From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, Paolo Abeni, "David S. Miller"
Subject: [PATCH 4.19 52/79] udp: fix data-race in udp_set_dev_scratch()
Date: Fri, 8 Nov 2019 19:50:32 +0100
Message-Id: <20191108174815.485316010@linuxfoundation.org>
In-Reply-To: <20191108174745.495640141@linuxfoundation.org>

From: Eric Dumazet

[ Upstream commit a793183caa9afae907a0d7ddd2ffd57329369bf5 ]

KCSAN reported a data-race in udp_set_dev_scratch() [1]

The issue here is that we must not write over skb fields
if skb is shared. A similar issue has been fixed in commit
89c22d8c3b27 ("net: Fix skb csum races when peeking")

While we are at it, use a helper only dealing with
udp_skb_scratch(skb)->csum_unnecessary, as this allows
udp_set_dev_scratch() to be called once and thus inlined.

[1]
BUG: KCSAN: data-race in udp_set_dev_scratch / udpv6_recvmsg

write to 0xffff888120278317 of 1 bytes by task 10411 on cpu 1:
 udp_set_dev_scratch+0xea/0x200 net/ipv4/udp.c:1308
 __first_packet_length+0x147/0x420 net/ipv4/udp.c:1556
 first_packet_length+0x68/0x2a0 net/ipv4/udp.c:1579
 udp_poll+0xea/0x110 net/ipv4/udp.c:2720
 sock_poll+0xed/0x250 net/socket.c:1256
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x7d0/0x1020 fs/select.c:534
 core_sys_select+0x381/0x550 fs/select.c:677
 do_pselect.constprop.0+0x11d/0x160 fs/select.c:759
 __do_sys_pselect6 fs/select.c:784 [inline]
 __se_sys_pselect6 fs/select.c:769 [inline]
 __x64_sys_pselect6+0x12e/0x170 fs/select.c:769
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

read to 0xffff888120278317 of 1 bytes by task 10413 on cpu 0:
 udp_skb_csum_unnecessary include/net/udp.h:358 [inline]
 udpv6_recvmsg+0x43e/0xe90 net/ipv6/udp.c:310
 inet6_recvmsg+0xbb/0x240 net/ipv6/af_inet6.c:592
 sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871
 ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480
 do_recvmmsg+0x19a/0x5c0 net/socket.c:2601
 __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680
 __do_sys_recvmmsg net/socket.c:2703 [inline]
 __se_sys_recvmmsg net/socket.c:2696 [inline]
 __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 10413 Comm: syz-executor.0 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: 2276f58ac589 ("udp: use a separate rx queue for packet reception")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Cc: Paolo Abeni
Reviewed-by: Paolo Abeni
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv4/udp.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1270,6 +1270,20 @@ static void udp_set_dev_scratch(struct s scratch->_tsize_state |= UDP_SKB_IS_STATELESS; } +static void udp_skb_csum_unnecessary_set(struct sk_buff *skb) +{ + /* We come here after udp_lib_checksum_complete() returned 0. + * This means that __skb_checksum_complete() might have + * set skb->csum_valid to 1. + * On 64bit platforms, we can set csum_unnecessary + * to true, but only if the skb is not shared. + */ +#if BITS_PER_LONG == 64 + if (!skb_shared(skb)) + udp_skb_scratch(skb)->csum_unnecessary = true; +#endif +} + static int udp_skb_truesize(struct sk_buff *skb) { return udp_skb_scratch(skb)->_tsize_state & ~UDP_SKB_IS_STATELESS; @@ -1504,10 +1518,7 @@ static struct sk_buff *__first_packet_le *total += skb->truesize; kfree_skb(skb); } else { - /* the csum related bits could be changed, refresh - * the scratch area - */ - udp_set_dev_scratch(skb); + udp_skb_csum_unnecessary_set(skb); break; } }
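
Review bot: In the first hunk (new udp_skb_csum_unnecessary_set() in net/ipv4/udp.c), the skb_shared() test and the store to csum_unnecessary are two separate steps, and the comment does not say what keeps the skb from becoming shared between them. The KCSAN report in the commit message shows the reader, udp_skb_csum_unnecessary() in udpv6_recvmsg(), running concurrently on another CPU, so the comment should name the lock or invariant the caller relies on for the check to stay valid. It would also help to say why the store is limited to BITS_PER_LONG == 64, since the comment states the restriction but not its reason.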
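
Review bot: In the second hunk (else branch of __first_packet_length()), the removed comment is not replaced, so the call site no longer explains why the scratch area is touched at this point. udp_set_dev_scratch() rewrote scratch state (the context line in the first hunk shows it updating _tsize_state), while the new helper only ever sets csum_unnecessary to true and does nothing for a shared skb. A one-line comment here stating that only the checksum flag is updated once udp_lib_checksum_complete() has returned 0, and that a shared skb is left untouched, would make the narrower behaviour explicit at the call site.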