From patchwork Thu Sep 14 21:14:41 2017
X-Patchwork-Submitter: Willem de Bruijn
X-Patchwork-Id: 813945
X-Patchwork-Delegate: davem@davemloft.net
From: Willem de Bruijn
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, nixiaoming@huawei.com, Willem de Bruijn
Subject: [PATCH net] packet: hold bind lock when rebinding to fanout hook
Date: Thu, 14 Sep 2017 17:14:41 -0400
Message-Id: <20170914211441.67326-1-willemb@google.com>
X-Mailer: git-send-email 2.14.1.690.gbb1197296e-goog
X-Mailing-List: netdev@vger.kernel.org

Packet socket bind operations must hold the po->bind_lock. This keeps po->running consistent with whether the socket is actually on a ptype list to receive packets.

fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then binds the fanout object to receive through packet_rcv_fanout. Make it hold the po->bind_lock when testing po->running and rebinding. Else, it can race with other rebind operations, such as that in packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates can result in a socket being added to a fanout group twice, causing use-after-free KASAN bug reports, among others.

Reported independently by both trinity and syzkaller. Verified that the syzkaller reproducer passes after this patch.

Reported-by: nixiaoming
Signed-off-by: Willem de Bruijn
---
 net/packet/af_packet.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index c26172995511..d288f52c53f7 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1684,10 +1684,6 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) mutex_lock(&fanout_mutex); - err = -EINVAL; - if (!po->running) - goto out; - err = -EALREADY; if (po->fanout) goto out; 
@@ -1749,7 +1745,10 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) list_add(&match->list, &fanout_list); } err = -EINVAL; - if (match->type == type && + + spin_lock(&po->bind_lock); + if (po->running && + match->type == type && match->prot_hook.type == po->prot_hook.type && match->prot_hook.dev == po->prot_hook.dev) { err = -ENOSPC; @@ -1761,6 +1760,13 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) err = 0; } } + spin_unlock(&po->bind_lock); + + if (err && !refcount_read(&match->sk_ref)) { + list_del(&match->list); + kfree(match); + } + out: if (err && rollover) { kfree(rollover);
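Review bot: dropping the early `if (!po->running) goto out;` in the first hunk (@@ -1684) means a socket that is no longer bound now proceeds to look up or allocate a fanout `match` before its running state is checked; that is the intended fix, since the test must happen under `po->bind_lock`, but the commit message should say the check is moved rather than removed, so a later cleanup does not reintroduce it here, outside the bind lock, where it raced with packet_set_ring.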
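Review bot: the second hunk (@@ -1749) takes `spin_lock(&po->bind_lock)` while `fanout_mutex` is already held (see `mutex_lock(&fanout_mutex)` in the first hunk's context). This ordering is safe because a mutex cannot be acquired under a spinlock, so the reverse order cannot exist, but a one-line comment above the `spin_lock` stating that `po->running` must be read under `bind_lock` to stay consistent with the ptype list would document why the test lives here and not at the top of the function.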
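Review bot: the cleanup added in the third hunk (@@ -1761), `if (err && !refcount_read(&match->sk_ref)) { list_del(&match->list); kfree(match); }`, is required precisely because the running check now runs after `match` may have been allocated and put on `fanout_list` via `list_add(&match->list, &fanout_list)`; a pre-existing group keeps `sk_ref > 0` and is left alone. Please confirm that no error path between that allocation and this point jumps straight to `out:` with a zero-ref `match` still on the list, since `out:` only frees `rollover`.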