[net] xfrm: fix a data-race in xfrm_gen_index()

Message ID 20230908181359.1889304-1-edumazet@google.com (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 5682 this patch: 5682
netdev/cc_maintainers fail 1 blamed authors not CCed: adobriyan@gmail.com; 1 maintainers not CCed: adobriyan@gmail.com
netdev/build_clang success Errors and warnings before: 1693 this patch: 1693
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 6067 this patch: 6067
netdev/checkpatch warning WARNING: Possible repeated word: 'Google'
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Eric Dumazet Sept. 8, 2023, 6:13 p.m. UTC
xfrm_gen_index() mutual exclusion uses net->xfrm.xfrm_policy_lock.

This means we must use a per-netns idx_generator variable,
instead of a static one.
An alternative would be to use an atomic variable.

syzbot reported:

BUG: KCSAN: data-race in xfrm_sk_policy_insert / xfrm_sk_policy_insert

write to 0xffffffff87005938 of 4 bytes by task 29466 on cpu 0:
xfrm_gen_index net/xfrm/xfrm_policy.c:1385 [inline]
xfrm_sk_policy_insert+0x262/0x640 net/xfrm/xfrm_policy.c:2347
xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffffffff87005938 of 4 bytes by task 29460 on cpu 1:
xfrm_sk_policy_insert+0x13e/0x640
xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x00006ad8 -> 0x00006b18

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 29460 Comm: syz-executor.1 Not tainted 6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023

Fixes: 1121994c803f ("netns xfrm: policy insertion in netns")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
---
 include/net/netns/xfrm.h | 1 +
 net/xfrm/xfrm_policy.c   | 6 ++----
 2 files changed, 3 insertions(+), 4 deletions(-)

Comments

Herbert Xu Sept. 9, 2023, 12:54 a.m. UTC | #1
On Fri, Sep 08, 2023 at 06:13:59PM +0000, Eric Dumazet wrote:
> xfrm_gen_index() mutual exclusion uses net->xfrm.xfrm_policy_lock.
> 
> This means we must use a per-netns idx_generator variable,
> instead of a static one.
> An alternative would be to use an atomic variable.
> 
> syzbot reported:
> 
> BUG: KCSAN: data-race in xfrm_sk_policy_insert / xfrm_sk_policy_insert
> 
> write to 0xffffffff87005938 of 4 bytes by task 29466 on cpu 0:
> xfrm_gen_index net/xfrm/xfrm_policy.c:1385 [inline]
> xfrm_sk_policy_insert+0x262/0x640 net/xfrm/xfrm_policy.c:2347
> xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
> do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
> ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
> rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
> sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
> __sys_setsockopt+0x1c9/0x230 net/socket.c:2263
> __do_sys_setsockopt net/socket.c:2274 [inline]
> __se_sys_setsockopt net/socket.c:2271 [inline]
> __x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> read to 0xffffffff87005938 of 4 bytes by task 29460 on cpu 1:
> xfrm_sk_policy_insert+0x13e/0x640
> xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
> do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
> ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
> rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
> sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
> __sys_setsockopt+0x1c9/0x230 net/socket.c:2263
> __do_sys_setsockopt net/socket.c:2274 [inline]
> __se_sys_setsockopt net/socket.c:2271 [inline]
> __x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> value changed: 0x00006ad8 -> 0x00006b18
> 
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 1 PID: 29460 Comm: syz-executor.1 Not tainted 6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
> 
> Fixes: 1121994c803f ("netns xfrm: policy insertion in netns")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>
> Cc: Herbert Xu <herbert@gondor.apana.org.au>
> ---
>  include/net/netns/xfrm.h | 1 +
>  net/xfrm/xfrm_policy.c   | 6 ++----
>  2 files changed, 3 insertions(+), 4 deletions(-)

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,
Steffen Klassert Sept. 14, 2023, 7:42 a.m. UTC | #2
On Fri, Sep 08, 2023 at 06:13:59PM +0000, Eric Dumazet wrote:
> xfrm_gen_index() mutual exclusion uses net->xfrm.xfrm_policy_lock.
> 
> This means we must use a per-netns idx_generator variable,
> instead of a static one.
> An alternative would be to use an atomic variable.
> 
> syzbot reported:
> 
> BUG: KCSAN: data-race in xfrm_sk_policy_insert / xfrm_sk_policy_insert
> 
> write to 0xffffffff87005938 of 4 bytes by task 29466 on cpu 0:
> xfrm_gen_index net/xfrm/xfrm_policy.c:1385 [inline]
> xfrm_sk_policy_insert+0x262/0x640 net/xfrm/xfrm_policy.c:2347
> xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
> do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
> ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
> rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
> sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
> __sys_setsockopt+0x1c9/0x230 net/socket.c:2263
> __do_sys_setsockopt net/socket.c:2274 [inline]
> __se_sys_setsockopt net/socket.c:2271 [inline]
> __x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> read to 0xffffffff87005938 of 4 bytes by task 29460 on cpu 1:
> xfrm_sk_policy_insert+0x13e/0x640
> xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
> do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
> ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
> rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
> sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
> __sys_setsockopt+0x1c9/0x230 net/socket.c:2263
> __do_sys_setsockopt net/socket.c:2274 [inline]
> __se_sys_setsockopt net/socket.c:2271 [inline]
> __x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> value changed: 0x00006ad8 -> 0x00006b18
> 
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 1 PID: 29460 Comm: syz-executor.1 Not tainted 6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
> 
> Fixes: 1121994c803f ("netns xfrm: policy insertion in netns")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>
> Cc: Herbert Xu <herbert@gondor.apana.org.au>

Applied, thanks a lot Eric!

Patch

diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
index bd7c3be4af5d7bee4c63a57a2b0bf283b81bc4bf..423b52eca908d90009889b64764fbd4008a29529 100644
--- a/include/net/netns/xfrm.h
+++ b/include/net/netns/xfrm.h
@@ -50,6 +50,7 @@  struct netns_xfrm {
 	struct list_head	policy_all;
 	struct hlist_head	*policy_byidx;
 	unsigned int		policy_idx_hmask;
+	unsigned int		idx_generator;
 	struct hlist_head	policy_inexact[XFRM_POLICY_MAX];
 	struct xfrm_policy_hash	policy_bydst[XFRM_POLICY_MAX];
 	unsigned int		policy_count[XFRM_POLICY_MAX * 2];
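Review bot: the new idx_generator field in struct netns_xfrm carries no comment saying which lock serializes it; the commit message states that xfrm_gen_index() is protected by net->xfrm.xfrm_policy_lock, so a one-line annotation on the field such as `unsigned int idx_generator; /* protected by xfrm_policy_lock */` would record that invariant next to the data it covers. Placing it beside policy_byidx and policy_idx_hmask is sensible since it feeds that per-netns index hash; the starting value relies on the netns struct being zero-initialized at allocation, which is not visible in this hunk.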
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index d6b405782b6361c4da2e06fae50befbd699aed15..a73e4b66c98f9db98d94a146bc963fa29979c592 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1372,8 +1372,6 @@  EXPORT_SYMBOL(xfrm_policy_hash_rebuild);
  * of an absolute inpredictability of ordering of rules. This will not pass. */
 static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
 {
-	static u32 idx_generator;
-
 	for (;;) {
 		struct hlist_head *list;
 		struct xfrm_policy *p;
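Review bot: removing the function-local static changes the numbering semantics, not just the locking: each network namespace now starts its own index sequence at 0 instead of drawing from one global counter. That is safe because policy_byidx is already per-netns (see the struct in the header hunk), so any collision is confined to one namespace and resolved by the lookup loop that follows, but the commit message only mentions the race and should spell out this behavioural change as well.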
@@ -1381,8 +1379,8 @@  static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
 		int found;
 
 		if (!index) {
-			idx = (idx_generator | dir);
-			idx_generator += 8;
+			idx = (net->xfrm.idx_generator | dir);
+			net->xfrm.idx_generator += 8;
 		} else {
 			idx = index;
 			index = 0;
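Review bot: the read-modify-write at `net->xfrm.idx_generator += 8;` is correct only because, as the commit message says, every caller already holds net->xfrm.xfrm_policy_lock, yet nothing in xfrm_gen_index() checks that. Adding `lockdep_assert_held(&net->xfrm.xfrm_policy_lock);` at the top of the loop would document the requirement and let lockdep catch a future caller that enters without the lock, which is the same class of unserialized update KCSAN flagged here. The stride of 8 still leaves the low three bits for `| dir`, unchanged by this patch.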