linux/net/ipv6
Wang Liang 073d89808c net: fix data-races around sk->sk_forward_alloc
Syzkaller reported this warning:
 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0
 Modules linked in:
 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
 RIP: 0010:inet_sock_destruct+0x1c5/0x1e0
 Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00
 RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206
 RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007
 RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00
 RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007
 R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00
 R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78
 FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  ? __warn+0x88/0x130
  ? inet_sock_destruct+0x1c5/0x1e0
  ? report_bug+0x18e/0x1a0
  ? handle_bug+0x53/0x90
  ? exc_invalid_op+0x18/0x70
  ? asm_exc_invalid_op+0x1a/0x20
  ? inet_sock_destruct+0x1c5/0x1e0
  __sk_destruct+0x2a/0x200
  rcu_do_batch+0x1aa/0x530
  ? rcu_do_batch+0x13b/0x530
  rcu_core+0x159/0x2f0
  handle_softirqs+0xd3/0x2b0
  ? __pfx_smpboot_thread_fn+0x10/0x10
  run_ksoftirqd+0x25/0x30
  smpboot_thread_fn+0xdd/0x1d0
  kthread+0xd3/0x100
  ? __pfx_kthread+0x10/0x10
  ret_from_fork+0x34/0x50
  ? __pfx_kthread+0x10/0x10
  ret_from_fork_asm+0x1a/0x30
  </TASK>
 ---[ end trace 0000000000000000 ]---

Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()
concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked,
which triggers a data-race around sk->sk_forward_alloc:
tcp_v6_rcv
    tcp_v6_do_rcv
        skb_clone_and_charge_r
            sk_rmem_schedule
                __sk_mem_schedule
                    sk_forward_alloc_add()
            skb_set_owner_r
                sk_mem_charge
                    sk_forward_alloc_add()
        __kfree_skb
            skb_release_all
                skb_release_head_state
                    sock_rfree
                        sk_mem_uncharge
                            sk_forward_alloc_add()
                            sk_mem_reclaim
                                // set local var reclaimable
                                __sk_mem_reclaim
                                    sk_forward_alloc_add()

In this syzkaller testcase, two threads call
tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like
this:
 (cpu 1)             | (cpu 2)             | sk_forward_alloc
 ...                 | ...                 | 0
 __sk_mem_schedule() |                     | +4096 = 4096
                     | __sk_mem_schedule() | +4096 = 8192
 sk_mem_charge()     |                     | -768  = 7424
                     | sk_mem_charge()     | -768  = 6656
 ...                 |    ...              |
 sk_mem_uncharge()   |                     | +768  = 7424
 reclaimable=7424    |                     |
                     | sk_mem_uncharge()   | +768  = 8192
                     | reclaimable=8192    |
 __sk_mem_reclaim()  |                     | -4096 = 4096
                     | __sk_mem_reclaim()  | -8192 = -4096 != 0

The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when
sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().
Fix the same issue in dccp_v6_do_rcv().

Suggested-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Fixes: e994b2f0fb ("tcp: do not lock listener to process SYN packets")
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Link: https://patch.msgid.link/20241107023405.889239-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-11-11 15:29:33 -08:00
..
ila ila: call nf_unregister_net_hooks() sooner 2024-09-05 14:57:12 -07:00
netfilter netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() 2024-10-30 13:17:36 +01:00
addrconf_core.c ipv6: Ensure natural alignment of const ipv6 loopback and router addresses 2024-01-30 12:43:18 +01:00
addrconf.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
addrlabel.c ipv6: remove RTNL protection from ip6addrlbl_dump() 2024-04-08 11:01:05 +01:00
af_inet6.c tcp: add SO_PEEK_OFF socket option tor TCPv6 2024-08-29 13:00:36 -07:00
ah6.c net: fill in MODULE_DESCRIPTION()s for ipv6 modules 2024-02-09 14:12:01 -08:00
anycast.c ipv6: anycast: use call_rcu_hurry() in aca_put() 2024-05-01 11:46:21 +01:00
calipso.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
datagram.c ipv6: annotate data-races around np->ucast_oif 2023-12-11 10:59:17 +00:00
esp6_offload.c xfrm: Log input direction mismatch error in one place 2024-06-17 13:53:19 +02:00
esp6.c net: support non paged skb frags 2024-09-11 20:44:31 -07:00
exthdrs_core.c
exthdrs_offload.c net: gso: add HBH extension header offload support 2024-01-05 08:11:49 -08:00
exthdrs.c net: ipv6: exthdrs: get rid of ipv6_skb_net() 2024-03-11 15:15:08 -07:00
fib6_notifier.c
fib6_rules.c ipv6: fib_rules: Add DSCP selector support 2024-09-13 21:15:45 -07:00
fou6.c
icmp.c icmp: move icmp_global.credit and icmp_global.stamp to per netns storage 2024-08-30 11:14:06 -07:00
inet6_connection_sock.c
inet6_hashtables.c inet6: constify 'struct net' parameter of various lookup helpers 2024-08-05 16:27:26 -07:00
ioam6_iptunnel.c ioam6: improve checks on user data 2024-09-03 11:38:32 -07:00
ioam6.c ipv6/addrconf: annotate data-races around devconf fields (II) 2024-03-01 08:42:33 +00:00
ip6_checksum.c
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-06-20 13:49:59 -07:00
ip6_flowlabel.c
ip6_gre.c netdev_features: convert NETIF_F_NETNS_LOCAL to dev->netns_local 2024-09-03 11:36:43 +02:00
ip6_icmp.c
ip6_input.c net/ipv6: make use of the helper macro LIST_HEAD() 2024-09-06 18:10:21 -07:00
ip6_offload.c net: gro: initialize network_offset in network layer 2024-05-27 16:46:59 -07:00
ip6_offload.h
ip6_output.c ipv6: prevent possible UAF in ip6_xmit() 2024-08-21 17:35:49 -07:00
ip6_tunnel.c ip6_tunnel: Unmask upper DSCP bits in ip4ip6_err() 2024-09-04 16:57:11 -07:00
ip6_udp_tunnel.c net: fill in MODULE_DESCRIPTION()s for ipv6 modules 2024-02-09 14:12:01 -08:00
ip6_vti.c net: annotate writes on dev->mtu from ndo_change_mtu() 2024-05-07 16:19:14 -07:00
ip6mr.c netdev_features: convert NETIF_F_NETNS_LOCAL to dev->netns_local 2024-09-03 11:36:43 +02:00
ipcomp6.c
ipv6_sockglue.c ipv6: avoid indirect calls for SOL_IP socket options 2024-08-26 14:53:50 -07:00
Kconfig net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL 2024-09-22 19:52:07 +01:00
Makefile
mcast_snoop.c
mcast.c ipv6: mcast: use min() to simplify the code 2024-08-26 09:48:53 -07:00
mip6.c net: fill in MODULE_DESCRIPTION()s for ipv6 modules 2024-02-09 14:12:01 -08:00
ndisc.c net/ipv6: replace deprecated strcpy with strscpy 2024-08-29 12:33:07 -07:00
netfilter.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-06-13 13:13:46 -07:00
output_core.c ipv6: annotate data-races around cnf.hop_limit 2024-03-01 08:42:31 +00:00
ping.c ipv6: introduce dst_rt6_info() helper 2024-04-29 13:32:01 +01:00
proc.c minmax: add a few more MIN_T/MAX_T users 2024-07-28 13:41:14 -07:00
protocol.c
raw.c net: raw: use sk_skb_reason_drop to free rx packets 2024-06-19 12:44:22 +01:00
reassembly.c net: Rename mono_delivery_time to tstamp_type for scalabilty 2024-05-23 14:14:23 -07:00
route.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-09-15 09:13:19 -07:00
rpl_iptunnel.c net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input 2024-09-13 19:55:49 -07:00
rpl.c
seg6_hmac.c ipv6: sr: fix memleak in seg6_hmac_init_algo 2024-05-21 13:16:25 +02:00
seg6_iptunnel.c ipv6: sr: block BH in seg6_output_core() and seg6_input_core() 2024-06-03 18:50:08 -07:00
seg6_local.c seg6: Use nested-BH locking for seg6_bpf_srh_states. 2024-06-24 16:41:23 -07:00
seg6.c ipv6: sr: restruct ifdefines 2024-05-30 18:29:38 -07:00
sit.c ipv6: sit: Unmask upper DSCP bits in ipip6_tunnel_bind_dev() 2024-09-04 16:57:11 -07:00
syncookies.c tcp: use sk_skb_reason_drop to free rx packets 2024-06-19 12:44:22 +01:00
sysctl_net_ipv6.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
tcp_ao.c
tcp_ipv6.c net: fix data-races around sk->sk_forward_alloc 2024-11-11 15:29:33 -08:00
tcpv6_offload.c net: gso: fix tcp fraglist segmentation after pull from frag_list 2024-10-02 17:21:47 -07:00
tunnel6.c net: fill in MODULE_DESCRIPTION()s for ipv6 modules 2024-02-09 14:12:01 -08:00
udp_impl.h
udp_offload.c net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb 2024-05-02 11:02:48 +02:00
udp.c udp: Compute L4 checksum as usual when not segmenting the skb 2024-10-15 18:12:33 -07:00
udplite.c
xfrm6_input.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-05-09 10:01:01 -07:00
xfrm6_output.c
xfrm6_policy.c xfrm: respect ip protocols rules criteria when performing dst lookups 2024-09-23 07:02:07 +02:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c ipsec-next-2024-03-06 2024-03-08 10:56:05 +00:00