Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1177744imm; Wed, 23 May 2018 11:31:59 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqEAaWe3k2JbOQanRXmTKmH3zLv4hlJJrZSlgJbS77Cn5UO77COPTWJrlZYxrAXh13C+ey8 X-Received: by 2002:a17:902:848b:: with SMTP id c11-v6mr4040215plo.132.1527100319318; Wed, 23 May 2018 11:31:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527100319; cv=none; d=google.com; s=arc-20160816; b=jPpB3CAOMo5wDH2vkeErkFmeB2eol/HVtNAIzVAON+g9YSRQYw2DdX/Xg9CM6Ib4LR VC2hnY5KTflNO5CAZSk2bRYeKQj362p3kNpx27UufH0zXr4+YOW0UzmdrzVBf9Qq5cag foWnfoYHz/9L8XhpGKVs/GNeZueHzS1T7q5VvahzlqNNW42MLggzDBKM8mEv7r6J4AI2 4yGxJbTek7t5w63rvbTcRTTtCHq6bjjguy9GsgVsgffeTW/XhWPZgnURxysMJCvOD/lC nTOJFK0gTwye+jDxJgntE7KN0cgxniNFLqEOqsA0NioDh9P7HZOJmn7mI/lYA9WFO+DO KFow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=oaqkaSq3OXOmYUbFOX27pkUr/COK+Fbnw54EgxjdYUA=; b=nPVcN4wQlSmYmiULQLTiFcpzig3F7TyL9FQNAM2lGCssNJacVvWYyNeLyeq1p2zp5g utMxAgKhmOSf2YT/KBD11CtJwQ40KXAFiYqs7BhHmzP2t8GiK2IBaqeqrJmKCjAc8DgS qs/sSEch1tHo6JwjH9CRQMQOVMioF1BlBGhnAnD64F3jQOKmsFTO4Ii+yhkqK7XuQD5C WVO6ibGkWall1jytCzNMI5HUOzAPo7pQMJGgyz+A255Jl7L3BN46+Vll767IQ4fs59kC nzIZD2AHLg1iD658WdRbsr+QPh56+kGd+B42dToOtNCmTGCX41N4JJMIA1ilI54Bklo5 5LEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Xqp6Bk0Z; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t3-v6si557510pgp.421.2018.05.23.11.31.44; Wed, 23 May 2018 11:31:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Xqp6Bk0Z; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933963AbeEWSb1 (ORCPT + 99 others); Wed, 23 May 2018 14:31:27 -0400 Received: from mail-ua0-f195.google.com ([209.85.217.195]:38083 "EHLO mail-ua0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933632AbeEWSbY (ORCPT ); Wed, 23 May 2018 14:31:24 -0400 Received: by mail-ua0-f195.google.com with SMTP id y8-v6so15420512ual.5; Wed, 23 May 2018 11:31:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oaqkaSq3OXOmYUbFOX27pkUr/COK+Fbnw54EgxjdYUA=; b=Xqp6Bk0Z2BgMht8Cp23rWDc6u+v1jSS1H5ntXMLlYUroBD+6wPB16WkgClFNzZk/3p 6sUk4DpLDSTas39/PJpJGNBRKHpF4df8hGj2ca0i9MSZ5jj4v9GngZZJThNrETfRym+G DaNqOWMkDD6QxySZNpC4QArnXo5DjGXqGy4OucFIDekiG9KqEgPgGlAmoZFNBibnw5lH DD0RLsmIvGXKPjnAzmO269Q4LjrpNrX0uIMpzZ3YToLU/VNdliKTSZeUxd3P57VbpRZf lY8fRgq9Rk6k+o06WnV2luSSBVivdqevr36Ww1VJ/TObOs/rkMbOFPX+SFN/5NSPMeFw cJmw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oaqkaSq3OXOmYUbFOX27pkUr/COK+Fbnw54EgxjdYUA=; b=cKXJXf6uZERDh3GBDj6wBCPcBDgEVfLRpbyIkTMhpHSZv4LsRwtVPZppNUse2CaprA +IumzFF0l2vK6RDk2038P7PaU4OG4l0r0YEGBAMbyVgY6UUQsB2peyfBRDK1zfpZDCRB FPx+wX1aQIrQjs1x96ipc96w/YyCGW/ojdSZGI7cj8hNXUXrSrC2TYvR6xfnvdw6kiiQ 6cEF7WbAqc1TzoLdlOKmgoNk84bZIYEKXg6zN6APs/IjxMNr1UdXEDWv5dJMl22MNqF5 RNc/69VDPjHW91doz8xekqqScYcHN6WA5B+6gqThYJDpG8GRul5lvBSXtT1dVQDsBSu7 lN6g== X-Gm-Message-State: ALKqPwdDeWnt7GjXaL+8v0wHqncxyJF9/b9I/yWFO5k+jsu4ShcICT/w euj9WHpPHTtPFo9bcPdfp+GkXpFZxle5vNHhl0o= X-Received: by 2002:ab0:3004:: with SMTP id f4-v6mr2703697ual.80.1527100283130; Wed, 23 May 2018 11:31:23 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a67:975a:0:0:0:0:0 with HTTP; Wed, 23 May 2018 11:30:42 -0700 (PDT) In-Reply-To: References: <20180518120826.GA19515@dragonet.kaist.ac.kr> <293d029c-b14c-a625-3703-97a5754e99f1@gmail.com> <20180518.114433.390752642781753429.davem@davemloft.net> From: Willem de Bruijn Date: Wed, 23 May 2018 14:30:42 -0400 Message-ID: Subject: Re: WARNING in ip_recv_error To: David Miller Cc: Eric Dumazet , DaeLyong Jeong , Alexey Kuznetsov , Hideaki YOSHIFUJI , Network Development , LKML , Byoungyoung Lee , Kyungtae Kim , bammanag@purdue.edu, Willem de Bruijn Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 23, 2018 at 11:40 AM, Willem de Bruijn wrote: > On Sun, May 20, 2018 at 7:13 PM, Willem de Bruijn > wrote: >> On Fri, May 18, 2018 at 2:59 PM, Willem de Bruijn >> wrote: >>> On Fri, May 18, 2018 at 2:46 PM, Willem de Bruijn >>> wrote: >>>> On Fri, May 18, 2018 at 2:44 PM, Willem de Bruijn >>>> wrote: >>>>> On Fri, May 18, 2018 at 1:09 PM, Willem de Bruijn >>>>> wrote: >>>>>> On Fri, May 18, 2018 at 11:44 AM, David Miller wrote: >>>>>>> From: Eric Dumazet >>>>>>> Date: Fri, 18 May 2018 08:30:43 -0700 >>>>>>> >>>>>>>> We probably need to revert Willem patch (7ce875e5ecb8562fd44040f69bda96c999e38bbc) >>>>>>> >>>>>>> Is it really valid to reach ip_recv_err with an ipv6 socket? >>>>>> >>>>>> I guess the issue is that setsockopt IPV6_ADDRFORM is not an >>>>>> atomic operation, so that the socket is neither fully ipv4 nor fully >>>>>> ipv6 by the time it reaches ip_recv_error. >>>>>> >>>>>> sk->sk_socket->ops = &inet_dgram_ops; >>>>>> < HERE > >>>>>> sk->sk_family = PF_INET; >>>>>> >>>>>> Even calling inet_recv_error to demux would not necessarily help. >>>>>> >>>>>> Safest would be to look up by skb->protocol, similar to what >>>>>> ipv6_recv_error does to handle v4-mapped-v6. >>>>>> >>>>>> Or to make that function safe with PF_INET and swap the order >>>>>> of the above two operations. >>>>>> >>>>>> All sound needlessly complicated for this rare socket option, but >>>>>> I don't have a better idea yet. Dropping on the floor is not nice, >>>>>> either. >>>>> >>>>> Ensuring that ip_recv_error correctly handles packets from either >>>>> socket and removing the warning should indeed be good. >>>>> >>>>> It is robust against v4-mapped packets from an AF_INET6 socket, >>>>> but see caveat on reconnect below. >>>>> >>>>> The code between ipv6_recv_error for v4-mapped addresses and >>>>> ip_recv_error is essentially the same, the main difference being >>>>> whether to return network headers as sockaddr_in with SOL_IP >>>>> or sockaddr_in6 with SOL_IPV6. >>>>> >>>>> There are very few other locations in the stack that explicitly test >>>>> sk_family in this way and thus would be vulnerable to races with >>>>> IPV6_ADDRFORM. >>>>> >>>>> I'm not sure whether it is possible for a udpv6 socket to queue a >>>>> real ipv6 packet on the error queue, disconnect, connect to an >>>>> ipv4 address, call IPV6_ADDRFORM and then call ip_recv_error >>>>> on a true ipv6 packet. That would return buggy data, e.g., in >>>>> msg_name. >>>> >>>> In do_ipv6_setsockopt IPV6_ADDRFORM we can test that the >>>> error queue is empty, and then take its lock for the duration of the >>>> operation. >>> >>> Actually, no reason to hold the lock. This setsockopt holds the socket >>> lock, which connect would need, too. So testing that the queue >>> is empty after testing that it is connected to a v4 address is >>> sufficient to ensure that no ipv6 packets are queued for reception. >>> >>> diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c >>> index 4d780c7f0130..a975d6311341 100644 >>> --- a/net/ipv6/ipv6_sockglue.c >>> +++ b/net/ipv6/ipv6_sockglue.c >>> @@ -199,6 +199,11 @@ static int do_ipv6_setsockopt(struct sock *sk, >>> int level, int optname, >>> >>> if (ipv6_only_sock(sk) || >>> !ipv6_addr_v4mapped(&sk->sk_v6_daddr)) { >>> retv = -EADDRNOTAVAIL; >>> break; >>> } >>> >>> + if (!skb_queue_empty(&sk->sk_error_queue)) { >>> + retv = -EBUSY; >>> + break; >>> + } >>> + >>> fl6_free_socklist(sk); >>> __ipv6_sock_mc_close(sk); >>> >>> After this it should be safe to remove the warning in ip_recv_error. >> >> Hmm.. nope. >> >> This ensures that the socket cannot produce any new true v6 packets. >> But it does not guarantee that they are not already in the system, e.g. >> queued in tc, and will find their way to the error queue later. >> >> We'll have to just be able to handle ipv6 packets in ip_recv_error. >> Since IPV6_ADDRFORM is used to pass to legacy v4-only >> processes and those likely are only confused by SOL_IPV6 >> error messages, it is probably best to just drop them and perhaps >> WARN_ONCE. > > Even more fun, this is not limited to the error queue. > > I can queue a v6 packet for reception on a socket, connect to a v4 > address, call IPV6_ADDRFORM and then a regular recvfrom will > return a partial v6 address as AF_INET. > > We definitely do not want to have to add a check > > if (skb->protocol == htons(ETH_P_IPV6)) { > kfree_skb(skb); > goto try_again; > } > > to the normal recvmsg path. > > An alternative may be to tighten the check on when to allow > IPV6_ADDRFORM. Not only return EBUSY if a packet is pending, > but also if any sk_{rmem, omem, wmem}_alloc is non-zero. Only, > these tightened constraints could break a legacy application. > > Either way, this race is somewhat tangential to the one that > RaceFuzzer found. The sk changes that IPV6_ADDRFORM makes > to sk_prot, sk_socket->ops and sk_family are not atomic and will > not be. They need not be, because no other code assumes this > consistency. > > So I'll start by removing the warning as Eric suggested. http://patchwork.ozlabs.org/patch/919270/