From patchwork Wed Oct 18 22:08:24 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Dumazet X-Patchwork-Id: 827833 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="jhSW948z"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3yHR5n6f2jz9t7p for ; Thu, 19 Oct 2017 09:08:29 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751046AbdJRWI1 (ORCPT ); Wed, 18 Oct 2017 18:08:27 -0400 Received: from mail-io0-f195.google.com ([209.85.223.195]:52143 "EHLO mail-io0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750880AbdJRWI0 (ORCPT ); Wed, 18 Oct 2017 18:08:26 -0400 Received: by mail-io0-f195.google.com with SMTP id b186so7879342iof.8 for ; Wed, 18 Oct 2017 15:08:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:subject:from:to:cc:date:mime-version :content-transfer-encoding; bh=/qQvOXsMme+swY8n4vdSuBVK/7KpTl8WgOhlpb6itgI=; b=jhSW948zlFWymCQBO8H6dwLBn3F8jJwZSv0wv3hd96bM0Jms3XxXjd3v3SGi4B3y8i v8XTA79EIYF2TJd5lMp4GDbz7c8k2V0RkWyVTK3PpYjao5x70tN24EQdGlfXJ4Giv9cM UwpzpOSLgVuzJ/LOYfyvR9NYMpY1/TosbRyvUy/aF48KeBaHHNC0lB18ZmJh3+w+YrzE uIJmro5JB1gb1K1zg7SQdo5WqmHEIQda4Wn6hyP7ye3/3vr3obVYDvucyF4B2E/kUwvq P6orWOLcwGyZls7/bSGnKfynRnT4HJV3CZmnzOb7vVhlvqDMZJywQgqC9e5l4pBYZCmi yUsA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:mime-version :content-transfer-encoding; bh=/qQvOXsMme+swY8n4vdSuBVK/7KpTl8WgOhlpb6itgI=; b=G/HI5iAHHPxJWpMsI7CEi3ixTyQVxy/F+14YZSzneWiA3cQ3ZC++hVeDpOhGDasO/d Cq0TsO9Z6/jl/iKcU6t0fVQ7xtxsHm0/mW8a8yTSWgklb2YqtpDy2z1vOR4ZY7afbrtm I3v4QG/SlbFnCFUI8cB4VEoBZm+NTjVNGn7cIc+rgxHxNosbOMgiK2Hc/2aWcwBTD3bm QAtw5kYcs2D/A8UNpDVk7mWEmBBqo/R9/hTJ9VwG3naB64Cc8tx4oeW1oxMW/61SNqjq 9oWa/MHLG629KV4WnJ9dS7u6RBV7tIkTYGr9RQyrapBWcLdqCtCQnOCxo3Tk/w0zhXXx mQyw== X-Gm-Message-State: AMCzsaXuOQNKLudtybDzPPWvzPLc4ftiius+WlTPIhXeg4/BGZSLMBIe Pr5oreaTksMscD1KRIwjYKI= X-Google-Smtp-Source: ABhQp+RukbvcV1n75lucY9m9kFHQi4g5wyH8EJBQe9b0H72HWUvmEXNfkM6432gf3oc/Zy5U8ZPmsw== X-Received: by 10.107.18.170 with SMTP id 42mr35228ios.55.1508364506025; Wed, 18 Oct 2017 15:08:26 -0700 (PDT) Received: from ?IPv6:2620:15c:2c1:100:8c3b:83ae:17c4:e83? ([2620:15c:2c1:100:8c3b:83ae:17c4:e83]) by smtp.googlemail.com with ESMTPSA id d1sm6844569iti.35.2017.10.18.15.08.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Oct 2017 15:08:25 -0700 (PDT) Message-ID: <1508364504.31614.150.camel@edumazet-glaptop3.roam.corp.google.com> Subject: [PATCH net] packet: avoid panic in packet_getsockopt() From: Eric Dumazet To: David Miller Cc: netdev , Willem de Bruijn , Eric Dumazet Date: Wed, 18 Oct 2017 15:08:24 -0700 X-Mailer: Evolution 3.10.4-0ubuntu2 Mime-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Eric Dumazet syzkaller got crashes in packet_getsockopt() processing PACKET_ROLLOVER_STATS command while another thread was managing to change po->rollover Using RCU will fix this bug. We might later add proper RCU annotations for sparse sake. Fixes: a9b6391814d5 ("packet: rollover statistics") Signed-off-by: Eric Dumazet Willem de Bruijn --- net/packet/af_packet.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index bec01a3daf5b02bd716dbff5c9efef8d6a7982be..1d8a7add86b4f29880e11c6f4971d79319dcb426 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1796,8 +1796,10 @@ static struct packet_fanout *fanout_release(struct sock *sk) else f = NULL; - if (po->rollover) + if (po->rollover) { kfree_rcu(po->rollover, rcu); + po->rollover = NULL; + } } mutex_unlock(&fanout_mutex); @@ -3851,6 +3853,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, void *data = &val; union tpacket_stats_u st; struct tpacket_rollover_stats rstats; + struct packet_rollover *rollover; if (level != SOL_PACKET) return -ENOPROTOOPT; @@ -3929,13 +3932,18 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, 0); break; case PACKET_ROLLOVER_STATS: - if (!po->rollover) + rcu_read_lock(); + rollover = rcu_dereference(po->rollover); + if (rollover) { + rstats.tp_all = atomic_long_read(&rollover->num); + rstats.tp_huge = atomic_long_read(&rollover->num_huge); + rstats.tp_failed = atomic_long_read(&rollover->num_failed); + data = &rstats; + lv = sizeof(rstats); + } + rcu_read_unlock(); + if (!rollover) return -EINVAL; - rstats.tp_all = atomic_long_read(&po->rollover->num); - rstats.tp_huge = atomic_long_read(&po->rollover->num_huge); - rstats.tp_failed = atomic_long_read(&po->rollover->num_failed); - data = &rstats; - lv = sizeof(rstats); break; case PACKET_TX_HAS_OFF: val = po->tp_tx_has_off;