diff mbox series

[net] net: annotate sk->sk_err write from do_recvmmsg()

Message ID 20230509163553.3081476-1-edumazet@google.com (mailing list archive)
State Accepted
Commit e05a5f510f26607616fecdd4ac136310c8bea56b
Delegated to: Netdev Maintainers
Headers show
Series [net] net: annotate sk->sk_err write from do_recvmmsg() | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 10 this patch: 10
netdev/cc_maintainers fail 1 blamed authors not CCed: acme@redhat.com; 1 maintainers not CCed: acme@redhat.com
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 10 this patch: 10
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Eric Dumazet May 9, 2023, 4:35 p.m. UTC 
do_recvmmsg() can write to sk->sk_err from multiple threads.

As said before, many other points reading or writing sk_err
need annotations.

Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
---
 net/socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Kuniyuki Iwashima May 9, 2023, 10:53 p.m. UTC | #1 
From: Eric Dumazet <edumazet@google.com>
Date: Tue,  9 May 2023 16:35:53 +0000
> do_recvmmsg() can write to sk->sk_err from multiple threads.
> 
> As said before, many other points reading or writing sk_err
> need annotations.
> 
> Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>

Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>


> ---
>  net/socket.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/socket.c b/net/socket.c
> index a7b4b37d86df7a9232d582a14863c05b5fd34b68..b7e01d0fe0824d1f277c1fe70f68f09a10319832 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -2911,7 +2911,7 @@ static int do_recvmmsg(int fd, struct mmsghdr __user *mmsg,
>  		 * error to return on the next call or if the
>  		 * app asks about it using getsockopt(SO_ERROR).
>  		 */
> -		sock->sk->sk_err = -err;
> +		WRITE_ONCE(sock->sk->sk_err, -err);
>  	}
>  out_put:
>  	fput_light(sock->file, fput_needed);
> -- 
> 2.40.1.521.gf1e218fcd8-goog
patchwork-bot+netdevbpf@kernel.org May 10, 2023, 9 a.m. UTC | #2 
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Tue,  9 May 2023 16:35:53 +0000 you wrote:
> do_recvmmsg() can write to sk->sk_err from multiple threads.
> 
> As said before, many other points reading or writing sk_err
> need annotations.
> 
> Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>
> 
> [...]

Here is the summary with links:
  - [net] net: annotate sk->sk_err write from do_recvmmsg()
    https://git.kernel.org/netdev/net/c/e05a5f510f26

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/socket.c b/net/socket.c
index a7b4b37d86df7a9232d582a14863c05b5fd34b68..b7e01d0fe0824d1f277c1fe70f68f09a10319832 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2911,7 +2911,7 @@  static int do_recvmmsg(int fd, struct mmsghdr __user *mmsg,
 		 * error to return on the next call or if the
 		 * app asks about it using getsockopt(SO_ERROR).
 		 */
-		sock->sk->sk_err = -err;
+		WRITE_ONCE(sock->sk->sk_err, -err);
 	}
 out_put:
 	fput_light(sock->file, fput_needed);