From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Dumazet, syzbot, "David S . Miller", Greg Kroah-Hartman
Subject: [PATCH 5.2 111/135] net/packet: fix race in tpacket_snd()
Date: Thu, 22 Aug 2019 13:07:47 -0400
Message-Id: <20190822170811.13303-112-sashal@kernel.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190822170811.13303-1-sashal@kernel.org>
References: <20190822170811.13303-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.10-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.2.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.2.10-rc1
X-KernelTest-Deadline: 2019-08-24T17:07+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Eric Dumazet

[ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ]

packet_sendmsg() checks tx_ring.pg_vec to decide if it must call tpacket_snd().

Problem is that the check is lockless, meaning another thread can issue a concurrent setsockopt(PACKET_TX_RING) to flip tx_ring.pg_vec back to NULL.

Given that tpacket_snd() grabs pg_vec_lock mutex, we can perform the check again to solve the race.

syzbot reported:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
FS: 00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 packet_current_frame net/packet/af_packet.c:487 [inline]
 tpacket_snd net/packet/af_packet.c:2667 [inline]
 packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:657
 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg net/socket.c:2439 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/packet/af_packet.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 5f78df0805732..bad144dfabc56 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2607,6 +2607,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) mutex_lock(&po->pg_vec_lock); + /* packet_sendmsg() check on tx_ring.pg_vec was lockless, + * we need to confirm it under protection of pg_vec_lock. + */ + if (unlikely(!po->tx_ring.pg_vec)) { + err = -EBUSY; + goto out; + } if (likely(saddr == NULL)) { dev = packet_cached_dev_get(po); proto = po->num;
-- 
2.20.1
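Review bot: the recheck closes the window, but only half of the race is annotated: the hunk re-tests `po->tx_ring.pg_vec` right after `mutex_lock(&po->pg_vec_lock)`, while the lockless read in packet_sendmsg() that the new comment refers to is left as a plain load outside this patch; marking that read READ_ONCE() (or saying in the comment here why a plain racy read is acceptable) would document the pairing for the next reader. Placement is good, since the `goto out` fires before `dev = packet_cached_dev_get(po)` in the following context, so no device reference is taken on the early exit. Worth a sentence in the comment, though, is that `err = -EBUSY` makes a sendmsg() that races with PACKET_TX_RING teardown fail with a new userspace-visible errno instead of falling through to the non-ring path, so callers looping on the ring should expect it.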
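The commit message describes a classic check-then-use race: packet_sendmsg() tests tx_ring.pg_vec without a lock, another thread's setsockopt(PACKET_TX_RING) swaps the pointer to NULL under pg_vec_lock, and tpacket_snd() then indexes the NULL pg_vec. The userspace model below is an added illustration, not kernel code or part of this patch: the structures borrow af_packet.c names but are simplified (one flat buffer stands in for the struct pgv array), `hook` is a test seam that runs in the race window where the other thread's setsockopt would land, `recheck` selects the pre-fix or fixed body of tpacket_snd(), the model returns -EFAULT where the real pre-fix code would take the GPF from the syzbot report, and 1 stands in for the non-ring packet_snd() path. Everything else is assumed for the demonstration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_NR   4
#define FRAME_SIZE 64

/* One flat buffer stands in for the kernel's struct pgv array (assumption). */
struct packet_ring_buffer { char *pg_vec; unsigned int head, frame_max; };
struct packet_sock { pthread_mutex_t pg_vec_lock; struct packet_ring_buffer tx_ring; };

/* setsockopt(PACKET_TX_RING) model: swap in a fresh ring (or NULL to tear it
 * down) under pg_vec_lock and free the old ring after dropping the lock. */
static void packet_set_ring(struct packet_sock *po, int enable)
{
	char *pg_vec = enable ? calloc(FRAME_NR, FRAME_SIZE) : NULL, *old;

	if (enable && !pg_vec)
		abort();
	pthread_mutex_lock(&po->pg_vec_lock);
	old = po->tx_ring.pg_vec;
	po->tx_ring.pg_vec = pg_vec;
	po->tx_ring.head = 0;
	po->tx_ring.frame_max = FRAME_NR - 1;
	pthread_mutex_unlock(&po->pg_vec_lock);
	free(old);
}

/* tpacket_snd(): recheck=0 models the pre-fix body, recheck=1 the body with
 * the patch's extra test applied right after taking pg_vec_lock. */
static int tpacket_snd(struct packet_sock *po, const char *data, int recheck)
{
	int err = 0;
	unsigned int pos;

	pthread_mutex_lock(&po->pg_vec_lock);
	if (recheck && !po->tx_ring.pg_vec) {
		err = -EBUSY;	/* the fix: re-confirm the lockless check under the lock */
		goto out;
	}
	if (!po->tx_ring.pg_vec) {
		/* pre-fix code indexes pg_vec here (packet_lookup_frame) and faults;
		 * the model returns -EFAULT instead of dereferencing NULL (assumption) */
		err = -EFAULT;
		goto out;
	}
	pos = po->tx_ring.head;
	strncpy(po->tx_ring.pg_vec + pos * FRAME_SIZE, data, FRAME_SIZE - 1);
	po->tx_ring.head = pos == po->tx_ring.frame_max ? 0 : pos + 1;
out:
	pthread_mutex_unlock(&po->pg_vec_lock);
	return err;
}

/* packet_sendmsg(): the pg_vec test runs without pg_vec_lock. `hook` is a test
 * seam, not kernel code: it runs in the window between that test and the
 * moment tpacket_snd() takes the lock, which is where a concurrent
 * setsockopt(PACKET_TX_RING) from another thread fits. */
static int packet_sendmsg(struct packet_sock *po, const char *data, int recheck,
			  void (*hook)(struct packet_sock *))
{
	/* relaxed atomic load keeps the model well-defined C; the kernel used a plain read */
	if (__atomic_load_n(&po->tx_ring.pg_vec, __ATOMIC_RELAXED)) {
		if (hook)
			hook(po);
		return tpacket_snd(po, data, recheck);
	}
	return 1;	/* stands in for packet_snd(), the non-ring path (assumption) */
}

/* The concurrent setsockopt(PACKET_TX_RING) that flips pg_vec back to NULL. */
static void tear_down_ring(struct packet_sock *po)
{
	packet_set_ring(po, 0);
}

/* One sendmsg on a socket whose TX ring is set up; `hook` may tear the ring
 * down inside the race window. Returns sendmsg's result, or -1 if an unraced
 * send did not land "frame" in frame 0. */
static int send_one(int recheck, void (*hook)(struct packet_sock *))
{
	struct packet_sock po;
	int err;

	memset(&po, 0, sizeof(po));
	pthread_mutex_init(&po.pg_vec_lock, NULL);
	packet_set_ring(&po, 1);
	err = packet_sendmsg(&po, "frame", recheck, hook);
	if (!err && !hook && strcmp(po.tx_ring.pg_vec, "frame") != 0)
		err = -1;
	packet_set_ring(&po, 0);
	pthread_mutex_destroy(&po.pg_vec_lock);
	return err;
}
```

send_one(1, tear_down_ring) returns -EBUSY, the outcome the patch introduces; send_one(0, tear_down_ring) returns the model's -EFAULT marker, which in the real pre-fix kernel is the NULL dereference in packet_lookup_frame(); without the hook both variants return 0 and fill frame 0. The point the example makes is that the lockless test in packet_sendmsg() can only be a hint: any decision taken on it has to be re-validated once the lock that serialises against the writer is held.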