
[net-next] inet: remove races in inet{6}_getname()

Message ID 20211026173800.2232409-1-eric.dumazet@gmail.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/cover_letter success Single patches do not need cover letters
netdev/fixes_present success Fixes tag not required for -next series
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for net-next
netdev/subject_prefix success Link
netdev/cc_maintainers warning 2 maintainers not CCed: dsahern@kernel.org yoshfuji@linux-ipv6.org
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success No Fixes tag
netdev/checkpatch warning WARNING: Possible repeated word: 'Google'
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/header_inline success No static functions without inline keyword in header files

Commit Message

Eric Dumazet Oct. 26, 2021, 5:38 p.m. UTC
From: Eric Dumazet <edumazet@google.com>

syzbot reported data-races in inet_getname() multiple times,
it is time we fix this instead of pretending applications
should not trigger them.

getsockname() and getpeername() are not really considered fast path.

syzbot typical report:
BUG: KCSAN: data-race in __inet_hash_connect / inet_getname

write to 0xffff888136d66cf8 of 2 bytes by task 14374 on cpu 1:
 __inet_hash_connect+0x7ec/0x950 net/ipv4/inet_hashtables.c:831
 inet_hash_connect+0x85/0x90 net/ipv4/inet_hashtables.c:853
 tcp_v4_connect+0x782/0xbb0 net/ipv4/tcp_ipv4.c:275
 __inet_stream_connect+0x156/0x6e0 net/ipv4/af_inet.c:664
 inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:728
 __sys_connect_file net/socket.c:1896 [inline]
 __sys_connect+0x254/0x290 net/socket.c:1913
 __do_sys_connect net/socket.c:1923 [inline]
 __se_sys_connect net/socket.c:1920 [inline]
 __x64_sys_connect+0x3d/0x50 net/socket.c:1920
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

read to 0xffff888136d66cf8 of 2 bytes by task 14408 on cpu 0:
 inet_getname+0x11f/0x170 net/ipv4/af_inet.c:790
 __sys_getsockname+0x11d/0x1b0 net/socket.c:1946
 __do_sys_getsockname net/socket.c:1961 [inline]
 __se_sys_getsockname net/socket.c:1958 [inline]
 __x64_sys_getsockname+0x3e/0x50 net/socket.c:1958
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

value changed: 0x0000 -> 0xdee0

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 14408 Comm: syz-executor.3 Not tainted 5.15.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
---
 net/ipv4/af_inet.c  | 16 +++++++++-------
 net/ipv6/af_inet6.c | 21 +++++++++++----------
 2 files changed, 20 insertions(+), 17 deletions(-)

Comments

kernel test robot Oct. 26, 2021, 8:53 p.m. UTC | #1
Hi Eric,

I love your patch! Yet something to improve:

[auto build test ERROR on net-next/master]

url:    https://github.com/0day-ci/linux/commits/Eric-Dumazet/inet-remove-races-in-inet-6-_getname/20211027-013901
base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 6b3671746a8a3aa05316b829e1357060f35009c1
config: csky-defconfig (attached as .config)
compiler: csky-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/337791bc53db80fb5982e0f66be795a2d37c3d8d
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Eric-Dumazet/inet-remove-races-in-inet-6-_getname/20211027-013901
        git checkout 337791bc53db80fb5982e0f66be795a2d37c3d8d
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross ARCH=csky 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   net/ipv6/af_inet6.c: In function 'inet6_getname':
>> net/ipv6/af_inet6.c:536:17: error: implicit declaration of function 'BPF_CGROUP_RUN_SA_PROG'; did you mean 'BPF_CGROUP_RUN_SA_PROG_LOCK'? [-Werror=implicit-function-declaration]
     536 |                 BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin,
         |                 ^~~~~~~~~~~~~~~~~~~~~~
         |                 BPF_CGROUP_RUN_SA_PROG_LOCK
>> net/ipv6/af_inet6.c:537:40: error: 'CGROUP_INET6_GETPEERNAME' undeclared (first use in this function); did you mean 'BPF_CGROUP_INET6_GETPEERNAME'?
     537 |                                        CGROUP_INET6_GETPEERNAME);
         |                                        ^~~~~~~~~~~~~~~~~~~~~~~~
         |                                        BPF_CGROUP_INET6_GETPEERNAME
   net/ipv6/af_inet6.c:537:40: note: each undeclared identifier is reported only once for each function it appears in
>> net/ipv6/af_inet6.c:545:40: error: 'CGROUP_INET6_GETSOCKNAME' undeclared (first use in this function); did you mean 'BPF_CGROUP_INET6_GETSOCKNAME'?
     545 |                                        CGROUP_INET6_GETSOCKNAME);
         |                                        ^~~~~~~~~~~~~~~~~~~~~~~~
         |                                        BPF_CGROUP_INET6_GETSOCKNAME
   cc1: some warnings being treated as errors


vim +536 net/ipv6/af_inet6.c

   509	
   510	/*
   511	 *	This does both peername and sockname.
   512	 */
   513	int inet6_getname(struct socket *sock, struct sockaddr *uaddr,
   514			  int peer)
   515	{
   516		struct sockaddr_in6 *sin = (struct sockaddr_in6 *)uaddr;
   517		struct sock *sk = sock->sk;
   518		struct inet_sock *inet = inet_sk(sk);
   519		struct ipv6_pinfo *np = inet6_sk(sk);
   520	
   521		sin->sin6_family = AF_INET6;
   522		sin->sin6_flowinfo = 0;
   523		sin->sin6_scope_id = 0;
   524		lock_sock(sk);
   525		if (peer) {
   526			if (!inet->inet_dport ||
   527			    (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_SYN_SENT)) &&
   528			    peer == 1)) {
   529				release_sock(sk);
   530				return -ENOTCONN;
   531			}
   532			sin->sin6_port = inet->inet_dport;
   533			sin->sin6_addr = sk->sk_v6_daddr;
   534			if (np->sndflow)
   535				sin->sin6_flowinfo = np->flow_label;
 > 536			BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin,
 > 537					       CGROUP_INET6_GETPEERNAME);
   538		} else {
   539			if (ipv6_addr_any(&sk->sk_v6_rcv_saddr))
   540				sin->sin6_addr = np->saddr;
   541			else
   542				sin->sin6_addr = sk->sk_v6_rcv_saddr;
   543			sin->sin6_port = inet->inet_sport;
   544			BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin,
 > 545					       CGROUP_INET6_GETSOCKNAME);
   546		}
   547		sin->sin6_scope_id = ipv6_iface_scope_id(&sin->sin6_addr,
   548							 sk->sk_bound_dev_if);
   549		release_sock(sk);
   550		return sizeof(*sin);
   551	}
   552	EXPORT_SYMBOL(inet6_getname);
   553	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Eric Dumazet Oct. 26, 2021, 9:20 p.m. UTC | #2
On 10/26/21 1:53 PM, kernel test robot wrote:
> Hi Eric,
> 
> I love your patch! Yet something to improve:
> 
> [auto build test ERROR on net-next/master]
> 
> url:    https://github.com/0day-ci/linux/commits/Eric-Dumazet/inet-remove-races-in-inet-6-_getname/20211027-013901
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 6b3671746a8a3aa05316b829e1357060f35009c1
> config: csky-defconfig (attached as .config)
> compiler: csky-linux-gcc (GCC) 11.2.0
> reproduce (this is a W=1 build):
>         wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
>         chmod +x ~/bin/make.cross
>         # https://github.com/0day-ci/linux/commit/337791bc53db80fb5982e0f66be795a2d37c3d8d
>         git remote add linux-review https://github.com/0day-ci/linux
>         git fetch --no-tags linux-review Eric-Dumazet/inet-remove-races-in-inet-6-_getname/20211027-013901
>         git checkout 337791bc53db80fb5982e0f66be795a2d37c3d8d
>         # save the attached .config to linux build tree
>         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross ARCH=csky 
> 
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> 
> All errors (new ones prefixed by >>):
> 

Apparently there is a missing declaration in the include file.

I will include this bit in V2

diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
index 2746fd8042162c68d869bcbe210cee13bf89cf34..3536ab432b30cbeac6273d0ad8affaf9f23e3789 100644
--- a/include/linux/bpf-cgroup.h
+++ b/include/linux/bpf-cgroup.h
@@ -517,6 +517,7 @@ static inline int bpf_percpu_cgroup_storage_update(struct bpf_map *map,
 
 #define cgroup_bpf_enabled(atype) (0)
 #define BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, atype, t_ctx) ({ 0; })
+#define BPF_CGROUP_RUN_SA_PROG(sk, uaddr, atype) ({ 0; })
 #define BPF_CGROUP_PRE_CONNECT_ENABLED(sk) (0)
 #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk,skb) ({ 0; })
 #define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk,skb) ({ 0; })

Patch

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 8eb428387bac25ee8fc638702d993640601e09d6..31d5cefa99799ca25969894c4bcdfc578f3b4cec 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -769,26 +769,28 @@  int inet_getname(struct socket *sock, struct sockaddr *uaddr,
 	DECLARE_SOCKADDR(struct sockaddr_in *, sin, uaddr);
 
 	sin->sin_family = AF_INET;
+	lock_sock(sk);
 	if (peer) {
 		if (!inet->inet_dport ||
 		    (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_SYN_SENT)) &&
-		     peer == 1))
+		     peer == 1)) {
+			release_sock(sk);
 			return -ENOTCONN;
+		}
 		sin->sin_port = inet->inet_dport;
 		sin->sin_addr.s_addr = inet->inet_daddr;
-		BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin,
-					    CGROUP_INET4_GETPEERNAME,
-					    NULL);
+		BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin,
+				       CGROUP_INET4_GETPEERNAME);
 	} else {
 		__be32 addr = inet->inet_rcv_saddr;
 		if (!addr)
 			addr = inet->inet_saddr;
 		sin->sin_port = inet->inet_sport;
 		sin->sin_addr.s_addr = addr;
-		BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin,
-					    CGROUP_INET4_GETSOCKNAME,
-					    NULL);
+		BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin,
+				       CGROUP_INET4_GETSOCKNAME);
 	}
+	release_sock(sk);
 	memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
 	return sizeof(*sin);
 }
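Review bot: The `lock_sock(sk)` added at the top of the `if (peer)` block makes inet_getname() a sleeping call that takes the socket lock, and nothing in the hunk documents that new precondition. Any in-kernel caller that reaches this through the `getname` op while already holding the socket lock would deadlock on itself, and a caller in atomic context would sleep; those callers are outside this hunk, so this needs an audit rather than an assumption. I would add above the lock `/* Serialize with writers such as connect() that update the port/address fields; may sleep, caller must not hold the socket lock. */`. The same applies to the `lock_sock(sk)` added in the inet6_getname() hunk. The start of the function body lies outside the hunk.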
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index b5878bb8e419d6087dcff1836479f6a808ad24d9..0c4da163535ad956be0a194478ca3ab988df872a 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -521,31 +521,32 @@  int inet6_getname(struct socket *sock, struct sockaddr *uaddr,
 	sin->sin6_family = AF_INET6;
 	sin->sin6_flowinfo = 0;
 	sin->sin6_scope_id = 0;
+	lock_sock(sk);
 	if (peer) {
-		if (!inet->inet_dport)
-			return -ENOTCONN;
-		if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_SYN_SENT)) &&
-		    peer == 1)
+		if (!inet->inet_dport ||
+		    (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_SYN_SENT)) &&
+		    peer == 1)) {
+			release_sock(sk);
 			return -ENOTCONN;
+		}
 		sin->sin6_port = inet->inet_dport;
 		sin->sin6_addr = sk->sk_v6_daddr;
 		if (np->sndflow)
 			sin->sin6_flowinfo = np->flow_label;
-		BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin,
-					    CGROUP_INET6_GETPEERNAME,
-					    NULL);
+		BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin,
+				       CGROUP_INET6_GETPEERNAME);
 	} else {
 		if (ipv6_addr_any(&sk->sk_v6_rcv_saddr))
 			sin->sin6_addr = np->saddr;
 		else
 			sin->sin6_addr = sk->sk_v6_rcv_saddr;
 		sin->sin6_port = inet->inet_sport;
-		BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin,
-					    CGROUP_INET6_GETSOCKNAME,
-					    NULL);
+		BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin,
+				       CGROUP_INET6_GETSOCKNAME);
 	}
 	sin->sin6_scope_id = ipv6_iface_scope_id(&sin->sin6_addr,
 						 sk->sk_bound_dev_if);
+	release_sock(sk);
 	return sizeof(*sin);
 }
 EXPORT_SYMBOL(inet6_getname);
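Review bot: In the merged ENOTCONN test, the continuation line `peer == 1)) {` starts in the same column as the opening `(((` on the line above. That makes it read as a third operand of `||` rather than the right-hand side of the `&&` inside the parenthesised group. The af_inet.c hunk indents the same line one column further, so the two functions that this patch makes parallel now differ only in that alignment. I would match the IPv4 form and indent it by one more space, to the column just inside the group's opening parenthesis. The behaviour is unaffected, but this condition decides whether a peer address is reported for a socket in CLOSE or SYN_SENT, so its grouping should be obvious at a glance. The declarations of `sin`, `inet` and `np` are outside the hunk.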