Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp13337412ybl; Sun, 29 Dec 2019 09:35:44 -0800 (PST) X-Google-Smtp-Source: APXvYqyrwbBaQVsMY0En/oq/JbksWmPOlVBM9ka3WYYCG8ec0QtMKx4HtalxUJ5ZOHaSdfKXJJK2 X-Received: by 2002:a05:6830:1385:: with SMTP id d5mr39602791otq.61.1577640944409; Sun, 29 Dec 2019 09:35:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1577640944; cv=none; d=google.com; s=arc-20160816; b=dR5Lt/3YDJE90dUzc7VoGTh6GapZ5fC+eERD0gkUbkauEvRqLUOhchzOgEbtguxO35 ciLxwpFwDFJDNor5I6qnRMSjdSdCS9PzIXB676weizP7jSK2sUedFTgsdEUtv0HfdKB8 voygF3B4l0Ipz9EuU5qHp/wr6BfhqnYf9H2HVX+Iydvh01prF6Fm9lTjhPO6JEU50iku eloJSc7k2ITI4FRXmPmPYgCs2Zn9D+5hT5NPd52OemLCDlWcn60LnV0+uNcBY33F+GID o4B0TG1c3lAnzCAQDZhTIufUnpHFx4NPwOv3HQmqaCxxm32wwr94VNaljuNRtFGNRIFb YYKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=0RPSvQx7uSzE3/3yzO12Pw/+qIfDGMvXUpJ2wqy7GKk=; b=k5Qj5fAv8EGcnDVbewuttQypRSZ5YELhf9Yi/69IPmSQrxakCCnqmdQsmUF6t82vec /A3KZ0K+OA4BEwpLDCIzwR4BTlPXKNt90G29gHK02jnfbyyX/1laS/zEpD6ABiXQY3Ab C4QZ+FMWNgSiDOBx6eQO1EICr0bSauPpouZ+v1SwcMVp99/mBHdND2d/j/RLAnDZCJpT Hi0WS1Y/PLB034/DfGi3EK+AC3AArjUFYwYiog4vGuODS0zIPbRxIYmgNT+cs9uTPjB5 OzO2vN09+qL5JgR/CfvTZsEcjhDWEkG9IeMjIkXNAj7rnal5rMScL9AHfC+zQ0ZWtFWu Ct1Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=SLPfqFGj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v21si26029865otf.87.2019.12.29.09.35.34; Sun, 29 Dec 2019 09:35:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=SLPfqFGj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729625AbfL2ReV (ORCPT + 99 others); Sun, 29 Dec 2019 12:34:21 -0500 Received: from mail.kernel.org ([198.145.29.99]:37276 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728869AbfL2ReR (ORCPT ); Sun, 29 Dec 2019 12:34:17 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6B854207FD; Sun, 29 Dec 2019 17:34:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1577640856; bh=lnZntBm7+vS9ivFVCtiYcHqf82smGP4ysvQWPpzchOQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SLPfqFGjWtFdnGnZiwYcNTaI0O3450Zj2prqZDHPz8+DrnD5gLYOUr7v04vB0vzpR Jvsch4kbk71mt/MPtjkQjmxPownKFJZC1504LuWgAORZy3iT0Wo4fXi7H8kJZ99uvD rIOmMykDPoCEymjMYSGkSLXZr++XJMBGjMKbOMs4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Petar Penkov , syzbot , Eric Dumazet , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 166/219] tun: fix data-race in gro_normal_list() Date: Sun, 29 Dec 2019 18:19:28 +0100 Message-Id: <20191229162533.836350462@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20191229162508.458551679@linuxfoundation.org> References: <20191229162508.458551679@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Petar Penkov [ Upstream commit c39e342a050a4425348e6fe7f75827c0a1a7ebc5 ] There is a race in the TUN driver between napi_busy_loop and napi_gro_frags. This commit resolves the race by adding the NAPI struct via netif_tx_napi_add, instead of netif_napi_add, which disables polling for the NAPI struct. KCSAN reported: BUG: KCSAN: data-race in gro_normal_list.part.0 / napi_busy_loop write to 0xffff8880b5d474b0 of 4 bytes by task 11205 on cpu 0: gro_normal_list.part.0+0x77/0xb0 net/core/dev.c:5682 gro_normal_list net/core/dev.c:5678 [inline] gro_normal_one net/core/dev.c:5692 [inline] napi_frags_finish net/core/dev.c:5705 [inline] napi_gro_frags+0x625/0x770 net/core/dev.c:5778 tun_get_user+0x2150/0x26a0 drivers/net/tun.c:1976 tun_chr_write_iter+0x79/0xd0 drivers/net/tun.c:2022 call_write_iter include/linux/fs.h:1895 [inline] do_iter_readv_writev+0x487/0x5b0 fs/read_write.c:693 do_iter_write fs/read_write.c:970 [inline] do_iter_write+0x13b/0x3c0 fs/read_write.c:951 vfs_writev+0x118/0x1c0 fs/read_write.c:1015 do_writev+0xe3/0x250 fs/read_write.c:1058 __do_sys_writev fs/read_write.c:1131 [inline] __se_sys_writev fs/read_write.c:1128 [inline] __x64_sys_writev+0x4e/0x60 fs/read_write.c:1128 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 read to 0xffff8880b5d474b0 of 4 bytes by task 11168 on cpu 1: gro_normal_list net/core/dev.c:5678 [inline] napi_busy_loop+0xda/0x4f0 net/core/dev.c:6126 sk_busy_loop include/net/busy_poll.h:108 [inline] __skb_recv_udp+0x4ad/0x560 net/ipv4/udp.c:1689 udpv6_recvmsg+0x29e/0xe90 net/ipv6/udp.c:288 inet6_recvmsg+0xbb/0x240 net/ipv6/af_inet6.c:592 sock_recvmsg_nosec net/socket.c:871 [inline] sock_recvmsg net/socket.c:889 [inline] sock_recvmsg+0x92/0xb0 net/socket.c:885 sock_read_iter+0x15f/0x1e0 net/socket.c:967 call_read_iter include/linux/fs.h:1889 [inline] new_sync_read+0x389/0x4f0 fs/read_write.c:414 __vfs_read+0xb1/0xc0 fs/read_write.c:427 vfs_read fs/read_write.c:461 [inline] vfs_read+0x143/0x2c0 fs/read_write.c:446 ksys_read+0xd5/0x1b0 fs/read_write.c:587 __do_sys_read fs/read_write.c:597 [inline] __se_sys_read fs/read_write.c:595 [inline] __x64_sys_read+0x4c/0x60 fs/read_write.c:595 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 11168 Comm: syz-executor.0 Not tainted 5.4.0-rc6+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 943170998b20 ("tun: enable NAPI for TUN/TAP driver") Signed-off-by: Petar Penkov Reported-by: syzbot Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/tun.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index e1ac1c57089f..bbd92221c6ca 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -319,8 +319,8 @@ static void tun_napi_init(struct tun_struct *tun, struct tun_file *tfile, tfile->napi_enabled = napi_en; tfile->napi_frags_enabled = napi_en && napi_frags; if (napi_en) { - netif_napi_add(tun->dev, &tfile->napi, tun_napi_poll, - NAPI_POLL_WEIGHT); + netif_tx_napi_add(tun->dev, &tfile->napi, tun_napi_poll, + NAPI_POLL_WEIGHT); napi_enable(&tfile->napi); } } -- 2.20.1