Date: Fri, 26 May 2023 19:57:47 +0300
Subject: Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect
To: Eric Dumazet
Cc: Willem de Bruijn, "David S. Miller", David Ahern, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
References: <20230526150806.1457828-1-VEfanov@ispras.ru>
From: Vlad Efanov

Yes. There is no lock for these lines and my patch does not break this logic. I suggested setting the lock only for lines 1566-1571 (the ip6_sk_dst_lookup_flow() call).

Best regards,
Vlad.

On 26.05.2023 19:46, Eric Dumazet wrote:
> On Fri, May 26, 2023 at 6:09 PM Vlad Efanov wrote:
>> Eric,
>>
>> udp6_sendmsg() currently still locks the socket (on line 1595).
>>
> Not really, look more closely at lines 1580 -> 1594
>
>> Best regards,
>>
>> Vlad.
>>
>> On 26.05.2023 18:29, Eric Dumazet wrote:
>>> On Fri, May 26, 2023 at 5:08 PM Vladislav Efanov wrote:
>>>> Syzkaller got the following report:
>>>> BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018
>>>> Read of size 8 at addr ffff888027f82780 by task syz-executor276/3255
>>> Please include a full report.
>>>
>>>> The function sk_setup_caps (called by ip6_sk_dst_store_flow->
>>>> ip6_dst_store) referenced already freed memory as this memory was
>>>> freed by parallel task in udpv6_sendmsg->ip6_sk_dst_lookup_flow->
>>>> sk_dst_check.
>>>>
>>>> task1 (connect)              task2 (udp6_sendmsg)
>>>> sk_setup_caps->sk_dst_set    |
>>>>                              | sk_dst_check->
>>>>                              |   sk_dst_set
>>>>                              |   dst_release
>>>> sk_setup_caps references     |
>>>> to already freed dst_entry   |
>>>>
>>>> The reason for this race condition is: udp6_sendmsg() calls
>>>> ip6_sk_dst_lookup() without lock for sock structure and tries to
>>>> allocate/add dst_entry structure to sock structure in parallel with
>>>> "connect" task.
>>>>
>>>> Found by Linux Verification Center (linuxtesting.org) with syzkaller.
>>>>
>>>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>>> This is a bogus Fixes: tag
>>>
>>> In old times, UDP sendmsg() was using the socket lock.
>>>
>>> Then, in linux-4.0 Vlad Yasevich made UDP v6 sendmsg() lockless (and
>>> racy in many points)
>>>
>>>
>>>> Signed-off-by: Vladislav Efanov
>>>> ---
>>>>  net/ipv6/udp.c | 3 +++
>>>>  1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
>>>> index e5a337e6b970..a5ecd5d93b0a 100644
>>>> --- a/net/ipv6/udp.c
>>>> +++ b/net/ipv6/udp.c
>>>> @@ -1563,12 +1563,15 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
>>>>
>>>>  	fl6->flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6->flowlabel);
>>>>
>>>> +	lock_sock(sk);
>>>>  	dst = ip6_sk_dst_lookup_flow(sk, fl6, final_p, connected);
>>>>  	if (IS_ERR(dst)) {
>>>>  		err = PTR_ERR(dst);
>>>>  		dst = NULL;
>>>> +		release_sock(sk);
>>>>  		goto out;
>>>>  	}
>>>> +	release_sock(sk);
>>>>
>>>>  	if (ipc6.hlimit < 0)
>>>>  		ipc6.hlimit = ip6_sk_dst_hoplimit(np, fl6, dst);
>>>> --
>>>> 2.34.1
>>>>
>>> There must be another way really.
>>> You just killed UDP performance.
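Review bot: the lock_sock(sk)/release_sock(sk) pair around ip6_sk_dst_lookup_flow() in the udpv6_sendmsg() hunk puts the socket lock back on a send path that the reply describes as deliberately lockless since linux-4.0, so every UDPv6 sendmsg() now contends on it; the commit message locates the use-after-free at the sk_dst_set()/dst_release() swap done under sk_dst_check() racing with sk_setup_caps() in connect, so a synchronization scoped to that dst pointer exchange would address the race without serializing the whole lookup. Within the hunk itself, the two release_sock(sk) calls can collapse into one placed right after `dst = ip6_sk_dst_lookup_flow(sk, fl6, final_p, connected);` and before `if (IS_ERR(dst)) {`, since nothing in the error branch needs the lock. Separately, `Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")` points at the initial import rather than the change that made the path lockless, as the reply also notes, and the KASAN report should be included in full rather than as two lines.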