Message ID | 20220127080040.399266-1-khalid.elmously@canonical.com |
---|---|
State | New |
Series | [SRU,v2,F/gke] net/packet: rx_owner_map depends on pg_vec |
On 27.01.22 09:00, Khalid Elmously wrote: > From: Willem de Bruijn <willemb@google.com> > > BugLink: https://bugs.launchpad.net/bugs/1959173 > > Packet sockets may switch ring versions. Avoid misinterpreting state > between versions, whose fields share a union. rx_owner_map is only > allocated with a packet ring (pg_vec) and both are swapped together. > If pg_vec is NULL, meaning no packet ring was allocated, then neither > was rx_owner_map. And the field may be old state from a tpacket_v3. > > Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition") > Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com> > Signed-off-by: Willem de Bruijn <willemb@google.com> > Reviewed-by: Eric Dumazet <edumazet@google.com> > Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com > Signed-off-by: Jakub Kicinski <kuba@kernel.org> > (cherry picked from commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755) > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> > --- Would this not better be a change for all relevant distro kernels? -Stefan > net/packet/af_packet.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c > index 46943a18a10d..76c2dca7f0a5 100644 > --- a/net/packet/af_packet.c > +++ b/net/packet/af_packet.c > @@ -4492,9 +4492,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, > } > > out_free_pg_vec: > - bitmap_free(rx_owner_map); > - if (pg_vec) > + if (pg_vec) { > + bitmap_free(rx_owner_map); > free_pg_vec(pg_vec, order, req->tp_block_nr); > + } > out: > return err; > }
On 2022-01-27 10:14:29 , Stefan Bader wrote: > On 27.01.22 09:00, Khalid Elmously wrote: > > From: Willem de Bruijn <willemb@google.com> > > > > BugLink: https://bugs.launchpad.net/bugs/1959173 > > > > Packet sockets may switch ring versions. Avoid misinterpreting state > > between versions, whose fields share a union. rx_owner_map is only > > allocated with a packet ring (pg_vec) and both are swapped together. > > If pg_vec is NULL, meaning no packet ring was allocated, then neither > > was rx_owner_map. And the field may be old state from a tpacket_v3. > > > > Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition") > > Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com> > > Signed-off-by: Willem de Bruijn <willemb@google.com> > > Reviewed-by: Eric Dumazet <edumazet@google.com> > > Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com > > Signed-off-by: Jakub Kicinski <kuba@kernel.org> > > (cherry picked from commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755) > > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> > > --- > > Would this not better be a change for all relevant distro kernels? Yes. It is ready to be applied via linux-stable updates for all the main kernels, so they should all get it next cycle, which would mean a release around end of Feb. However, GKE thinks the risk is high enough that they would strongly prefer it be fixed as soon as possible, so I intend to respin the GKE kernels with this fix as soon as it is applied. > > -Stefan > > > net/packet/af_packet.c | 5 +++-- > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c > > index 46943a18a10d..76c2dca7f0a5 100644 > > --- a/net/packet/af_packet.c > > +++ b/net/packet/af_packet.c 
> > @@ -4492,9 +4492,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, > > } > > out_free_pg_vec: > > - bitmap_free(rx_owner_map); > > - if (pg_vec) > > + if (pg_vec) { > > + bitmap_free(rx_owner_map); > > free_pg_vec(pg_vec, order, req->tp_block_nr); > > + } > > out: > > return err; > > } >
On 27.01.22 09:00, Khalid Elmously wrote: > From: Willem de Bruijn <willemb@google.com> > > BugLink: https://bugs.launchpad.net/bugs/1959173 > > Packet sockets may switch ring versions. Avoid misinterpreting state > between versions, whose fields share a union. rx_owner_map is only > allocated with a packet ring (pg_vec) and both are swapped together. > If pg_vec is NULL, meaning no packet ring was allocated, then neither > was rx_owner_map. And the field may be old state from a tpacket_v3. > > Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition") > Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com> > Signed-off-by: Willem de Bruijn <willemb@google.com> > Reviewed-by: Eric Dumazet <edumazet@google.com> > Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com > Signed-off-by: Jakub Kicinski <kuba@kernel.org> > (cherry picked from commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755) > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Thanks > --- > net/packet/af_packet.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c > index 46943a18a10d..76c2dca7f0a5 100644 > --- a/net/packet/af_packet.c > +++ b/net/packet/af_packet.c > @@ -4492,9 +4492,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, > } > > out_free_pg_vec: > - bitmap_free(rx_owner_map); > - if (pg_vec) > + if (pg_vec) { > + bitmap_free(rx_owner_map); > free_pg_vec(pg_vec, order, req->tp_block_nr); > + } > out: > return err; > }
Acked-by: Tim Gardner <tim.gardner@canonical.com> On 1/27/22 1:00 AM, Khalid Elmously wrote: > From: Willem de Bruijn <willemb@google.com> > > BugLink: https://bugs.launchpad.net/bugs/1959173 > > Packet sockets may switch ring versions. Avoid misinterpreting state > between versions, whose fields share a union. rx_owner_map is only > allocated with a packet ring (pg_vec) and both are swapped together. > If pg_vec is NULL, meaning no packet ring was allocated, then neither > was rx_owner_map. And the field may be old state from a tpacket_v3. > > Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition") > Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com> > Signed-off-by: Willem de Bruijn <willemb@google.com> > Reviewed-by: Eric Dumazet <edumazet@google.com> > Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com > Signed-off-by: Jakub Kicinski <kuba@kernel.org> > (cherry picked from commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755) > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> > --- > net/packet/af_packet.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c > index 46943a18a10d..76c2dca7f0a5 100644 > --- a/net/packet/af_packet.c > +++ b/net/packet/af_packet.c > @@ -4492,9 +4492,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, > } > > out_free_pg_vec: > - bitmap_free(rx_owner_map); > - if (pg_vec) > + if (pg_vec) { > + bitmap_free(rx_owner_map); > free_pg_vec(pg_vec, order, req->tp_block_nr); > + } > out: > return err; > }
On 27.01.22 09:00, Khalid Elmously wrote: > From: Willem de Bruijn <willemb@google.com> > > BugLink: https://bugs.launchpad.net/bugs/1959173 > > Packet sockets may switch ring versions. Avoid misinterpreting state > between versions, whose fields share a union. rx_owner_map is only > allocated with a packet ring (pg_vec) and both are swapped together. > If pg_vec is NULL, meaning no packet ring was allocated, then neither > was rx_owner_map. And the field may be old state from a tpacket_v3. > > Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition") > Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com> > Signed-off-by: Willem de Bruijn <willemb@google.com> > Reviewed-by: Eric Dumazet <edumazet@google.com> > Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com > Signed-off-by: Jakub Kicinski <kuba@kernel.org> > (cherry picked from commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755) > Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com> > --- Not sure this was ever picked up for any GKE kernel but it was applied to focal:linux via stable and is part of Ubuntu-5.4.0-100.113 in the current 2022.01.31 cycle. This got picked up by Ubuntu-gke-5.4.0-1063.66 so it does not need to be done again. Thanks. -Stefan > net/packet/af_packet.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c > index 46943a18a10d..76c2dca7f0a5 100644 > --- a/net/packet/af_packet.c > +++ b/net/packet/af_packet.c > @@ -4492,9 +4492,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, > } > > out_free_pg_vec: > - bitmap_free(rx_owner_map); > - if (pg_vec) > + if (pg_vec) { > + bitmap_free(rx_owner_map); > free_pg_vec(pg_vec, order, req->tp_block_nr); > + } > out: > return err; > }
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 46943a18a10d..76c2dca7f0a5 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -4492,9 +4492,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, } out_free_pg_vec: - bitmap_free(rx_owner_map); - if (pg_vec) + if (pg_vec) { + bitmap_free(rx_owner_map); free_pg_vec(pg_vec, order, req->tp_block_nr); + } out: return err; }
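Review bot: the new `if (pg_vec) {` guard at `out_free_pg_vec:` depends on an invariant that only the commit message states, namely that `rx_owner_map` is allocated together with `pg_vec` and otherwise may be stale tpacket_v3 state from the shared union. A short comment directly above the guard saying so would stop a later cleanup from hoisting `bitmap_free(rx_owner_map);` back out of the block, which is exactly the form this patch removes. Since the only behaviour that changes is the case where `pg_vec` is NULL (no packet ring allocated), the SRU test notes should say that this case was exercised after a ring version switch.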