iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Kuniyuki Iwashima 610fd07c13 af_unix: Fix a data race of sk->sk_receive_queue->qlen. 
[ Upstream commit 679ed006d416ea0cecfe24a99d365d1dea69c683 ]

KCSAN found a data race of sk->sk_receive_queue->qlen where recvmsg()
updates qlen under the queue lock and sendmsg() checks qlen under
unix_state_sock(), not the queue lock, so the reader side needs
READ_ONCE().

BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_wait_for_peer

write (marked) to 0xffff888019fe7c68 of 4 bytes by task 49792 on cpu 0:
 __skb_unlink include/linux/skbuff.h:2347 [inline]
 __skb_try_recv_from_queue+0x3de/0x470 net/core/datagram.c:197
 __skb_try_recv_datagram+0xf7/0x390 net/core/datagram.c:263
 __unix_dgram_recvmsg+0x109/0x8a0 net/unix/af_unix.c:2452
 unix_dgram_recvmsg+0x94/0xa0 net/unix/af_unix.c:2549
 sock_recvmsg_nosec net/socket.c:1019 [inline]
 ____sys_recvmsg+0x3a3/0x3b0 net/socket.c:2720
 ___sys_recvmsg+0xc8/0x150 net/socket.c:2764
 do_recvmmsg+0x182/0x560 net/socket.c:2858
 __sys_recvmmsg net/socket.c:2937 [inline]
 __do_sys_recvmmsg net/socket.c:2960 [inline]
 __se_sys_recvmmsg net/socket.c:2953 [inline]
 __x64_sys_recvmmsg+0x153/0x170 net/socket.c:2953
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

read to 0xffff888019fe7c68 of 4 bytes by task 49793 on cpu 1:
 skb_queue_len include/linux/skbuff.h:2127 [inline]
 unix_recvq_full net/unix/af_unix.c:229 [inline]
 unix_wait_for_peer+0x154/0x1a0 net/unix/af_unix.c:1445
 unix_dgram_sendmsg+0x13bc/0x14b0 net/unix/af_unix.c:2048
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg+0x148/0x160 net/socket.c:747
 ____sys_sendmsg+0x20e/0x620 net/socket.c:2503
 ___sys_sendmsg+0xc6/0x140 net/socket.c:2557
 __sys_sendmmsg+0x11d/0x370 net/socket.c:2643
 __do_sys_sendmmsg net/socket.c:2672 [inline]
 __se_sys_sendmmsg net/socket.c:2669 [inline]
 __x64_sys_sendmmsg+0x58/0x70 net/socket.c:2669
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

value changed: 0x0000000b -> 0x00000001

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 49793 Comm: syz-executor.0 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-05-24 17:36:42 +01:00
..
6lowpan
9p
9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition
2023-04-20 12:13:53 +02:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2022-12-31 13:14:42 +01:00
8021q
vlan: partially enable SIOCSHWTSTAMP in container
2023-05-11 23:00:26 +09:00
appletalk
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-29 10:12:55 +02:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:22:01 +02:00
batman-adv
batman-adv: Use netif_rx_any_context() any.
2022-07-29 17:25:07 +02:00
bluetooth
bluetooth: Perform careful capability checks in hci_sock_ioctl()
2023-05-01 08:23:23 +09:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2022-12-31 13:14:11 +01:00
bpfilter
bridge
net: add vlan_get_protocol_and_depth() helper
2023-05-24 17:36:42 +01:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:48:54 +01:00
can
can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events
2023-04-13 16:48:25 +02:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:57:28 +02:00
core
net: datagram: fix data-races in datagram_poll()
2023-05-24 17:36:42 +01:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:12:52 +01:00
dccp
dccp: Call inet6_destroy_sock() via sk->sk_destruct().
2023-04-26 13:51:54 +02:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-03 12:03:51 +02:00
dns_resolver
dsa
net: dsa: tag_brcm: legacy: fix daisy-chained switches
2023-03-30 12:47:48 +02:00
ethernet
move netdev_boot_setup into Space.c
2021-08-03 13:05:26 +01:00
ethtool
ethtool: Fix uninitialized number of lanes
2023-05-17 11:50:18 +02:00
hsr
hsr: ratelimit only when errors are printed
2023-04-05 11:25:02 +02:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:59:14 +09:00
ife
ipv4
tcp: add annotations around sk->sk_shutdown accesses
2023-05-24 17:36:42 +01:00
ipv6
sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()
2023-05-17 11:50:16 +02:00
iucv
net/iucv: Fix size of interrupt data
2023-03-22 13:31:28 +01:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-26 09:24:50 +01:00
key
xfrm: Fix oops in __xfrm_state_delete()
2022-12-02 17:41:06 +01:00
l2tp
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
2023-04-26 13:51:54 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 14:38:53 +02:00
lapb
llc
net: deal with most data-races in sk_wait_event()
2023-05-24 17:36:42 +01:00
mac80211
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
2023-04-13 16:48:17 +02:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:37:25 +01:00
mctp
net: mctp: purge receive queues on sk destruction
2023-02-06 07:59:02 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:57:09 +01:00
mptcp
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
2023-04-26 13:51:54 +02:00
ncsi
net/ncsi: clear Tx enable mode when handling a Config required AEN
2023-05-17 11:50:16 +02:00
netfilter
netfilter: conntrack: fix possible bug_on with enable_hooks=1
2023-05-24 17:36:41 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 20:59:10 +02:00
netlink
netlink: annotate accesses to nlk->cb_running
2023-05-24 17:36:42 +01:00
netrom
netrom: Fix use-after-free caused by accept on already connected socket
2023-02-09 11:26:36 +01:00
nfc
nfc: change order inside nfc_se_io error path
2023-03-17 08:48:49 +01:00
nsh
openvswitch
net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()
2023-02-22 12:57:09 +01:00
packet
net: add vlan_get_protocol_and_depth() helper
2023-05-24 17:36:42 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:35:16 +01:00
psample
qrtr
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
2023-04-20 12:13:53 +02:00
rds
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
2023-03-10 09:39:16 +01:00
rfkill
rfkill: make new event layout opt-in
2022-04-08 14:23:00 +02:00
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:57:02 +01:00
rxrpc
rxrpc: Fix hard call timeout units
2023-05-17 11:50:17 +02:00
sched
net/sched: act_mirred: Add carrier check
2023-05-17 11:50:17 +02:00
sctp
sctp: Call inet6_destroy_sock() via sk->sk_destruct().
2023-04-26 13:51:54 +02:00
smc
net: deal with most data-races in sk_wait_event()
2023-05-24 17:36:42 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 19:17:11 +01:00
sunrpc
SUNRPC: remove the maximum number of retries in call_bind_status
2023-05-11 23:00:37 +09:00
switchdev
net: make switchdev_bridge_port_{,unoffload} loosely coupled with the bridge
2021-08-04 12:35:07 +01:00
tipc
net: deal with most data-races in sk_wait_event()
2023-05-24 17:36:42 +01:00
tls
net: deal with most data-races in sk_wait_event()
2023-05-24 17:36:42 +01:00
unix
af_unix: Fix a data race of sk->sk_receive_queue->qlen.
2023-05-24 17:36:42 +01:00
vmw_vsock
net: vmw_vsock: vmci: Check memcpy_from_msg()
2022-12-31 13:14:18 +01:00
wireless
wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-13 10:20:37 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-09 11:26:40 +01:00
xdp
xsk: Fix unaligned descriptor validation
2023-05-11 23:00:27 +09:00
xfrm
xfrm: Zero padding when dumping algos and encap
2023-04-05 11:24:52 +02:00
compat.c
devres.c
Kconfig
Makefile
socket.c
net: annotate sk->sk_err write from do_recvmmsg()
2023-05-24 17:36:42 +01:00
sysctl_net.c