From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, "David S. Miller"
Subject: [PATCH 4.19 77/85] net/packet: fix race in tpacket_snd()
Date: Thu, 22 Aug 2019 10:19:50 -0700
Message-Id: <20190822171734.446682447@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20190822171731.012687054@linuxfoundation.org>
References: <20190822171731.012687054@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Eric Dumazet

[ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ]

packet_sendmsg() checks tx_ring.pg_vec to decide if it must call
tpacket_snd().

Problem is that the check is lockless, meaning another thread can
issue a concurrent setsockopt(PACKET_TX_RING) to flip tx_ring.pg_vec
back to NULL.

Given that tpacket_snd() grabs pg_vec_lock mutex, we can perform
the check again to solve the race.

syzbot reported:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 packet_current_frame net/packet/af_packet.c:487 [inline]
 tpacket_snd net/packet/af_packet.c:2667 [inline]
 packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:657
 ___sys_sendmsg+0x3e2/0x920
 net/socket.c:2311
 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg net/socket.c:2439 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/packet/af_packet.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2616,6 +2616,13 @@ static int tpacket_snd(struct packet_soc mutex_lock(&po->pg_vec_lock); + /* packet_sendmsg() check on tx_ring.pg_vec was lockless, + * we need to confirm it under protection of pg_vec_lock. + */ + if (unlikely(!po->tx_ring.pg_vec)) { + err = -EBUSY; + goto out; + } if (likely(saddr == NULL)) { dev = packet_cached_dev_get(po); proto = po->num;
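Review bot: the new `goto out` is now the first exit taken while pg_vec_lock is held in tpacket_snd(), and the `out:` label is outside the hunk, so the 4.19 backport should be checked to confirm that label releases the mutex and does not assume state set up by the code this early return skips. The choice of -EBUSY is also undocumented: because the lockless check in packet_sendmsg() is kept, a sender whose ring is torn down by a concurrent setsockopt(PACKET_TX_RING) in the window now gets -EBUSY instead of the path packet_sendmsg() would have chosen had it seen the NULL pointer; that behaviour is reasonable but deserves a sentence in the commit message or in the new comment, which currently only says that the recheck is needed, not what the caller sees.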
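The check-then-use window described in the commit message, modelled deterministically in user space as an added example (constructed for this note, not kernel code and not part of the patch): packet_sock_model, teardown_tx_ring, tpacket_snd_racy, tpacket_snd_fixed and packet_sendmsg_model are hypothetical stand-ins for po->tx_ring.pg_vec, pg_vec_lock, the concurrent setsockopt(PACKET_TX_RING) and the pre- and post-fix tpacket_snd(); the racer hook plays the other thread in the window between the lockless check and mutex_lock().

```c
#include <errno.h>
#include <stddef.h>
/* Constructed stand-in for the af_packet socket fields involved. */
struct packet_sock_model {
    int *tx_ring_pg_vec;    /* po->tx_ring.pg_vec: NULL when no TX ring */
    int  pg_vec_lock_held;  /* po->pg_vec_lock: 1 while "locked" */
};

/* Concurrent setsockopt(PACKET_TX_RING) tearing the ring down; the real one
 * takes pg_vec_lock, so it only fits in the window after the lockless check. */
void teardown_tx_ring(struct packet_sock_model *po)
{
    po->tx_ring_pg_vec = NULL;
}

/* Pre-fix tpacket_snd(): trusts the lockless check; NULL pg_vec here is the syzbot NULL deref. */
int tpacket_snd_racy(struct packet_sock_model *po)
{
    po->pg_vec_lock_held = 1;            /* mutex_lock(&po->pg_vec_lock) */
    int frame = po->tx_ring_pg_vec[0];   /* crashes when pg_vec == NULL */
    po->pg_vec_lock_held = 0;            /* mutex_unlock */
    return frame;
}

/* Post-fix tpacket_snd(): recheck pg_vec under the mutex, where setsockopt()
 * can no longer flip it, and bail out with -EBUSY. */
int tpacket_snd_fixed(struct packet_sock_model *po)
{
    po->pg_vec_lock_held = 1;
    if (po->tx_ring_pg_vec == NULL) {    /* the recheck the patch adds */
        po->pg_vec_lock_held = 0;        /* goto out -> mutex_unlock */
        return -EBUSY;
    }
    int frame = po->tx_ring_pg_vec[0];
    po->pg_vec_lock_held = 0;
    return frame;
}

/* packet_sendmsg(): lockless check, then the racer (if any) runs in the
 * window, then tpacket_snd() is entered on the now-stale decision. */
int packet_sendmsg_model(struct packet_sock_model *po,
                         void (*racer)(struct packet_sock_model *),
                         int (*snd)(struct packet_sock_model *))
{
    if (po->tx_ring_pg_vec == NULL)
        return 0;                        /* non-ring path, not modelled */
    if (racer)
        racer(po);                       /* setsockopt(PACKET_TX_RING) lands here */
    return snd(po);
}
```

Running the same sequence (lockless check, teardown_tx_ring in the window, then the ring path) through tpacket_snd_racy reproduces the crash as a NULL dereference, while tpacket_snd_fixed returns -EBUSY with the lock released.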