linux/net/sctp
Eric Dumazet f866fbc842 ipv4: fix data-races around inet->inet_id
UDP sendmsg() is lockless, so ip_select_ident_segs()
can very well be run from multiple cpus [1]

Convert inet->inet_id to an atomic_t, but implement
a dedicated path for TCP, avoiding cost of a locked
instruction (atomic_add_return())

Note that this patch will cause a trivial merge conflict
because we added inet->flags in net-next tree.

v2: added missing change in
drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
(David Ahern)

[1]

BUG: KCSAN: data-race in __ip_make_skb / __ip_make_skb

read-write to 0xffff888145af952a of 2 bytes by task 7803 on cpu 1:
ip_select_ident_segs include/net/ip.h:542 [inline]
ip_select_ident include/net/ip.h:556 [inline]
__ip_make_skb+0x844/0xc70 net/ipv4/ip_output.c:1446
ip_make_skb+0x233/0x2c0 net/ipv4/ip_output.c:1560
udp_sendmsg+0x1199/0x1250 net/ipv4/udp.c:1260
inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:830
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg net/socket.c:748 [inline]
____sys_sendmsg+0x37c/0x4d0 net/socket.c:2494
___sys_sendmsg net/socket.c:2548 [inline]
__sys_sendmmsg+0x269/0x500 net/socket.c:2634
__do_sys_sendmmsg net/socket.c:2663 [inline]
__se_sys_sendmmsg net/socket.c:2660 [inline]
__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2660
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff888145af952a of 2 bytes by task 7804 on cpu 0:
ip_select_ident_segs include/net/ip.h:541 [inline]
ip_select_ident include/net/ip.h:556 [inline]
__ip_make_skb+0x817/0xc70 net/ipv4/ip_output.c:1446
ip_make_skb+0x233/0x2c0 net/ipv4/ip_output.c:1560
udp_sendmsg+0x1199/0x1250 net/ipv4/udp.c:1260
inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:830
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg net/socket.c:748 [inline]
____sys_sendmsg+0x37c/0x4d0 net/socket.c:2494
___sys_sendmsg net/socket.c:2548 [inline]
__sys_sendmmsg+0x269/0x500 net/socket.c:2634
__do_sys_sendmmsg net/socket.c:2663 [inline]
__se_sys_sendmmsg net/socket.c:2660 [inline]
__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2660
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x184d -> 0x184e

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 7804 Comm: syz-executor.1 Not tainted 6.5.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
==================================================================

Fixes: 23f57406b8 ("ipv4: avoid using shared IP generator for connected sockets")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-08-20 11:40:49 +01:00
..
associola.c sctp: delete the nested flexible array peer_init 2023-04-21 08:19:30 +01:00
auth.c sctp: delete the nested flexible array hmac 2023-04-21 08:19:30 +01:00
bind_addr.c sctp: fail if no bound addresses can be used for a given scope 2023-01-24 18:32:33 -08:00
chunk.c
debug.c
diag.c sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list 2023-02-10 19:28:29 -08:00
endpointola.c sctp: add dif and sdif check in asoc and ep lookup 2022-11-18 11:42:54 +00:00
input.c sctp: delete the nested flexible array params 2023-04-21 08:19:29 +01:00
inqueue.c
ipv6.c net: annotate lockless accesses to sk->sk_err_soft 2023-03-17 08:25:05 +00:00
Kconfig
Makefile sctp: add fair capacity stream scheduler 2023-03-09 11:31:44 +01:00
objcnt.c
offload.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
output.c
outqueue.c sctp: delete the nested flexible array variable 2023-04-21 08:19:29 +01:00
primitive.c
proc.c
protocol.c sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
sm_make_chunk.c sctp: delete the nested flexible array peer_init 2023-04-21 08:19:30 +01:00
sm_sideeffect.c sctp: handle invalid error codes without calling BUG() 2023-06-12 09:36:27 +01:00
sm_statefuns.c sctp: fix an error code in sctp_sf_eat_auth() 2023-06-12 09:36:27 +01:00
sm_statetable.c
socket.c ipv4: fix data-races around inet->inet_id 2023-08-20 11:40:49 +01:00
stream_interleave.c sctp: delete the nested flexible array skip 2023-04-21 08:19:29 +01:00
stream_sched_fc.c sctp: add weighted fair queueing stream scheduler 2023-03-09 11:31:44 +01:00
stream_sched_prio.c sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop 2023-02-23 12:59:40 -08:00
stream_sched_rr.c sctp: delete free member from struct sctp_sched_ops 2022-12-01 20:14:23 -08:00
stream_sched.c sctp: fix a potential OOB access in sctp_sched_set_sched() 2023-05-10 12:10:15 +01:00
stream.c sctp: delete the nested flexible array params 2023-04-21 08:19:29 +01:00
sysctl.c sctp: sysctl: make extra pointers netns aware 2022-12-12 12:57:29 -08:00
transport.c sctp: fix an issue that plpmtu can never go to complete state 2023-05-22 11:05:20 +01:00
tsnmap.c
ulpevent.c
ulpqueue.c sctp: remove unnecessary NULL check in sctp_ulpq_tail_event() 2022-10-20 21:43:10 -07:00