From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, "David S. Miller"
Subject: [PATCH 4.14 63/71] net/packet: fix race in tpacket_snd()
Date: Thu, 22 Aug 2019 10:19:38 -0700
Message-Id: <20190822171730.475123825@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20190822171726.131957995@linuxfoundation.org>
References: <20190822171726.131957995@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
From: Eric Dumazet

[ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ]

packet_sendmsg() checks tx_ring.pg_vec to decide if it must call
tpacket_snd().

Problem is that the check is lockless, meaning another thread
can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
tx_ring.pg_vec back to NULL.

Given that tpacket_snd() grabs pg_vec_lock mutex, we can perform
the check again to solve the race.

syzbot reported :

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 packet_current_frame net/packet/af_packet.c:487 [inline]
 tpacket_snd net/packet/af_packet.c:2667 [inline]
 packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:657
 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg net/socket.c:2439 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/packet/af_packet.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2654,6 +2654,13 @@ static int tpacket_snd(struct packet_soc mutex_lock(&po->pg_vec_lock); + /* packet_sendmsg() check on tx_ring.pg_vec was lockless, + * we need to confirm it under protection of pg_vec_lock. + */ + if (unlikely(!po->tx_ring.pg_vec)) { + err = -EBUSY; + goto out; + } if (likely(saddr == NULL)) { dev = packet_cached_dev_get(po); proto = po->num;
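Review bot: the early exit added right after `mutex_lock(&po->pg_vec_lock)` jumps to `out`, which this hunk does not show; because the check runs before `dev` is obtained via `packet_cached_dev_get(po)`, the backport is only correct if 4.14's `out:` label does nothing beyond `mutex_unlock(&po->pg_vec_lock)` (in particular no `dev_put()`), so that label layout is the one thing to confirm in the stable tree before merging. A smaller point on the comment: it says the earlier check was lockless but not who races against it; naming `setsockopt(PACKET_TX_RING)` as the commit message does would make the `-EBUSY` choice (ring being torn down concurrently, rather than "no ring" as `-EINVAL` or `-ENXIO` might suggest) self-explanatory to the next reader. Leaving the lockless check in `packet_sendmsg()` in place is fine: that read only selects the code path, and this repeated check under `pg_vec_lock` is what makes the decision safe.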
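The race the commit message describes, and the check-then-recheck-under-lock fix, modelled in user space as an added example written for this page (not kernel code and not part of the patch). All names (`toy_sock`, `toy_tpacket_snd_*`, `toy_run`, the `race` hook) are assumptions chosen to mirror af_packet.c; the hook stands in for the second thread's `setsockopt(PACKET_TX_RING)` landing between the lockless check and the locked section, and the unfixed path returns the `-EFAULT` sentinel where the real kernel would dereference the NULL `pg_vec`, since a crash cannot be asserted on:

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Toy model of the state tpacket_snd() depends on. Field names mirror
 * af_packet.c, but this is an illustration, not the kernel's structures. */
struct toy_sock {
    pthread_mutex_t pg_vec_lock;   /* models po->pg_vec_lock */
    void *tx_pg_vec;               /* models po->tx_ring.pg_vec; NULL = no TX ring */
};

/* Models the other thread's setsockopt(PACKET_TX_RING) with a zero-frame
 * request: the ring is torn down and pg_vec flipped back to NULL under the lock. */
void toy_tx_ring_teardown(struct toy_sock *po) {
    pthread_mutex_lock(&po->pg_vec_lock);
    free(po->tx_pg_vec);
    po->tx_pg_vec = NULL;
    pthread_mutex_unlock(&po->pg_vec_lock);
}

/* Sentinel returned where the unfixed kernel would dereference pg_vec == NULL
 * (the GPF in packet_lookup_frame() from the syzbot report). */
#define TOY_WOULD_CRASH (-EFAULT)

/* tpacket_snd() before the fix: takes pg_vec_lock but trusts the caller's
 * lockless check and goes straight to the frame lookup. */
int toy_tpacket_snd_unfixed(struct toy_sock *po) {
    int err;
    pthread_mutex_lock(&po->pg_vec_lock);
    err = po->tx_pg_vec ? 0 : TOY_WOULD_CRASH;   /* frame lookup would deref here */
    pthread_mutex_unlock(&po->pg_vec_lock);
    return err;
}

/* tpacket_snd() after the fix: the same check repeated under pg_vec_lock, so a
 * teardown that raced in between is observed instead of dereferenced. */
int toy_tpacket_snd_fixed(struct toy_sock *po) {
    int err = 0;
    pthread_mutex_lock(&po->pg_vec_lock);
    if (!po->tx_pg_vec) {          /* the re-check the patch adds */
        err = -EBUSY;
        goto out;
    }
    /* frame lookup and transmit would go here; pg_vec is stable until unlock */
out:
    pthread_mutex_unlock(&po->pg_vec_lock);
    return err;
}

/* packet_sendmsg() entry: the lockless check, then an optional hook standing in
 * for the other thread winning the race, then the chosen tpacket_snd() variant. */
int toy_packet_sendmsg(struct toy_sock *po, void (*race)(struct toy_sock *), int fixed) {
    if (po->tx_pg_vec) {           /* lockless read: exactly the window at issue */
        if (race)
            race(po);              /* concurrent setsockopt lands here */
        return fixed ? toy_tpacket_snd_fixed(po) : toy_tpacket_snd_unfixed(po);
    }
    return 0;                      /* no ring: ordinary packet_snd() path, not modelled */
}

/* One sendmsg on a socket with a mapped TX ring; race != 0 injects the teardown
 * into the window. Returns the error code the (un)fixed path produces. */
int toy_run(int race, int fixed) {
    struct toy_sock po = { PTHREAD_MUTEX_INITIALIZER, NULL };
    int err;
    po.tx_pg_vec = malloc(4096);   /* constructed stand-in for the frame ring */
    err = toy_packet_sendmsg(&po, race ? toy_tx_ring_teardown : NULL, fixed);
    free(po.tx_pg_vec);            /* free(NULL) is a no-op after a teardown */
    return err;
}

int main(void) {
    /* Same interleaving, two outcomes: the unfixed path reaches the NULL ring,
     * the fixed path backs off with -EBUSY. Without the race both succeed. */
    return (toy_run(1, 0) == TOY_WOULD_CRASH && toy_run(1, 1) == -EBUSY &&
            toy_run(0, 0) == 0 && toy_run(0, 1) == 0) ? 0 : 1;
}
```

The hook makes the interleaving deterministic, which is what you want when writing a regression check for a race: the lockless read in `toy_packet_sendmsg()` is allowed to stay, because it only selects a path, and the decision that matters is taken again once `pg_vec_lock` is held.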