4.16.6-stable review Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 01/81] Revert "pinctrl: intel: Initialize GPIO properly when used through irqchip" Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 02/81] drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson GX SoCs Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 03/81] i40e: Fix attach VF to VM issue Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 04/81] tpm: cmd_ready command can be issued only after granting locality Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 05/81] tpm: tpm-interface: fix tpm_transmit/_cmd kdoc Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 06/81] tpm: add retry logic Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 07/81] Revert "ath10k: send (re)assoc peer command when NSS changed" Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 08/81] bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 09/81] docs: ip-sysctl.txt: fix name of some ipv6 variables Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 10/81] ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 11/81] ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 12/81] KEYS: DNS: limit the length of option strings Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 13/81] l2tp: check sockaddr length in pppol2tp_connect() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 14/81] llc: delete timers synchronously in llc_sk_free() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 15/81] net: af_packet: fix race in PACKET_{R|T}X_RING Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 16/81] net: fix deadlock while clearing neighbor proxy table Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 17/81] net: mvpp2: Fix DMA address mask size Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 18/81] net: qmi_wwan: add Wistron Neweb D19Q1 Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 19/81] net/smc: fix shutdown in state SMC_LISTEN Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 20/81] net: stmmac: Disable ACS Feature for GMAC >= 4 Greg Kroah-Hartman
2018-04-27 13:58 ` Greg Kroah-Hartman [this message]
2018-04-27 13:58 ` [PATCH 4.16 22/81] pppoe: check sockaddr length in pppoe_connect() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 23/81] Revert "macsec: missing dev_put() on error in macsec_newlink()" Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 24/81] sctp: do not check port in sctp_inet6_cmp_addr Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 25/81] strparser: Do not call mod_delayed_work with a timeout of LONG_MAX Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 26/81] strparser: Fix incorrect strp->need_bytes value Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 27/81] tcp: clear tp->packets_out when purging write queue Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 28/81] tcp: dont read out-of-bounds opsize Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 29/81] tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 30/81] team: avoid adding twice the same option to the event list Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 31/81] team: fix netconsole setup over team Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 32/81] tipc: add policy for TIPC_NLA_NET_ADDR Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 33/81] vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 34/81] vmxnet3: fix incorrect dereference when rxvlan is disabled Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 35/81] amd-xgbe: Add pre/post auto-negotiation phy hooks Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 36/81] amd-xgbe: Improve KR auto-negotiation and training Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 37/81] amd-xgbe: Only use the SFP supported transceiver signals Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 38/81] net: sched: ife: signal not finding metaid Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 39/81] net: sched: ife: handle malformed tlv length Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 40/81] net: sched: ife: check on metadata length Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 41/81] l2tp: hold reference on tunnels in netlink dumps Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 42/81] l2tp: hold reference on tunnels printed in pppol2tp proc file Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 43/81] l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 44/81] l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 45/81] llc: hold llc_sap before release_sock() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 46/81] llc: fix NULL pointer deref for SOCK_ZAPPED Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 47/81] s390/qeth: fix error handling in adapter command callbacks Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 48/81] s390/qeth: avoid control IO completion stalls Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 49/81] s390/qeth: handle failure on workqueue creation Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 50/81] net: ethernet: ti: cpsw: fix tx vlan priority mapping Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 51/81] net: validate attribute sizes in neigh_dump_table() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 52/81] bnxt_en: Fix memory fault in bnxt_ethtool_init() Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 53/81] virtio-net: add missing virtqueue kick when flushing packets Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 54/81] VSOCK: make af_vsock.ko removable again Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 55/81] net: aquantia: Regression on reset with 1.x firmware Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 56/81] tun: fix vlan packet truncation Greg Kroah-Hartman
2018-04-27 13:58 ` [PATCH 4.16 57/81] net: aquantia: oops when shutdown on already stopped device Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 58/81] virtio_net: split out ctrl buffer Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 59/81] virtio_net: fix adding vids on big-endian Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 60/81] Revert "mm/hmm: fix header file if/else/endif maze" Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 61/81] commoncap: Handle memory allocation failure Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 62/81] scsi: mptsas: Disable WRITE SAME Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 63/81] cdrom: information leak in cdrom_ioctl_media_changed() Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 64/81] fsnotify: Fix fsnotify_mark_connector race Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 65/81] m68k/mac: Dont remap SWIM MMIO region Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 66/81] block/swim: Check drive type Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 67/81] block/swim: Dont log an error message for an invalid ioctl Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 68/81] block/swim: Remove extra put_disk() call from error path Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 69/81] block/swim: Rename macros to avoid inconsistent inverted logic Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 70/81] block/swim: Select appropriate drive on device open Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 71/81] block/swim: Fix array bounds check Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 72/81] block/swim: Fix IO error at end of medium Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 73/81] tracing: Fix missing tab for hwlat_detector print format Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 74/81] hwmon: (k10temp) Add temperature offset for Ryzen 2700X Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 75/81] hwmon: (k10temp) Add support for AMD Ryzen w/ Vega graphics Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 76/81] s390/cio: update chpid descriptor after resource accessibility event Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 77/81] s390/dasd: fix IO error for newly defined devices Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 78/81] s390/uprobes: implement arch_uretprobe_is_alive() Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 79/81] s390/cpum_cf: rename IBM z13/z14 counter names Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 80/81] kprobes: Fix random address output of blacklist file Greg Kroah-Hartman
2018-04-27 13:59 ` [PATCH 4.16 81/81] ACPI / video: Only default only_lcd to true on Win8-ready _desktops_ Greg Kroah-Hartman
2018-04-27 18:15 ` [PATCH 4.16 00/81] 4.16.6-stable review Shuah Khan
2018-04-27 20:41 ` Dan Rue
2018-04-28  5:50   ` Greg Kroah-Hartman
2018-04-27 20:44 ` kernelci.org bot
2018-04-28 14:32 ` Guenter Roeck
2018-04-28 15:52   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180427135744.454778445@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=byoungyoung@purdue.edu \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=threeearcat@gmail.com \
    --cc=willemb@google.com \
    --subject='Re: [PATCH 4.16 21/81] packet: fix bitfield update race' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).