github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-17 02:56:31 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
fe018cf2a1
linux/include/net
History
Peilin Ye 84ad0af0bc net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting 
mini_Qdisc_pair::p_miniq is a double pointer to mini_Qdisc, initialized
in ingress_init() to point to net_device::miniq_ingress.  ingress Qdiscs
access this per-net_device pointer in mini_qdisc_pair_swap().  Similar
for clsact Qdiscs and miniq_egress.

Unfortunately, after introducing RTNL-unlocked RTM_{NEW,DEL,GET}TFILTER
requests (thanks Hillf Danton for the hint), when replacing ingress or
clsact Qdiscs, for example, the old Qdisc ("@old") could access the same
miniq_{in,e}gress pointer(s) concurrently with the new Qdisc ("@new"),
causing race conditions [1] including a use-after-free bug in
mini_qdisc_pair_swap() reported by syzbot:

 BUG: KASAN: slab-use-after-free in mini_qdisc_pair_swap+0x1c2/0x1f0 net/sched/sch_generic.c:1573
 Write of size 8 at addr ffff888045b31308 by task syz-executor690/14901
...
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
  print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:319
  print_report mm/kasan/report.c:430 [inline]
  kasan_report+0x11c/0x130 mm/kasan/report.c:536
  mini_qdisc_pair_swap+0x1c2/0x1f0 net/sched/sch_generic.c:1573
  tcf_chain_head_change_item net/sched/cls_api.c:495 [inline]
  tcf_chain0_head_change.isra.0+0xb9/0x120 net/sched/cls_api.c:509
  tcf_chain_tp_insert net/sched/cls_api.c:1826 [inline]
  tcf_chain_tp_insert_unique net/sched/cls_api.c:1875 [inline]
  tc_new_tfilter+0x1de6/0x2290 net/sched/cls_api.c:2266
...

@old and @new should not affect each other.  In other words, @old should
never modify miniq_{in,e}gress after @new, and @new should not update
@old's RCU state.

Fixing without changing sch_api.c turned out to be difficult (please
refer to Closes: for discussions).  Instead, make sure @new's first call
always happen after @old's last call (in {ingress,clsact}_destroy()) has
finished:

In qdisc_graft(), return -EBUSY if @old has any ongoing filter requests,
and call qdisc_destroy() for @old before grafting @new.

Introduce qdisc_refcount_dec_if_one() as the counterpart of
qdisc_refcount_inc_nz() used for filter requests.  Introduce a
non-static version of qdisc_destroy() that does a TCQ_F_BUILTIN check,
just like qdisc_put() etc.

Depends on patch "net/sched: Refactor qdisc_graft() for ingress and
clsact Qdiscs".

[1] To illustrate, the syzkaller reproducer adds ingress Qdiscs under
TC_H_ROOT (no longer possible after commit c7cfbd1150 ("net/sched:
sch_ingress: Only create under TC_H_INGRESS")) on eth0 that has 8
transmission queues:

  Thread 1 creates ingress Qdisc A (containing mini Qdisc a1 and a2),
  then adds a flower filter X to A.

  Thread 2 creates another ingress Qdisc B (containing mini Qdisc b1 and
  b2) to replace A, then adds a flower filter Y to B.

 Thread 1               A's refcnt   Thread 2
  RTM_NEWQDISC (A, RTNL-locked)
   qdisc_create(A)               1
   qdisc_graft(A)                9

  RTM_NEWTFILTER (X, RTNL-unlocked)
   __tcf_qdisc_find(A)          10
   tcf_chain0_head_change(A)
   mini_qdisc_pair_swap(A) (1st)
            |
            |                         RTM_NEWQDISC (B, RTNL-locked)
         RCU sync                2     qdisc_graft(B)
            |                    1     notify_and_destroy(A)
            |
   tcf_block_release(A)          0    RTM_NEWTFILTER (Y, RTNL-unlocked)
   qdisc_destroy(A)                    tcf_chain0_head_change(B)
   tcf_chain0_head_change_cb_del(A)    mini_qdisc_pair_swap(B) (2nd)
   mini_qdisc_pair_swap(A) (3rd)                |
           ...                                 ...

Here, B calls mini_qdisc_pair_swap(), pointing eth0->miniq_ingress to
its mini Qdisc, b1.  Then, A calls mini_qdisc_pair_swap() again during
ingress_destroy(), setting eth0->miniq_ingress to NULL, so ingress
packets on eth0 will not find filter Y in sch_handle_ingress().

This is just one of the possible consequences of concurrently accessing
miniq_{in,e}gress pointers.

Fixes: 7a096d579e ("net: sched: ingress: set 'unlocked' flag for Qdisc ops")
Fixes: 87f373921c ("net: sched: ingress: set 'unlocked' flag for clsact Qdisc ops")
Reported-by: syzbot+b53a9c0d1ea4ad62da8b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/0000000000006cf87705f79acf1a@google.com/
Cc: Hillf Danton <hdanton@sina.com>
Cc: Vlad Buslov <vladbu@mellanox.com>
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2023-06-14 10:31:39 +02:00
..
9p 9p: Add additional debug flags and open modes 2023-03-27 02:33:48 +00:00
bluetooth Bluetooth: ISO: use correct CIS order in Set CIG Parameters event 2023-06-05 17:14:07 -07:00
caif
iucv
mana net: mana: Fix perf regression: remove rx_cqes, tx_cqes counters 2023-05-30 12:05:22 +02:00
netfilter net/sched: act_ct: Fix promotion of offloaded unreplied tuple 2023-06-14 09:56:50 +02:00
netns net/ipv6: convert skip_notify_on_dev_down sysctl to u8 2023-06-02 22:55:43 -07:00
nfc
phonet
sctp sctp: delete the nested flexible array peer_init 2023-04-21 08:19:30 +01:00
tc_act net/sched: act_connmark: transition to percpu stats and rcu 2023-02-16 10:39:28 +01:00
6lowpan.h
act_api.h net/sched: Rename user cookie and act cookie 2023-02-20 16:46:10 -08:00
addrconf.h ipv6: constify inet6_mc_check() 2023-03-17 08:56:37 +00:00
af_ieee802154.h
af_rxrpc.h rxrpc: Fix timeout of a call that hasn't yet been granted a channel 2023-05-01 07:43:19 +01:00
af_unix.h af_unix: preserve const qualifier in unix_sk() 2023-03-18 12:23:33 +00:00
af_vsock.h vsock: support sockmap 2023-03-29 08:19:38 +01:00
ah.h
amt.h
arp.h neighbour: switch to standard rcu, instead of rcu_bh 2023-03-21 21:32:18 -07:00
atmclip.h
ax25.h x25: preserve const qualifier in [a]x25_sk() 2023-03-18 12:23:34 +00:00
ax88796.h
bareudp.h
bond_3ad.h
bond_alb.h
bond_options.h
bonding.h net: fix stack overflow when LRO is disabled for virtual interfaces 2023-05-19 22:46:37 -07:00
bpf_sk_storage.h
busy_poll.h
calipso.h
cfg80211-wext.h
cfg80211.h wifi: nl80211: make nl80211_send_chandef non-static 2023-03-24 11:45:51 +01:00
cfg802154.h ieee802154: Add support for user beaconing requests 2023-01-28 13:51:22 +01:00
checksum.h net: checksum: drop the linux/uaccess.h include 2023-01-27 11:19:46 +00:00
cipso_ipv4.h
cls_cgroup.h
codel_impl.h
codel_qdisc.h
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h net: dcb: add helper functions to retrieve PCP and DSCP rewrite maps 2023-01-20 09:33:22 +00:00
devlink.h devlink: fix the name of value arg of devl_param_driverinit_value_get() 2023-02-13 09:49:14 +00:00
dropreason-core.h net: extend drop reasons for multiple subsystems 2023-04-20 20:20:49 -07:00
dropreason.h mac80211: use the new drop reasons infrastructure 2023-04-20 20:20:49 -07:00
dsa_stubs.h net: dsa: replace NETDEV_PRE_CHANGE_HWTSTAMP notifier with a stub 2023-04-09 15:35:49 +01:00
dsa.h net: create a netdev notifier for DSA to reject PTP on DSA master 2023-04-03 10:04:27 +01:00
dsfield.h
dst_cache.h
dst_metadata.h xfrm: interface: Add unstable helpers for setting/getting XFRM metadata from TC-BPF 2022-12-05 21:58:27 -08:00
dst_ops.h ipv6: remove max_size check inline with ipv4 2023-01-13 20:59:14 -08:00
dst.h net: dst: Switch to rcuref_t reference counting 2023-03-28 18:52:28 -07:00
erspan.h
esp.h
espintcp.h
ethoc.h
failover.h
fib_notifier.h
fib_rules.h
firewire.h
flow_dissector.h flow_dissector: Address kdoc warnings 2023-04-20 19:25:02 -07:00
flow_offload.h net/sched: cls_api: Support hardware miss to tc action 2023-02-20 16:46:10 -08:00
flow.h net: remove unnecessary includes from net/flow.h 2023-01-27 11:19:46 +00:00
fou.h bpf,fou: Add bpf_skb_{set,get}_fou_encap kfuncs 2023-04-12 16:40:39 -07:00
fq_impl.h wifi: mac80211: add support for restricting netdev features per vif 2022-12-01 15:09:10 +01:00
fq.h
garp.h
gen_stats.h
genetlink.h
geneve.h
gre.h
gro_cells.h
gro.h
gtp.h
gue.h
handshake.h net/handshake: Enable the SNI extension to work properly 2023-05-24 22:05:24 -07:00
hwbm.h
icmp.h
ieee80211_radiotap.h wifi: radiotap: separate vendor TLV into header/content 2023-03-07 20:11:36 +01:00
ieee802154_netdev.h mac802154: Handle basic beaconing 2023-01-28 13:55:10 +01:00
if_inet6.h
ife.h
ila.h
inet_common.h
inet_connection_sock.h
inet_dscp.h
inet_ecn.h
inet_frag.h net: move dropreason.h to dropreason-core.h 2023-04-20 20:20:49 -07:00
inet_hashtables.h tcp: Add TIME_WAIT sockets in bhash2. 2022-12-30 07:25:52 +00:00
inet_sock.h inet: preserve const qualifier in inet_sk() 2023-03-17 08:56:37 +00:00
inet_timewait_sock.h tcp: Add TIME_WAIT sockets in bhash2. 2022-12-30 07:25:52 +00:00
inet6_connection_sock.h
inet6_hashtables.h
inetpeer.h
ioam6.h
ip_fib.h
ip_tunnels.h bpf-next-for-netdev 2023-04-13 16:43:38 -07:00
ip_vs.h ipvs: Correct spelling in comments 2023-04-22 01:39:41 +02:00
ip.h ipv{4,6}/raw: fix output xfrm lookup wrt protocol 2023-05-23 15:38:59 +02:00
ip6_checksum.h
ip6_fib.h ipv6: Remove in6addr_any alternatives. 2023-03-29 08:22:52 +01:00
ip6_route.h net: dst: Prevent false sharing vs. dst_entry:: __refcnt 2023-03-28 18:52:22 -07:00
ip6_tunnel.h
ipcomp.h
ipconfig.h
ipv6_frag.h
ipv6_stubs.h
ipv6.h ipv6: icmp6: add drop reason support to icmpv6_notify() 2023-02-13 19:55:32 -08:00
iw_handler.h
kcm.h
l3mdev.h
lag.h
lapb.h
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
lwtunnel.h
mac80211.h wifi: mac80211: remove ieee80211_tx_status_8023 2023-04-18 14:48:01 +02:00
mac802154.h
macsec.h
mctp.h
mctpdevice.h
mip6.h
mld.h
mpls_iptunnel.h
mpls.h
mptcp.h mptcp: remove MPTCP 'ifdef' in TCP SYN cookies 2022-12-12 13:11:24 -08:00
mrp.h
ncsi.h
ndisc.h neighbour: switch to standard rcu, instead of rcu_bh 2023-03-21 21:32:18 -07:00
neighbour.h neighbour: fix unaligned access to pneigh_entry 2023-06-01 21:36:37 -07:00
net_debug.h
net_failover.h
net_namespace.h
net_ratelimit.h
net_trackers.h
netdev_queues.h net: add macro netif_subqueue_completed_wake 2023-04-18 12:59:01 +02:00
netevent.h
netlabel.h
netlink.h net: netlink: recommend policy range validation 2023-01-28 00:33:51 -08:00
netprio_cgroup.h
netrom.h
nexthop.h ipv6: remove nexthop_fib6_nh_bh() 2023-05-11 18:07:05 -07:00
nl802154.h ieee802154: Add support for user beaconing requests 2023-01-28 13:51:22 +01:00
nsh.h
p8022.h
page_pool.h page_pool: fix inconsistency for page_pool_ring_[un]lock() 2023-05-23 20:25:13 -07:00
pie.h
ping.h net/ipv4: ping_group_range: allow GID from 2147483648 to 4294967294 2023-06-02 09:55:22 +01:00
pkt_cls.h net/sched: cls_api: Support hardware miss to tc action 2023-02-20 16:46:10 -08:00
pkt_sched.h net: sched: move rtm_tca_policy declaration to include file 2023-06-07 12:19:28 +01:00
pptp.h
protocol.h
psample.h
psnap.h
raw.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-04-06 12:01:20 -07:00
rawv6.h ipv6: raw: constify raw_v6_match() socket argument 2023-03-17 08:56:37 +00:00
red.h
regulatory.h
request_sock.h
rose.h
route.h net: dst: Prevent false sharing vs. dst_entry:: __refcnt 2023-03-28 18:52:22 -07:00
rpl.h ipv6: rpl: Fix Route of Death. 2023-06-06 20:59:08 -07:00
rsi_91x.h
rtnetlink.h
rtnh.h
sch_generic.h net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting 2023-06-14 10:31:39 +02:00
scm.h scm: fix MSG_CTRUNC setting condition for SO_PASSSEC 2023-03-15 08:20:12 +00:00
secure_seq.h
seg6_hmac.h
seg6_local.h
seg6.h
selftests.h
slhc_vj.h
smc.h net/smc: Introduce explicit check for v2 support 2023-03-15 08:18:35 +00:00
snmp.h
sock_reuseport.h
sock.h rfs: annotate lockless accesses to sk->sk_rxhash 2023-06-07 10:08:45 +01:00
Space.h
stp.h
strparser.h
switchdev.h
tc_wrapper.h net/sched: Retire rsvp classifier 2023-02-16 09:27:07 +01:00
tcp_states.h
tcp.h tcp: fix mishandling when the sack compression is deferred. 2023-06-01 13:15:12 +02:00
timewait_sock.h
tipc.h
tls_toe.h
tls.h tls: rx: strp: preserve decryption status of skbs when needed 2023-05-19 08:37:37 +01:00
transp_v6.h
tso.h net: tso: inline tso_count_descs() 2022-12-12 15:04:39 -08:00
tun_proto.h
udp_tunnel.h
udp.h
udplite.h
vsock_addr.h
vxlan.h vxlan: Expose helper vxlan_build_gbp_hdr 2023-03-17 22:41:16 -07:00
wext.h
x25.h x25: preserve const qualifier in [a]x25_sk() 2023-03-18 12:23:34 +00:00
x25device.h
xdp_priv.h
xdp_sock_drv.h
xdp_sock.h bpf, net: xskmap memory usage 2023-03-07 09:33:43 -08:00
xdp.h bpf-next-for-netdev 2023-04-13 16:43:38 -07:00
xfrm.h xfrm: add new device offload acquire flag 2023-03-20 11:29:33 +02:00
xsk_buff_pool.h xsk: Fix unaligned descriptor validation 2023-04-06 09:53:05 -07:00