From patchwork Tue Sep 26 16:19:37 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
X-Patchwork-Id: 818726
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="XFf4u2wV"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3y1mPX5X0Jz9sRm
	for <patchwork-incoming@ozlabs.org>;
	Wed, 27 Sep 2017 02:19:44 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S965599AbdIZQTm (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 26 Sep 2017 12:19:42 -0400
Received: from mail-qk0-f195.google.com ([209.85.220.195]:35274 "EHLO
	mail-qk0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S934771AbdIZQTk (ORCPT
	<rfc822;netdev@vger.kernel.org>); Tue, 26 Sep 2017 12:19:40 -0400
Received: by mail-qk0-f195.google.com with SMTP id o77so7143343qke.2
	for <netdev@vger.kernel.org>; Tue, 26 Sep 2017 09:19:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=IoB+/XajPfvsZMpHZ0x6t480SwtTd5JsEqaMhPjPvZw=;
	b=XFf4u2wVSBQ0S+vo5+nhx8hVGL9w84QvT4SRdTOAXWyCck6EYkb143o/EGTmbg/vER
	dBE0dnYvYtFNMZVoVTh7bqjlSdWp0FEMjZgED2fMEdZxcnapGE7SrROMRURPGg7ChoQD
	Hwcb/83n2pa2hB5a2BRw3mLFfEy5bp6aQmr+IgT7oLuxcsLoA0/DK0nAx9/n7qxLN4Ao
	NCHllcttDwZJ0XBn4LPLCxuCKSbVGk9A8X1VM5Y4RyxIMsUrMjSV0n5G0nMn9WZyB5BF
	hNRtkMqL2rgOT08ywsOllX/QMU8cmwJqvpna6sTjZ7gpnx36FV21e6eWleEW+qqDzRp5
	Ecug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=IoB+/XajPfvsZMpHZ0x6t480SwtTd5JsEqaMhPjPvZw=;
	b=IU4DGZHqZbYCjx5O75HA7HT7t5f+TpSZLjU5LLymy3w8LWUHJQ9PkKVlLXlN9iVpdg
	ikl3UXJT7L0QlvBa/W79meCkb4nORgMuxzvOvKpuiwFAsPEwqmrmi2m+MMm1QneMeXOk
	hsyMnHRU/jto2vvlJX2MGyzyBi+dyZcFZU+zZs8Yxh9GlojgVGifNC9M/ZkCtuBY5QJD
	zfaRSgdZR+wsCvcuw7R1yzLha7linf/b5xMRURAqfmCccooCXMdw9ku1D86HhPupSNmy
	eWxW2nHwGU82pjlu+fKtAl1xdOucLKvVdM9l6uJoTSjdkOVCN4LUL1yVZIdx7K8ikTPH
	PaAg==
X-Gm-Message-State: AHPjjUiSTux2qAul/vghElL2XopMWS4FB93RUsB+WqeGXftpO+BeNQvh
	C+CSGrx2x0myX6SMFX1BXcPgmhCn
X-Google-Smtp-Source: 
 AOwi7QDCDpI+8e0lYOTTCoQKvNUIxz7QN8sJf939ModMnMmpll5nK9cEIdtMaR+YFHzzxlF0mxTUmg==
X-Received: by 10.55.22.75 with SMTP id g72mr15106086qkh.66.1506442779706;
	Tue, 26 Sep 2017 09:19:39 -0700 (PDT)
Received: from willemb1.nyc.corp.google.com ([100.101.212.81])
	by smtp.gmail.com with ESMTPSA id
	72sm7375274qkz.57.2017.09.26.09.19.39
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 26 Sep 2017 09:19:39 -0700 (PDT)
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, Willem de Bruijn <willemb@google.com>
Subject: [PATCH net] packet: in packet_do_bind,
	test fanout with bind_lock held
Date: Tue, 26 Sep 2017 12:19:37 -0400
Message-Id: <20170926161937.60597-1-willemdebruijn.kernel@gmail.com>
X-Mailer: git-send-email 2.14.1.821.g8fa685d3b7-goog
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Willem de Bruijn <willemb@google.com>

Once a socket has po->fanout set, it remains a member of the group
until it is destroyed. The prot_hook must be constant and identical
across sockets in the group.

If fanout_add races with packet_do_bind between the test of po->fanout
and taking the lock, the bind call may make type or dev inconsistent
with that of the fanout group.

Hold po->bind_lock when testing po->fanout to avoid this race.

I had to introduce artificial delay (local_bh_enable) to actually
observe the race.

Fixes: dc99f600698d ("packet: Add fanout support.")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
---
 net/packet/af_packet.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 1da0851f51f2..bec01a3daf5b 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3071,13 +3071,15 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
 	int ret = 0;
 	bool unlisted = false;
 
-	if (po->fanout)
-		return -EINVAL;
-
 	lock_sock(sk);
 	spin_lock(&po->bind_lock);
 	rcu_read_lock();
 
+	if (po->fanout) {
+		ret = -EINVAL;
+		goto out_unlock;
+	}
+
 	if (name) {
 		dev = dev_get_by_name_rcu(sock_net(sk), name);
 		if (!dev) {