From patchwork Fri Jan 20 12:59:53 2023
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 13109768
X-Patchwork-Delegate: kuba@kernel.org
Date: Fri, 20 Jan 2023 12:59:53 +0000
In-Reply-To: <20230120125955.3453768-1-edumazet@google.com>
References: <20230120125955.3453768-1-edumazet@google.com>
Message-ID: <20230120125955.3453768-2-edumazet@google.com>
Subject: [PATCH net 1/3] netlink: annotate data races around nlk->portid
From: Eric Dumazet
To: "David S . Miller", Jakub Kicinski, Paolo Abeni
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com, Eric Dumazet, syzbot
X-Mailing-List: netdev@vger.kernel.org

syzbot reminds us netlink_getname() runs locklessly [1]

This first patch annotates the race against nlk->portid.

Following patches take care of the remaining races.

[1]
BUG: KCSAN: data-race in netlink_getname / netlink_insert

write to 0xffff88814176d310 of 4 bytes by task 2315 on cpu 1:
 netlink_insert+0xf1/0x9a0 net/netlink/af_netlink.c:583
 netlink_autobind+0xae/0x180 net/netlink/af_netlink.c:856
 netlink_sendmsg+0x444/0x760 net/netlink/af_netlink.c:1895
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0x38f/0x500 net/socket.c:2476
 ___sys_sendmsg net/socket.c:2530 [inline]
 __sys_sendmsg+0x19a/0x230 net/socket.c:2559
 __do_sys_sendmsg net/socket.c:2568 [inline]
 __se_sys_sendmsg net/socket.c:2566 [inline]
 __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff88814176d310 of 4 bytes by task 2316 on cpu 0:
 netlink_getname+0xcd/0x1a0 net/netlink/af_netlink.c:1144
 __sys_getsockname+0x11d/0x1b0 net/socket.c:2026
 __do_sys_getsockname net/socket.c:2041 [inline]
 __se_sys_getsockname net/socket.c:2038 [inline]
 __x64_sys_getsockname+0x3e/0x50 net/socket.c:2038
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x00000000 -> 0xc9a49780

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 2316 Comm: syz-executor.2 Not tainted 6.2.0-rc3-syzkaller-00030-ge8f60cd7db24-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
---
 net/netlink/af_netlink.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index bca2a470ccad5fac1caa1eb810d16e95103c93dc..4aea89f7d700a587c4e9017cdff76cd3fe93ed7a 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -580,7 +580,9 @@ static int netlink_insert(struct sock *sk, u32 portid) if (nlk_sk(sk)->bound) goto err; - nlk_sk(sk)->portid = portid; + /* portid can be read locklessly from netlink_getname(). */ + WRITE_ONCE(nlk_sk(sk)->portid, portid); + sock_hold(sk); err = __netlink_insert(table, sk);
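Review bot: the comment added above WRITE_ONCE() names netlink_getname() as the only lockless reader of portid, but netlink_sendmsg() already carries a "Paired with WRITE_ONCE() in netlink_insert()" comment (visible as unchanged context at the end of the last hunk of 2/3), so a reader-neutral wording like the "/* ... can be read locklessly */" form used in 2/3 would not go stale as readers are added. The extra "+" blank line inserted before sock_hold(sk) is an unrelated whitespace change and should be dropped from a fix that carries a Fixes tag.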
@@ -1141,7 +1143,8 @@ static int netlink_getname(struct socket *sock, struct sockaddr *addr, nladdr->nl_pid = nlk->dst_portid; nladdr->nl_groups = netlink_group_mask(nlk->dst_group); } else { - nladdr->nl_pid = nlk->portid; + /* Paired with WRITE_ONCE() in netlink_insert() */ + nladdr->nl_pid = READ_ONCE(nlk->portid); netlink_lock_table(); nladdr->nl_groups = nlk->groups ? nlk->groups[0] : 0; netlink_unlock_table();
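Review bot: the peer branch just above the changed line still reads nlk->dst_portid and nlk->dst_group plainly (the unchanged context lines show it), so after this patch netlink_getname() is only half annotated; the changelog does say following patches cover the remaining races, but naming the peer branch of this same function there, or folding the netlink_getname() part of 2/3 into this patch, would make each patch self-contained for anyone backporting by Fixes tag.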
From patchwork Fri Jan 20 12:59:54 2023
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 13109769
X-Patchwork-Delegate: kuba@kernel.org
Date: Fri, 20 Jan 2023 12:59:54 +0000
In-Reply-To: <20230120125955.3453768-1-edumazet@google.com>
References: <20230120125955.3453768-1-edumazet@google.com>
Message-ID: <20230120125955.3453768-3-edumazet@google.com>
Subject: [PATCH net 2/3] netlink: annotate data races around dst_portid and dst_group
From: Eric Dumazet
To: "David S . Miller", Jakub Kicinski, Paolo Abeni
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com, Eric Dumazet
X-Mailing-List: netdev@vger.kernel.org

netlink_getname(), netlink_sendmsg() and netlink_getsockbyportid() can read
nlk->dst_portid and nlk->dst_group while another thread is changing them.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet
---
 net/netlink/af_netlink.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 4aea89f7d700a587c4e9017cdff76cd3fe93ed7a..b5b8c6a5fc34205c849ab2ca105cc44ffb407623 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1099,8 +1099,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, if (addr->sa_family == AF_UNSPEC) { sk->sk_state = NETLINK_UNCONNECTED; - nlk->dst_portid = 0; - nlk->dst_group = 0; + /* dst_portid and dst_group can be read locklessly */ + WRITE_ONCE(nlk->dst_portid, 0); + WRITE_ONCE(nlk->dst_group, 0); return 0; } if (addr->sa_family != AF_NETLINK) @@ -1122,8 +1123,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, if (err == 0) { sk->sk_state = NETLINK_CONNECTED; - nlk->dst_portid = nladdr->nl_pid; - nlk->dst_group = ffs(nladdr->nl_groups); + /* dst_portid and dst_group can be read locklessly */ + WRITE_ONCE(nlk->dst_portid, nladdr->nl_pid); + WRITE_ONCE(nlk->dst_group, ffs(nladdr->nl_groups)); } return err;
@@ -1140,8 +1142,9 @@ static int netlink_getname(struct socket *sock, struct sockaddr *addr, nladdr->nl_pad = 0; if (peer) { - nladdr->nl_pid = nlk->dst_portid; - nladdr->nl_groups = netlink_group_mask(nlk->dst_group); + /* Paired with WRITE_ONCE() in netlink_connect() */ + nladdr->nl_pid = READ_ONCE(nlk->dst_portid); + nladdr->nl_groups = netlink_group_mask(READ_ONCE(nlk->dst_group)); } else { /* Paired with WRITE_ONCE() in netlink_insert() */ nladdr->nl_pid = READ_ONCE(nlk->portid); @@ -1171,8 +1174,9 @@ static struct sock *netlink_getsockbyportid(struct sock *ssk, u32 portid) /* Don't bother queuing skb if kernel socket has no input function */ nlk = nlk_sk(sock); + /* dst_portid can be changed in netlink_connect() */ if (sock->sk_state == NETLINK_CONNECTED && - nlk->dst_portid != nlk_sk(ssk)->portid) { + READ_ONCE(nlk->dst_portid) != nlk_sk(ssk)->portid) { sock_put(sock); return ERR_PTR(-ECONNREFUSED); } 
@@ -1889,8 +1893,9 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) goto out; netlink_skb_flags |= NETLINK_SKB_DST; } else { - dst_portid = nlk->dst_portid; - dst_group = nlk->dst_group; + /* Paired with WRITE_ONCE() in netlink_connect() */ + dst_portid = READ_ONCE(nlk->dst_portid); + dst_group = READ_ONCE(nlk->dst_group); } /* Paired with WRITE_ONCE() in netlink_insert() */
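Review bot: in the first netlink_connect() hunk the plain store sk->sk_state = NETLINK_UNCONNECTED two lines above the annotated writes is the same class of race this patch is fixing: the netlink_getsockbyportid() hunk compares sock->sk_state without any lock, and 3/3 has to come back to exactly these lines; with all three patches sharing one Fixes tag, either annotate sk_state here so netlink_connect() is touched once, or say in the changelog that sk_state is intentionally left to 3/3.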
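Review bot: in the netlink_getsockbyportid() hunk the right-hand side of the new comparison, nlk_sk(ssk)->portid, is still a plain read, while 1/3 made netlink_insert() store portid with WRITE_ONCE() because it is read without the table lock; if ssk is always bound by the time the sender reaches this check (the KCSAN trace in 1/3 shows netlink_sendmsg() calling netlink_autobind() first), a one-line comment saying so would explain why no READ_ONCE() is needed there, otherwise it should get one for symmetry.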
From patchwork Fri Jan 20 12:59:55 2023
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 13109770
X-Patchwork-Delegate: kuba@kernel.org
Date: Fri, 20 Jan 2023 12:59:55 +0000
In-Reply-To: <20230120125955.3453768-1-edumazet@google.com>
References: <20230120125955.3453768-1-edumazet@google.com>
Message-ID: <20230120125955.3453768-4-edumazet@google.com>
Subject: [PATCH net 3/3] netlink: annotate data races around sk_state
From: Eric Dumazet
To: "David S . Miller", Jakub Kicinski, Paolo Abeni
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com, Eric Dumazet
X-Mailing-List: netdev@vger.kernel.org

netlink_getsockbyportid() reads sk_state while a concurrent
netlink_connect() can change its value.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet
---
 net/netlink/af_netlink.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index b5b8c6a5fc34205c849ab2ca105cc44ffb407623..c6427765975318b4c7fe3d5291dc4d69988f5249 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1098,7 +1098,8 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, return -EINVAL; if (addr->sa_family == AF_UNSPEC) { - sk->sk_state = NETLINK_UNCONNECTED; + /* paired with READ_ONCE() in netlink_getsockbyportid() */ + WRITE_ONCE(sk->sk_state, NETLINK_UNCONNECTED); /* dst_portid and dst_group can be read locklessly */ WRITE_ONCE(nlk->dst_portid, 0); WRITE_ONCE(nlk->dst_group, 0); @@ -1122,7 +1123,8 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr, err = netlink_autobind(sock); if (err == 0) { - sk->sk_state = NETLINK_CONNECTED; + /* paired with READ_ONCE() in netlink_getsockbyportid() */ + WRITE_ONCE(sk->sk_state, NETLINK_CONNECTED); /* dst_portid and dst_group can be read locklessly */ WRITE_ONCE(nlk->dst_portid, nladdr->nl_pid); WRITE_ONCE(nlk->dst_group, ffs(nladdr->nl_groups));
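Review bot: both new comments in netlink_connect() read "paired with READ_ONCE() in netlink_getsockbyportid()" with a lowercase p, whereas every other annotation in this series and the unchanged "Paired with WRITE_ONCE() ..." context lines capitalise it; matching the existing form keeps a grep for "Paired with" complete.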
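Review bot: in the second hunk the connection state is published before its destination: WRITE_ONCE(sk->sk_state, NETLINK_CONNECTED) is stored before WRITE_ONCE(nlk->dst_portid, nladdr->nl_pid), and WRITE_ONCE() adds no ordering, so the netlink_getsockbyportid() check in the third hunk can observe NETLINK_CONNECTED together with the previous dst_portid (0 on a never-connected socket) and return a spurious -ECONNREFUSED for the very peer being connected to. Storing dst_portid and dst_group first and sk_state last would narrow that window on the connect side; otherwise the changelog should say explicitly that the check is best-effort and that this series only documents the pre-existing race for KCSAN rather than removing it.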
@@ -1174,8 +1176,8 @@ static struct sock *netlink_getsockbyportid(struct sock *ssk, u32 portid) /* Don't bother queuing skb if kernel socket has no input function */ nlk = nlk_sk(sock); - /* dst_portid can be changed in netlink_connect() */ - if (sock->sk_state == NETLINK_CONNECTED && + /* dst_portid and sk_state can be changed in netlink_connect() */ + if (READ_ONCE(sock->sk_state) == NETLINK_CONNECTED && READ_ONCE(nlk->dst_portid) != nlk_sk(ssk)->portid) { sock_put(sock); return ERR_PTR(-ECONNREFUSED);