diff mbox series

[v2,net] net: restrict SO_REUSEPORT to inet sockets

Message ID 20241231160527.3994168-1-edumazet@google.com (mailing list archive)
State Accepted
Commit 5b0af621c3f6ef9261cf6067812f2fd9943acb4b
Delegated to: Netdev Maintainers
Headers show
Series [v2,net] net: restrict SO_REUSEPORT to inet sockets | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1 this patch: 1
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 5 of 6 maintainers
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 5 this patch: 5
netdev/checkpatch warning WARNING: Possible repeated word: 'Google'
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 9 this patch: 9
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2025-01-02--18-00 (tests: 881)

Commit Message

Eric Dumazet Dec. 31, 2024, 4:05 p.m. UTC 
After blamed commit, crypto sockets could accidentally be destroyed
from RCU call back, as spotted by zyzbot [1].

Trying to acquire a mutex in RCU callback is not allowed.

Restrict SO_REUSEPORT socket option to inet sockets.

v1 of this patch supported TCP, UDP and SCTP sockets,
but fcnal-test.sh test needed RAW and ICMP support.

[1]
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1
preempt_count: 100, expected: 0
RCU nest depth: 0, expected: 0
1 lock held by ksoftirqd/1/24:
  #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
  #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline]
  #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823
Preemption disabled at:
 [<ffffffff8161c8c8>] softirq_handle_begin kernel/softirq.c:402 [inline]
 [<ffffffff8161c8c8>] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537
CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
  __might_resched+0x5d4/0x780 kernel/sched/core.c:8758
  __mutex_lock_common kernel/locking/mutex.c:562 [inline]
  __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735
  crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179
  aead_release+0x3d/0x50 crypto/algif_aead.c:489
  alg_do_release crypto/af_alg.c:118 [inline]
  alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502
  __sk_destruct+0x58/0x5f0 net/core/sock.c:2260
  rcu_do_batch kernel/rcu/tree.c:2567 [inline]
  rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
  run_ksoftirqd+0xca/0x130 kernel/softirq.c:950
  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
  kthread+0x2f0/0x390 kernel/kthread.c:389
  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Fixes: 8c7138b33e5c ("net: Unpublish sk from sk_reuseport_cb before call_rcu")
Reported-by: syzbot+b3e02953598f447d4d2a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6772f2f4.050a0220.2f3838.04cb.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Martin KaFai Lau <kafai@fb.com>
---
 net/core/sock.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Kuniyuki Iwashima Jan. 1, 2025, 9:27 a.m. UTC | #1 
From: Eric Dumazet <edumazet@google.com>
Date: Tue, 31 Dec 2024 16:05:27 +0000
> After blamed commit, crypto sockets could accidentally be destroyed
> from RCU call back, as spotted by zyzbot [1].
> 
> Trying to acquire a mutex in RCU callback is not allowed.
> 
> Restrict SO_REUSEPORT socket option to inet sockets.
> 
> v1 of this patch supported TCP, UDP and SCTP sockets,
> but fcnal-test.sh test needed RAW and ICMP support.
> 
> [1]
> BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562
> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1
> preempt_count: 100, expected: 0
> RCU nest depth: 0, expected: 0
> 1 lock held by ksoftirqd/1/24:
>   #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
>   #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline]
>   #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823
> Preemption disabled at:
>  [<ffffffff8161c8c8>] softirq_handle_begin kernel/softirq.c:402 [inline]
>  [<ffffffff8161c8c8>] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537
> CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Call Trace:
>  <TASK>
>   __dump_stack lib/dump_stack.c:94 [inline]
>   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>   __might_resched+0x5d4/0x780 kernel/sched/core.c:8758
>   __mutex_lock_common kernel/locking/mutex.c:562 [inline]
>   __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735
>   crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179
>   aead_release+0x3d/0x50 crypto/algif_aead.c:489
>   alg_do_release crypto/af_alg.c:118 [inline]
>   alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502
>   __sk_destruct+0x58/0x5f0 net/core/sock.c:2260
>   rcu_do_batch kernel/rcu/tree.c:2567 [inline]
>   rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
>   handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
>   run_ksoftirqd+0xca/0x130 kernel/softirq.c:950
>   smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
>   kthread+0x2f0/0x390 kernel/kthread.c:389
>   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>  </TASK>
> 
> Fixes: 8c7138b33e5c ("net: Unpublish sk from sk_reuseport_cb before call_rcu")
> Reported-by: syzbot+b3e02953598f447d4d2a@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/6772f2f4.050a0220.2f3838.04cb.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>


> Cc: Martin KaFai Lau <kafai@fb.com>
> ---
>  net/core/sock.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 74729d20cd0099e748f4c4fe0be42a2d2d47e77a..be84885f9290a6ada1e0a3f987273a017a524ece 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -1295,7 +1295,10 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
>  		sk->sk_reuse = (valbool ? SK_CAN_REUSE : SK_NO_REUSE);
>  		break;
>  	case SO_REUSEPORT:
> -		sk->sk_reuseport = valbool;
> +		if (valbool && !sk_is_inet(sk))
> +			ret = -EOPNOTSUPP;
> +		else
> +			sk->sk_reuseport = valbool;
>  		break;
>  	case SO_DONTROUTE:
>  		sock_valbool_flag(sk, SOCK_LOCALROUTE, valbool);
> -- 
> 2.47.1.613.gc27f4b7a9f-goog
patchwork-bot+netdevbpf@kernel.org Jan. 3, 2025, 2:20 a.m. UTC | #2 
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 31 Dec 2024 16:05:27 +0000 you wrote:
> After blamed commit, crypto sockets could accidentally be destroyed
> from RCU call back, as spotted by zyzbot [1].
> 
> Trying to acquire a mutex in RCU callback is not allowed.
> 
> Restrict SO_REUSEPORT socket option to inet sockets.
> 
> [...]

Here is the summary with links:
  - [v2,net] net: restrict SO_REUSEPORT to inet sockets
    https://git.kernel.org/netdev/net/c/5b0af621c3f6

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/core/sock.c b/net/core/sock.c
index 74729d20cd0099e748f4c4fe0be42a2d2d47e77a..be84885f9290a6ada1e0a3f987273a017a524ece 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1295,7 +1295,10 @@  int sk_setsockopt(struct sock *sk, int level, int optname,
 		sk->sk_reuse = (valbool ? SK_CAN_REUSE : SK_NO_REUSE);
 		break;
 	case SO_REUSEPORT:
-		sk->sk_reuseport = valbool;
+		if (valbool && !sk_is_inet(sk))
+			ret = -EOPNOTSUPP;
+		else
+			sk->sk_reuseport = valbool;
 		break;
 	case SO_DONTROUTE:
 		sock_valbool_flag(sk, SOCK_LOCALROUTE, valbool);