leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

af_packet: fix tracking issues in packet_do_bind()

Browse Source 
It appears that my changes in packet_do_bind() were
slightly wrong.

syzbot found that calling bind() twice would trigger
a false positive.

Remove proto_curr/dev_curr variables and rewrite things
to be less confusing (like not having to use netdev_tracker_alloc(),
and instead use the standard dev_hold_track())

Fixes: f1d9268e06 ("net: add net device refcount tracker to struct packet_type")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20220107183953.3886647-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Eric Dumazet 2022-01-07 10:39:53 -08:00 committed by Jakub Kicinski
parent d8caa2ed47
commit bf44077c1b
1 changed files with 8 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
net/packet/af_packet.c
View File

@ -3162,12 +3162,10 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
__be16 proto) __be16 proto)
{ {
struct packet_sock *po = pkt_sk(sk); struct packet_sock *po = pkt_sk(sk);
struct net_device *dev_curr;
__be16 proto_curr;
bool need_rehook;
struct net_device *dev = NULL; struct net_device *dev = NULL;
int ret = 0;
bool unlisted = false; bool unlisted = false;
bool need_rehook;
int ret = 0;
lock_sock(sk); lock_sock(sk);
spin_lock(&po->bind_lock); spin_lock(&po->bind_lock);
@ -3192,14 +3190,10 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
} }
} }
dev_hold(dev); need_rehook = po->prot_hook.type != proto || po->prot_hook.dev != dev;
proto_curr = po->prot_hook.type;
dev_curr = po->prot_hook.dev;
need_rehook = proto_curr != proto || dev_curr != dev;
if (need_rehook) { if (need_rehook) {
dev_hold(dev);
if (po->running) { if (po->running) {
rcu_read_unlock(); rcu_read_unlock();
/* prevents packet_notifier() from calling /* prevents packet_notifier() from calling
@ -3208,7 +3202,6 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
WRITE_ONCE(po->num, 0); WRITE_ONCE(po->num, 0);
__unregister_prot_hook(sk, true); __unregister_prot_hook(sk, true);
rcu_read_lock(); rcu_read_lock();
dev_curr = po->prot_hook.dev;
if (dev) if (dev)
unlisted = !dev_get_by_index_rcu(sock_net(sk), unlisted = !dev_get_by_index_rcu(sock_net(sk),
dev->ifindex); dev->ifindex);
@ -3218,25 +3211,21 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
WRITE_ONCE(po->num, proto); WRITE_ONCE(po->num, proto);
po->prot_hook.type = proto; po->prot_hook.type = proto;
dev_put_track(dev_curr, &po->prot_hook.dev_tracker); dev_put_track(po->prot_hook.dev, &po->prot_hook.dev_tracker);
dev_curr = NULL;
if (unlikely(unlisted)) { if (unlikely(unlisted)) {
dev_put(dev);
po->prot_hook.dev = NULL; po->prot_hook.dev = NULL;
WRITE_ONCE(po->ifindex, -1); WRITE_ONCE(po->ifindex, -1);
packet_cached_dev_reset(po); packet_cached_dev_reset(po);
} else { } else {
if (dev) dev_hold_track(dev, &po->prot_hook.dev_tracker,
netdev_tracker_alloc(dev, GFP_ATOMIC);
&po->prot_hook.dev_tracker,
GFP_ATOMIC);
po->prot_hook.dev = dev; po->prot_hook.dev = dev;
WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0); WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0);
packet_cached_dev_assign(po, dev); packet_cached_dev_assign(po, dev);
} }
dev_put(dev);
} }
dev_put_track(dev_curr, &po->prot_hook.dev_tracker);
if (proto == 0 || !need_rehook) if (proto == 0 || !need_rehook)
goto out_unlock; goto out_unlock;