From patchwork Thu Aug 22 09:13:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= X-Patchwork-Id: 1151391 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Original-To: incoming-bpf@patchwork.ozlabs.org Delivered-To: patchwork-incoming-bpf@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=bpf-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="Rps69GMh"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 46Df3J4Tpzz9s7T for ; Thu, 22 Aug 2019 19:13:48 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733038AbfHVJNs (ORCPT ); Thu, 22 Aug 2019 05:13:48 -0400 Received: from mail-pl1-f193.google.com ([209.85.214.193]:33623 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733031AbfHVJNs (ORCPT ); Thu, 22 Aug 2019 05:13:48 -0400 Received: by mail-pl1-f193.google.com with SMTP id go14so3098748plb.0; Thu, 22 Aug 2019 02:13:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=mzlRM96REuEosfmv5S1FfhcU+k21Y3nuygBDyIBSw50=; b=Rps69GMhSWVcDbR9c0fC/T58yszbwmfHp6VP9wSWe8S+/IFknD4+xjJlyRF5wfwVeK yso60e8F9ElHDHGziAEsNP3m0C14l0LH2UtM0C2sZDhcO0ZYi4Ig5VzCRFGtJkEcW6T7 wIQWGX9cqw9X6O0Ds+n1AeiqvLZSmVXUmjWS6YbPCf/580SelT9z1iRUWi1YoXYee9jr OEmaj8oIKHhS7dltoOe00V1qKaRRr0l+kSO+LzUQU7SU4dKOe9o5W2r/qM0Wc0bxWH5q rTrqhOKx4BD1H1R5mAl8OwQf0fyUaQA+SQL45tWWHij/jpno0NTCWhfYcJ7YJ1vzwyXh 79iA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=mzlRM96REuEosfmv5S1FfhcU+k21Y3nuygBDyIBSw50=; b=Pob/bdQ4dpwzz/cUoj3X/A9IDTle+yS+coQC/5Ob/OvVlN+BeNOqzAWwbbJ/vCMvrK 1R1YGQPJ+5dDpIlW4m9XY3Bp3yycp+Ak0Q5B9Pz9+Lzr9HWEW1gk8M9Slw+SIOqqNlNe Y+qWzp5/ZumKHUrZSaCC3tPrEbW6Xh77V9qwlsXSadBlRfwSWaBLYxfYJQCwbgltZzE5 J75E9jw4kKijhptf2FfRtzXCNqG1GBpHb7xabOfKA8oG59eo1TOnr4ZySAVcj+WDC2e+ 28BRRP38It2O1iVjgF/0Wpms9ObpANbUYHX4hN9L801TuidJeQUE+FNYbwaKvMIH00+Q blQg== X-Gm-Message-State: APjAAAWMfeesYrQM7hyIfxb0x2M9S3oyZcAGtGC93Ef+2upUnRkAzRXr lej3YecnVAswUeEhkvS+SUQ= X-Google-Smtp-Source: APXvYqyAyhGuZwD/a7dtPd3MK5m7Ju3Xe87NjOMlx1X+VZ6YbeyaLtyvdRRWO+llLMWXFwms8uDMDQ== X-Received: by 2002:a17:902:8f95:: with SMTP id z21mr38616146plo.42.1566465227259; Thu, 22 Aug 2019 02:13:47 -0700 (PDT) Received: from btopel-mobl.ger.intel.com ([192.55.54.43]) by smtp.gmail.com with ESMTPSA id w207sm28414754pff.93.2019.08.22.02.13.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Aug 2019 02:13:46 -0700 (PDT) From: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= To: ast@kernel.org, daniel@iogearbox.net, netdev@vger.kernel.org Cc: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= , magnus.karlsson@intel.com, magnus.karlsson@gmail.com, bpf@vger.kernel.org, jonathan.lemon@gmail.com, syzbot+c82697e3043781e08802@syzkaller.appspotmail.com, hdanton@sina.com, i.maximets@samsung.com Subject: [PATCH bpf-next 1/4] xsk: avoid store-tearing when assigning queues Date: Thu, 22 Aug 2019 11:13:03 +0200 Message-Id: <20190822091306.20581-2-bjorn.topel@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190822091306.20581-1-bjorn.topel@gmail.com> References: <20190822091306.20581-1-bjorn.topel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Björn Töpel Use WRITE_ONCE when doing the store of tx, rx, fq, and cq, to avoid potential store-tearing. These members are read outside of the control mutex in the mmap implementation. Fixes: 37b076933a8e ("xsk: add missing write- and data-dependency barrier") Signed-off-by: Björn Töpel Acked-by: Jonathan Lemon --- net/xdp/xsk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index ee4428a892fa..f3351013c2a5 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -409,7 +409,7 @@ static int xsk_init_queue(u32 entries, struct xsk_queue **queue, /* Make sure queue is ready before it can be seen by others */ smp_wmb(); - *queue = q; + WRITE_ONCE(*queue, q); return 0; } From patchwork Thu Aug 22 09:13:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= X-Patchwork-Id: 1151393 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Original-To: incoming-bpf@patchwork.ozlabs.org Delivered-To: patchwork-incoming-bpf@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=bpf-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="jZ72maZk"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 46Df3Q13LMz9s7T for ; Thu, 22 Aug 2019 19:13:54 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733044AbfHVJNx (ORCPT ); Thu, 22 Aug 2019 05:13:53 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:44177 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733031AbfHVJNx (ORCPT ); Thu, 22 Aug 2019 05:13:53 -0400 Received: by mail-pf1-f196.google.com with SMTP id c81so3514103pfc.11; Thu, 22 Aug 2019 02:13:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=53kzOzk9uol8OLrgJrHS3uVmvMJpgzP74FNMi6gK/mk=; b=jZ72maZkiKbEi0HIFWIRpNYXtmWLrhzm9paPa4zWmdhrgIh0b6Yy7I63McSw7kU8v0 HXlZAEwCl4JMXaRjI+oFHaqJ0UFGeFYGltcoA1NDwl7uW2AHjf9m7/hthofX/rt8MeJz dlrUDXWJz2A2zqMsHPVVlFS+uB8OMy85Kl2pTOgHqW6/u0VdD12Vaw0fTEqQdSTekI8C twC6ee8o//t86OQV2ZW96jLxY4q34HFOEQjiZZF0r8L+Nw4aV6pl7SPW6qVqAxPj4qq1 gkfKOQ10ZqnxTB5qMie62MISwVpC1MXS/WZ9D7AFfvOHcZtfjNgEvb23YBPiUeryfYU1 E/zA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=53kzOzk9uol8OLrgJrHS3uVmvMJpgzP74FNMi6gK/mk=; b=L/1N7an1WiZssQw0UFnDt8N1E3H6Q3UeQGh641Vv/SmzENo2ILZy/RBRHTKfAunyLz Cg3dEdALoAymNWn1CyRzA6WStAnvEIuz7/y1xSxg8XEmt7l7/tOpcPMnCgpLXeviABFf IuOfNjGtzTYjcLfFmzKiDxCOuwqC1rV+x0k17NS7FYp7XUUCOH9lghcQXMBu4xdKySo5 ow21KVhi/jV/Q7/eAsaR7HixnGIoyPHeGUtXZTqZz7QVZCefgd8/4wze5+wiN7jJfY3k uK7tWLPzyz59ZqC6TMl+9KXhuJGWSN/01bFatxBSNXABn71+jv+293RNUFvJR4lYz8un B1xw== X-Gm-Message-State: APjAAAUqsfUCrSgUrHt216wNU3eb7cmePUhWKICz5IZbwirBhMq4WYFM HUP3MuFObv8plFKyoNDH+uI= X-Google-Smtp-Source: APXvYqzcE238JwBE/c3B4RyLI5BXrxnF4Jvl96NuTQwF/WEMMg/WMasa7Wk4j8UURI1MFG36nKwitg== X-Received: by 2002:a63:e70f:: with SMTP id b15mr32873869pgi.152.1566465232382; Thu, 22 Aug 2019 02:13:52 -0700 (PDT) Received: from btopel-mobl.ger.intel.com ([192.55.54.43]) by smtp.gmail.com with ESMTPSA id w207sm28414754pff.93.2019.08.22.02.13.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Aug 2019 02:13:51 -0700 (PDT) From: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= To: ast@kernel.org, daniel@iogearbox.net, netdev@vger.kernel.org Cc: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= , magnus.karlsson@intel.com, magnus.karlsson@gmail.com, bpf@vger.kernel.org, jonathan.lemon@gmail.com, syzbot+c82697e3043781e08802@syzkaller.appspotmail.com, hdanton@sina.com, i.maximets@samsung.com Subject: [PATCH bpf-next 2/4] xsk: add proper barriers and {READ, WRITE}_ONCE-correctness for state Date: Thu, 22 Aug 2019 11:13:04 +0200 Message-Id: <20190822091306.20581-3-bjorn.topel@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190822091306.20581-1-bjorn.topel@gmail.com> References: <20190822091306.20581-1-bjorn.topel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Björn Töpel The state variable was read, and written outside the control mutex (struct xdp_sock, mutex), without proper barriers and {READ, WRITE}_ONCE correctness. In this commit this issue is addressed, and the state member is now used a point of synchronization whether the socket is setup correctly or not. This also fixes a race, found by syzcaller, in xsk_poll() where umem could be accessed when stale. Suggested-by: Hillf Danton Reported-by: syzbot+c82697e3043781e08802@syzkaller.appspotmail.com Fixes: 77cd0d7b3f25 ("xsk: add support for need_wakeup flag in AF_XDP rings") Signed-off-by: Björn Töpel --- net/xdp/xsk.c | 57 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 41 insertions(+), 16 deletions(-) diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index f3351013c2a5..31236e61069b 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -162,10 +162,23 @@ static int __xsk_rcv_zc(struct xdp_sock *xs, struct xdp_buff *xdp, u32 len) return err; } +static bool xsk_is_bound(struct xdp_sock *xs) +{ + if (READ_ONCE(xs->state) == XSK_BOUND) { + /* Matches smp_wmb() in bind(). */ + smp_rmb(); + return true; + } + return false; +} + int xsk_rcv(struct xdp_sock *xs, struct xdp_buff *xdp) { u32 len; + if (!xsk_is_bound(xs)) + return -EINVAL; + if (xs->dev != xdp->rxq->dev || xs->queue_id != xdp->rxq->queue_index) return -EINVAL; @@ -362,6 +375,8 @@ static int xsk_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len) struct sock *sk = sock->sk; struct xdp_sock *xs = xdp_sk(sk); + if (unlikely(!xsk_is_bound(xs))) + return -ENXIO; if (unlikely(!xs->dev)) return -ENXIO; if (unlikely(!(xs->dev->flags & IFF_UP))) @@ -378,10 +393,15 @@ static unsigned int xsk_poll(struct file *file, struct socket *sock, struct poll_table_struct *wait) { unsigned int mask = datagram_poll(file, sock, wait); - struct sock *sk = sock->sk; - struct xdp_sock *xs = xdp_sk(sk); - struct net_device *dev = xs->dev; - struct xdp_umem *umem = xs->umem; + struct xdp_sock *xs = xdp_sk(sock->sk); + struct net_device *dev; + struct xdp_umem *umem; + + if (unlikely(!xsk_is_bound(xs))) + return mask; + + dev = xs->dev; + umem = xs->umem; if (umem->need_wakeup) dev->netdev_ops->ndo_xsk_wakeup(dev, xs->queue_id, @@ -417,10 +437,9 @@ static void xsk_unbind_dev(struct xdp_sock *xs) { struct net_device *dev = xs->dev; - if (!dev || xs->state != XSK_BOUND) + if (xs->state != XSK_BOUND) return; - - xs->state = XSK_UNBOUND; + WRITE_ONCE(xs->state, XSK_UNBOUND); /* Wait for driver to stop using the xdp socket. */ xdp_del_sk_umem(xs->umem, xs); @@ -495,7 +514,9 @@ static int xsk_release(struct socket *sock) local_bh_enable(); xsk_delete_from_maps(xs); + mutex_lock(&xs->mutex); xsk_unbind_dev(xs); + mutex_unlock(&xs->mutex); xskq_destroy(xs->rx); xskq_destroy(xs->tx); @@ -589,19 +610,18 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) } umem_xs = xdp_sk(sock->sk); - if (!umem_xs->umem) { - /* No umem to inherit. */ + if (!xsk_is_bound(umem_xs)) { err = -EBADF; sockfd_put(sock); goto out_unlock; - } else if (umem_xs->dev != dev || umem_xs->queue_id != qid) { + } + if (umem_xs->dev != dev || umem_xs->queue_id != qid) { err = -EINVAL; sockfd_put(sock); goto out_unlock; } - xdp_get_umem(umem_xs->umem); - xs->umem = umem_xs->umem; + WRITE_ONCE(xs->umem, umem_xs->umem); sockfd_put(sock); } else if (!xs->umem || !xdp_umem_validate_queues(xs->umem)) { err = -EINVAL; @@ -626,10 +646,15 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) xdp_add_sk_umem(xs->umem, xs); out_unlock: - if (err) + if (err) { dev_put(dev); - else - xs->state = XSK_BOUND; + } else { + /* Matches smp_rmb() in bind() for shared umem + * sockets, and xsk_is_bound(). + */ + smp_wmb(); + WRITE_ONCE(xs->state, XSK_BOUND); + } out_release: mutex_unlock(&xs->mutex); rtnl_unlock(); @@ -869,7 +894,7 @@ static int xsk_mmap(struct file *file, struct socket *sock, unsigned long pfn; struct page *qpg; - if (xs->state != XSK_READY) + if (READ_ONCE(xs->state) != XSK_READY) return -EBUSY; if (offset == XDP_PGOFF_RX_RING) { From patchwork Thu Aug 22 09:13:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= X-Patchwork-Id: 1151395 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Original-To: incoming-bpf@patchwork.ozlabs.org Delivered-To: patchwork-incoming-bpf@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=bpf-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="oD4EOZEx"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 46Df3W1Ng2z9s7T for ; Thu, 22 Aug 2019 19:13:59 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733050AbfHVJN6 (ORCPT ); Thu, 22 Aug 2019 05:13:58 -0400 Received: from mail-pl1-f194.google.com ([209.85.214.194]:47101 "EHLO mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733031AbfHVJN6 (ORCPT ); Thu, 22 Aug 2019 05:13:58 -0400 Received: by mail-pl1-f194.google.com with SMTP id c2so3083382plz.13; Thu, 22 Aug 2019 02:13:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=hGbD6Vh1mloKQbpoh3OOnJ9gcUMT0+HhT1PxglNKnQ4=; b=oD4EOZExG+ViTUs34Nz4fr9HAR3KqkVaabDSDUJ+MjRtyaTNIqhlKPXiZqV32kJ98J VJ+37FYjgo8yx/7Jsy18DMOmrObmLe9+VxOJvL6o0bd1c78mPcFdU1QGRSxpAbqROkzy rY5D5A0kjyEzljg+sSS+3l2jZa/W5YzwxDymfimyuK3ZP7aiS3bKNGDRb/0KK6DcM4eT bUQit+sstfJPFT0wWo3lVxLsn0YFTmRxnBlaO7Ckv9MaKpYT6tRRfw9Xvzzp1D3ee/xj HJvjtPnCc4YFURtyazf23ZTP0GDEABjw7gzwb7Zw8E/YZ9mveaTT3A2v6WM89rcxjTpT 9L/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=hGbD6Vh1mloKQbpoh3OOnJ9gcUMT0+HhT1PxglNKnQ4=; b=gUfjR65e+wxtSs99AvYfjXq93e8tQ3QbM25hAHRmj4dZ3Lj67MFcW4bmGrBDdeQ7i9 ELlK0x5Nuo52D0IUkNCZ1of9IFaLfuQedrylvcLRH4ABr37GYG6NgejNI+Nm+wc/c35d bG3Rj7tBS2WE4DskjJNXIPzj25EyoXkVVlkpNgVP33Ia3hJ8qwR2jrZO4qfwOLQ4fsGG l3rZ5z/CNKZc7vWDOmHl+Ce0YcMEqMPSlZH8lcQok27bV8adiU0RYSnXNsh68g87YSAN pqZmn4JFQr1ynOl9tX+P64MYHI6iWzpCVrI3fm9+rqq8qP551tjZfzqBgPqfR5DIwaEC I6aw== X-Gm-Message-State: APjAAAXgMdXbqRtGXvLb9kDtnxgvu1E5bOwU0+tjq98akGX8yAJA1dzf 06ebBZqgvZO6mQm7UdNT5GoSPtbkPkMWlg== X-Google-Smtp-Source: APXvYqxiz0DJV27uKMnA2sX0w4wTc/ukPA0yKjGYFfOFDrd+Y0G2ViWlcaqxS9Fi7Y9f5bk419YRXQ== X-Received: by 2002:a17:902:f01:: with SMTP id 1mr37197450ply.337.1566465237693; Thu, 22 Aug 2019 02:13:57 -0700 (PDT) Received: from btopel-mobl.ger.intel.com ([192.55.54.43]) by smtp.gmail.com with ESMTPSA id w207sm28414754pff.93.2019.08.22.02.13.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Aug 2019 02:13:57 -0700 (PDT) From: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= To: ast@kernel.org, daniel@iogearbox.net, netdev@vger.kernel.org Cc: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= , magnus.karlsson@intel.com, magnus.karlsson@gmail.com, bpf@vger.kernel.org, jonathan.lemon@gmail.com, syzbot+c82697e3043781e08802@syzkaller.appspotmail.com, hdanton@sina.com, i.maximets@samsung.com Subject: [PATCH bpf-next 3/4] xsk: avoid store-tearing when assigning umem Date: Thu, 22 Aug 2019 11:13:05 +0200 Message-Id: <20190822091306.20581-4-bjorn.topel@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190822091306.20581-1-bjorn.topel@gmail.com> References: <20190822091306.20581-1-bjorn.topel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Björn Töpel The umem member of struct xdp_sock is read outside of the control mutex, in the mmap implementation, and needs a WRITE_ONCE to avoid potentional store-tearing. Fixes: 423f38329d26 ("xsk: add umem fill queue support and mmap") Signed-off-by: Björn Töpel Acked-by: Jonathan Lemon --- net/xdp/xsk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index 31236e61069b..6dde1857ed52 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -718,7 +718,7 @@ static int xsk_setsockopt(struct socket *sock, int level, int optname, /* Make sure umem is ready before it can be seen by others */ smp_wmb(); - xs->umem = umem; + WRITE_ONCE(xs->umem, umem); mutex_unlock(&xs->mutex); return 0; } From patchwork Thu Aug 22 09:13:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= X-Patchwork-Id: 1151397 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Original-To: incoming-bpf@patchwork.ozlabs.org Delivered-To: patchwork-incoming-bpf@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=bpf-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="iXKnRLAo"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 46Df3f4BwBz9sN4 for ; Thu, 22 Aug 2019 19:14:06 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733078AbfHVJOE (ORCPT ); Thu, 22 Aug 2019 05:14:04 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:41080 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733069AbfHVJOD (ORCPT ); Thu, 22 Aug 2019 05:14:03 -0400 Received: by mail-pg1-f193.google.com with SMTP id x15so3239691pgg.8; Thu, 22 Aug 2019 02:14:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=s13uwYeUDJ3MfvTea2e4qSOfagA3SE+Ke9a29ZUGY9A=; b=iXKnRLAoRw0EjyAylvNv4mlSXERFG8wETZ3sJjFXttAOsveA0mT8C4nGw8c1QvdkGT VpMbfiMLPyLhZow6O6gXKPemiDB8Z1xA9x85n39jeJb67L9p97JYTNodLChEbE1OJayO pylsK2Ry/xsuDaIEqmWzVlAw1qxuN4xlCn6+4Oy8gPZQOZsMkYJbiMRjkg7jlgify7YO Gw4QwaXNrsabmvlfrVHALINrONMprSOk+duso1tEfG0pLC1Gn3MwXtRN8WN+coi+nCsy FVHa9sqSepQNzA/9T4ILIF5uToVsVrkcVUaMxjYH0Z7wB4O8IoYEIfG1c+mHxp0m1FN2 dTuQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=s13uwYeUDJ3MfvTea2e4qSOfagA3SE+Ke9a29ZUGY9A=; b=qpje+AUhRhfzE0SFoKgs5i2tEZLqpSYsPfX1ufHhIlL3ZHiJ29AcM/eNVHwtD3HaDV J12gTzvNs7WYpL9UoUfn3ariHSrBw/stdjYKcCvP8WkugmcgKCO1bZ0btvBUZ8FScNAo 7ME384acnKLvEuXVe+stFLs4TW7+VxLwkZ4fNAxhGANGNCk7aw6sNRIZujUuuAw9eliX qVl4l9x9HJWLNCMyJX8RILXDHaEqiDkzgKsSbK3qfqh36Dxc2Sk4IdVFvEpPc8GxOBZ6 MI6Vq1pby8oiSO/us4xcxUy38Q5d0GhKU8ItTKL2aV9elNiDPDUuUw5zowtWy1rLraho zkmg== X-Gm-Message-State: APjAAAWUYeDh1LOJrrQ4zaxIalVQkVhLIyH3KXUm3leKMsxDOcv01yXJ quC9Y4qoZkiqS4L8TZwUT94= X-Google-Smtp-Source: APXvYqwvBA214dNmsJekjaKTzlwv5ZLtusq+M2sghTis5Jk7tEgiEAQ7T8WTYgyTN5W3uWoC+zAXBQ== X-Received: by 2002:a63:101b:: with SMTP id f27mr31670036pgl.291.1566465242527; Thu, 22 Aug 2019 02:14:02 -0700 (PDT) Received: from btopel-mobl.ger.intel.com ([192.55.54.43]) by smtp.gmail.com with ESMTPSA id w207sm28414754pff.93.2019.08.22.02.13.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 22 Aug 2019 02:14:02 -0700 (PDT) From: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= To: ast@kernel.org, daniel@iogearbox.net, netdev@vger.kernel.org Cc: =?utf-8?b?QmrDtnJuIFTDtnBlbA==?= , magnus.karlsson@intel.com, magnus.karlsson@gmail.com, bpf@vger.kernel.org, jonathan.lemon@gmail.com, syzbot+c82697e3043781e08802@syzkaller.appspotmail.com, hdanton@sina.com, i.maximets@samsung.com Subject: [PATCH bpf-next 4/4] xsk: lock the control mutex in sock_diag interface Date: Thu, 22 Aug 2019 11:13:06 +0200 Message-Id: <20190822091306.20581-5-bjorn.topel@gmail.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190822091306.20581-1-bjorn.topel@gmail.com> References: <20190822091306.20581-1-bjorn.topel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Björn Töpel When accessing the members of an XDP socket, the control mutex should be held. This commit fixes that. Fixes: a36b38aa2af6 ("xsk: add sock_diag interface for AF_XDP") Signed-off-by: Björn Töpel Acked-by: Jonathan Lemon --- net/xdp/xsk_diag.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/xdp/xsk_diag.c b/net/xdp/xsk_diag.c index d5e06c8e0cbf..c8f4f11edbbc 100644 --- a/net/xdp/xsk_diag.c +++ b/net/xdp/xsk_diag.c @@ -97,6 +97,7 @@ static int xsk_diag_fill(struct sock *sk, struct sk_buff *nlskb, msg->xdiag_ino = sk_ino; sock_diag_save_cookie(sk, msg->xdiag_cookie); + mutex_lock(&xs->mutex); if ((req->xdiag_show & XDP_SHOW_INFO) && xsk_diag_put_info(xs, nlskb)) goto out_nlmsg_trim; @@ -117,10 +118,12 @@ static int xsk_diag_fill(struct sock *sk, struct sk_buff *nlskb, sock_diag_put_meminfo(sk, nlskb, XDP_DIAG_MEMINFO)) goto out_nlmsg_trim; + mutex_unlock(&xs->mutex); nlmsg_end(nlskb, nlh); return 0; out_nlmsg_trim: + mutex_unlock(&xs->mutex); nlmsg_cancel(nlskb, nlh); return -EMSGSIZE; }