From patchwork Tue Sep 11 01:27:26 2018
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 968368
X-Patchwork-Delegate: davem@davemloft.net
From: Cong Wang
To: netdev@vger.kernel.org
Cc: Cong Wang, Sowmini Varadhan, Santosh Shilimkar, rds-devel@oss.oracle.com
Subject: [Patch net v2] rds: fix two RCU related problems
Date: Mon, 10 Sep 2018 18:27:26 -0700
Message-Id: <20180911012726.5353-1-xiyou.wangcong@gmail.com>
X-Mailer: git-send-email 2.14.4
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

When an rds sock is bound, it is inserted into the bind_hash_table which
is protected by RCU. But when releasing an rds sock, after it is removed
from this hash table, it is freed immediately without respecting the RCU
grace period. This could cause some use-after-free as reported by syzbot.

Mark the rds sock with SOCK_RCU_FREE before inserting it into the
bind_hash_table, so that it would always be freed after an RCU grace
period.

The other problem is in rds_find_bound(): the rds sock could be freed in
between rhashtable_lookup_fast() and rds_sock_addref(), so we need to
extend RCU read lock protection in rds_find_bound() to close this race
condition.

Reported-and-tested-by: syzbot+8967084bcac563795dc6@syzkaller.appspotmail.com
Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com
Cc: Sowmini Varadhan
Cc: Santosh Shilimkar
Cc: rds-devel@oss.oracle.com
Signed-off-by: Cong Wang
Acked-by: Santosh Shilimkar
---
 net/rds/bind.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/rds/bind.c b/net/rds/bind.c
index 3ab55784b637..762d2c6788a3 100644
--- a/net/rds/bind.c
+++ b/net/rds/bind.c
@@ -76,11 +76,13 @@ struct rds_sock *rds_find_bound(const struct in6_addr *addr, __be16 port, struct rds_sock *rs; __rds_create_bind_key(key, addr, port, scope_id); - rs = rhashtable_lookup_fast(&bind_hash_table, key, ht_parms); + rcu_read_lock(); + rs = rhashtable_lookup(&bind_hash_table, key, ht_parms); if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD)) rds_sock_addref(rs); else rs = NULL; + rcu_read_unlock(); rdsdebug("returning rs %p for %pI6c:%u\n", rs, addr, ntohs(port)); @@ -235,6 +237,7 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) goto out; } + sock_set_flag(sk, SOCK_RCU_FREE); ret = rds_add_bound(rs, binding_addr, &port, scope_id); if (ret) goto out;
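Review bot: in the rds_find_bound() hunk, the SOCK_DEAD test and rds_sock_addref() remain two separate steps, and the new rcu_read_lock()/rcu_read_unlock() pair only guarantees that the memory stays valid for the length of the section; it does not stop the release path from setting SOCK_DEAD and dropping the last reference between `if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))` and `rds_sock_addref(rs);`. If rds_sock_addref() is an unconditional sock_hold() (its body is not visible here), a refcount_inc_not_zero()-style increment, or at least a comment stating why that window is acceptable, would make the read side self-explanatory. The switch from rhashtable_lookup_fast() to rhashtable_lookup() also deserves a one-line comment, since the latter expects the caller to hold the RCU read lock, and this hunk is only sound together with the SOCK_RCU_FREE change in the second hunk; the two should not be split across commits.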
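Review bot: in the rds_bind() hunk, `sock_set_flag(sk, SOCK_RCU_FREE);` is set before rds_add_bound() and stays set if rds_add_bound() fails and the function takes `goto out;`. That is harmless (the socket is merely freed after a grace period instead of immediately) but is worth a comment, as is the ordering requirement itself: the flag must be set before the socket becomes reachable through bind_hash_table, because the socket destructor path consults it when the last reference is dropped, and a lookup racing with a later release would otherwise see memory freed with no grace period. The hunk also depends on `sk` already being in scope in rds_bind(), which the quoted context does not show.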
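The commit message describes two independent gaps: the socket being freed with no grace period, and the lookup's own RCU section ending before the caller examines the socket. The following toy model is an added illustration written for this page, not code from the patch or the kernel. It replaces the rhashtable, sock_put() and RCU with single-threaded stand-ins (every toy_* name and the bind_slot, rcu_deferred and uaf_seen globals are inventions of the model), drives the reported interleaving by hand, and shows that both fixes are needed: leaving out either one still lets the reader touch freed memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration, not kernel code: a single-threaded toy model of the
 * lifetime rule the patch relies on. One table slot, a grace period that can
 * only end while no rcu_read_lock() section is active, and hand-written
 * reader/releaser interleavings. All toy_* names are inventions of this model. */
struct toy_sock {
    int refcnt;
    bool rcu_free;  /* models SOCK_RCU_FREE */
    bool dead;      /* models SOCK_DEAD, set by the release path */
    bool freed;     /* memory is only marked, so a use-after-free is observable */
};

static struct toy_sock *bind_slot;     /* models bind_hash_table */
static struct toy_sock *rcu_deferred;  /* models a pending call_rcu() callback */
static int rcu_readers;                /* nesting depth of rcu_read_lock() */
static bool uaf_seen;                  /* set whenever freed memory is touched */

static void toy_rcu_read_lock(void)   { rcu_readers++; }
static void toy_rcu_read_unlock(void) { rcu_readers--; }

/* Every access to a socket obtained from the table goes through here. */
static struct toy_sock *toy_touch(struct toy_sock *s)
{
    if (s->freed)
        uaf_seen = true;
    return s;
}

/* A grace period ends only when no reader is active; then the deferred
 * destructor runs. Returns true if it ran. */
static bool toy_synchronize_rcu(void)
{
    if (rcu_readers != 0 || !rcu_deferred)
        return false;
    rcu_deferred->freed = true;
    rcu_deferred = NULL;
    return true;
}

/* models sock_put(): the last reference frees now or defers via RCU */
static void toy_sock_put(struct toy_sock *s)
{
    if (--s->refcnt > 0)
        return;
    if (s->rcu_free)
        rcu_deferred = s;
    else
        s->freed = true;
}

/* models rds_bind()/rds_add_bound(): two refs, the socket's and the table's */
static void toy_bind(struct toy_sock *s, bool rcu_free)
{
    s->refcnt = 2;
    s->rcu_free = rcu_free;
    bind_slot = s;
}

/* models rds_release(): sock_orphan(), rds_remove_bound(), then sock_put() */
static void toy_release(struct toy_sock *s)
{
    s->dead = true;
    bind_slot = NULL;
    toy_sock_put(s);                    /* table reference, then the socket's own */
    toy_sock_put(s);
}

/* The reported interleaving: reader looks up, releaser runs, reader tests
 * SOCK_DEAD and addrefs. extended_rcu models the patched rds_find_bound(),
 * rcu_free the SOCK_RCU_FREE flag. Returns 0 when safe, bit 0 if freed memory
 * was touched, bit 1 if the socket was never freed. */
static int race_outcome(bool extended_rcu, bool rcu_free)
{
    struct toy_sock s = {0};
    uaf_seen = false;
    toy_bind(&s, rcu_free);
    toy_rcu_read_lock();
    struct toy_sock *rs = bind_slot;
    if (!extended_rcu)
        toy_rcu_read_unlock();          /* rhashtable_lookup_fast() drops it here */
    toy_release(&s);                    /* releaser runs in the gap */
    toy_synchronize_rcu();              /* cannot complete while a reader is inside */
    if (rs && !toy_touch(rs)->dead)     /* the sock_flag(.., SOCK_DEAD) read */
        toy_touch(rs)->refcnt++;
    if (extended_rcu)
        toy_rcu_read_unlock();
    toy_synchronize_rcu();              /* a deferred free, if any, runs now */
    return (uaf_seen ? 1 : 0) | (s.freed ? 0 : 2);
}

int main(void)
{
    printf("old=%d rcu_free_only=%d lock_only=%d patched=%d\n",
           race_outcome(false, false), race_outcome(false, true),
           race_outcome(true, false), race_outcome(true, true));
    return 0;
}
```

race_outcome(false, false) is the unpatched code and race_outcome(true, true) the patched one; the two mixed calls show that neither SOCK_RCU_FREE on its own nor the extended read lock on its own closes the window, which is why the patch changes both places.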