From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, "David S. Miller"
Subject: [PATCH 4.19 086/114] inetpeer: fix data-race in inet_putpeer / inet_putpeer
Date: Thu, 2 Jan 2020 23:07:38 +0100
Message-Id: <20200102220037.855963462@linuxfoundation.org>
In-Reply-To: <20200102220029.183913184@linuxfoundation.org>
References: <20200102220029.183913184@linuxfoundation.org>

From: Eric Dumazet

commit 71685eb4ce80ae9c49eff82ca4dd15acab215de9 upstream.

We need to explicitly forbid read/store tearing in inet_peer_gc()
and inet_putpeer().

The following syzbot report reminds us about inet_putpeer()
running without a lock held.

BUG: KCSAN: data-race in inet_putpeer / inet_putpeer

write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 0:
 inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
 ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
 inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
 rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
 rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0xbb/0xe0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
 arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
 default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x1af/0x280 kernel/sched/idle.c:263

write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 1:
 inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
 ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
 inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
 rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
 rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
 smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 16 Comm:
ksoftirqd/1 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 4b9d9be839fd ("inetpeer: remove unused list") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/inetpeer.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- a/net/ipv4/inetpeer.c +++ b/net/ipv4/inetpeer.c @@ -160,7 +160,12 @@ static void inet_peer_gc(struct inet_pee base->total / inet_peer_threshold * HZ; for (i = 0; i < gc_cnt; i++) { p = gc_stack[i]; - delta = (__u32)jiffies - p->dtime; + + /* The READ_ONCE() pairs with the WRITE_ONCE() + * in inet_putpeer() + */ + delta = (__u32)jiffies - READ_ONCE(p->dtime); + if (delta < ttl || !refcount_dec_if_one(&p->refcnt)) gc_stack[i] = NULL; } @@ -237,7 +242,10 @@ EXPORT_SYMBOL_GPL(inet_getpeer); void inet_putpeer(struct inet_peer *p) { - p->dtime = (__u32)jiffies; + /* The WRITE_ONCE() pairs with itself (we run lockless) + * and the READ_ONCE() in inet_peer_gc() + */ + WRITE_ONCE(p->dtime, (__u32)jiffies); if (refcount_dec_and_test(&p->refcnt)) call_rcu(&p->rcu, inetpeer_free_rcu);
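
Review bot: In the first hunk (inet_peer_gc()), the new comment names the pairing but not what it guarantees. READ_ONCE(p->dtime) only keeps the 4-byte load from being torn or refetched; it does not order that load against the refcount_dec_if_one(&p->refcnt) test on the following line. Suggest the comment say so, and that dropping the entry still depends on that refcount test, so a later reader does not take the annotation for a synchronisation point.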
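
Review bot: In the second hunk (inet_putpeer()), "pairs with itself" is hard to read without the KCSAN report at hand. The report shows two inet_putpeer() callers on different CPUs storing p->dtime concurrently, so the comment could say that directly, for example "concurrent inet_putpeer() callers may store dtime at the same time; WRITE_ONCE() keeps each store untorn". It is also worth stating there that the store comes before refcount_dec_and_test(&p->refcnt), so the caller still holds its reference when dtime is written.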