Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a6361f0c authored by Willem de Bruijn's avatar Willem de Bruijn Committed by David S. Miller
Browse files

packet: fix bitfield update race 



Updates to the bitfields in struct packet_sock are not atomic.
Serialize these read-modify-write cycles.

Move po->running into a separate variable. Its writes are protected by
po->bind_lock (except for one startup case at packet_create). Also
replace a textual precondition warning with lockdep annotation.

All others are set only in packet_setsockopt. Serialize these
updates by holding the socket lock. Analogous to other field updates,
also hold the lock when testing whether a ring is active (pg_vec).

Fixes: 8dc41944 ("[PACKET]: Add optional checksum computation for recvmsg")
Reported-by: default avatarDaeRyong Jeong <threeearcat@gmail.com>
Reported-by: default avatarByoungyoung Lee <byoungyoung@purdue.edu>
Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9cf2f437

net/packet/af_packet.c

+44 −16
Original line number Diff line number Diff line
@@ -329,11 +329,11 @@ static void packet_pick_tx_queue(struct net_device *dev, struct sk_buff *skb) 
	skb_set_queue_mapping(skb, queue_index);

}



/* register_prot_hook must be invoked with the po->bind_lock held,

/* __register_prot_hook must be invoked through register_prot_hook

 * or from a context in which asynchronous accesses to the packet

 * socket is not possible (packet_create()).

 */

static void register_prot_hook(struct sock *sk)

static void __register_prot_hook(struct sock *sk)

{

	struct packet_sock *po = pkt_sk(sk);
@@ -348,8 +348,13 @@ static void register_prot_hook(struct sock *sk) 
	}

}



/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock

 * held.   If the sync parameter is true, we will temporarily drop

static void register_prot_hook(struct sock *sk)

{

	lockdep_assert_held_once(&pkt_sk(sk)->bind_lock);

	__register_prot_hook(sk);

}



/* If the sync parameter is true, we will temporarily drop

 * the po->bind_lock and do a synchronize_net to make sure no

 * asynchronous packet processing paths still refer to the elements

 * of po->prot_hook.  If the sync parameter is false, it is the
@@ -359,6 +364,8 @@ static void __unregister_prot_hook(struct sock *sk, bool sync) 
{

	struct packet_sock *po = pkt_sk(sk);



	lockdep_assert_held_once(&po->bind_lock);



	po->running = 0;



	if (po->fanout)
@@ -3252,7 +3259,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, 


	if (proto) {

		po->prot_hook.type = proto;

		register_prot_hook(sk);

		__register_prot_hook(sk);

	}



	mutex_lock(&net->packet.sklist_lock);
@@ -3732,12 +3739,18 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv 


		if (optlen != sizeof(val))

			return -EINVAL;

		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)

			return -EBUSY;

		if (copy_from_user(&val, optval, sizeof(val)))

			return -EFAULT;



		lock_sock(sk);

		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {

			ret = -EBUSY;

		} else {

			po->tp_loss = !!val;

		return 0;

			ret = 0;

		}

		release_sock(sk);

		return ret;

	}

	case PACKET_AUXDATA:

	{
@@ -3748,7 +3761,9 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv 
		if (copy_from_user(&val, optval, sizeof(val)))

			return -EFAULT;



		lock_sock(sk);

		po->auxdata = !!val;

		release_sock(sk);

		return 0;

	}

	case PACKET_ORIGDEV:
@@ -3760,7 +3775,9 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv 
		if (copy_from_user(&val, optval, sizeof(val)))

			return -EFAULT;



		lock_sock(sk);

		po->origdev = !!val;

		release_sock(sk);

		return 0;

	}

	case PACKET_VNET_HDR:
@@ -3769,15 +3786,20 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv 


		if (sock->type != SOCK_RAW)

			return -EINVAL;

		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)

			return -EBUSY;

		if (optlen < sizeof(val))

			return -EINVAL;

		if (copy_from_user(&val, optval, sizeof(val)))

			return -EFAULT;



		lock_sock(sk);

		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {

			ret = -EBUSY;

		} else {

			po->has_vnet_hdr = !!val;

		return 0;

			ret = 0;

		}

		release_sock(sk);

		return ret;

	}

	case PACKET_TIMESTAMP:

	{
@@ -3815,11 +3837,17 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv 


		if (optlen != sizeof(val))

			return -EINVAL;

		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)

			return -EBUSY;

		if (copy_from_user(&val, optval, sizeof(val)))

			return -EFAULT;



		lock_sock(sk);

		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {

			ret = -EBUSY;

		} else {

			po->tp_tx_has_off = !!val;

			ret = 0;

		}

		release_sock(sk);

		return 0;

	}

	case PACKET_QDISC_BYPASS:

net/packet/internal.h

+5 −5
Original line number Diff line number Diff line
@@ -112,10 +112,12 @@ struct packet_sock { 
	int			copy_thresh;

	spinlock_t		bind_lock;

	struct mutex		pg_vec_lock;

	unsigned int		running:1,	/* prot_hook is attached*/

				auxdata:1,

	unsigned int		running;	/* bind_lock must be held */

	unsigned int		auxdata:1,	/* writer must hold sock lock */

				origdev:1,

				has_vnet_hdr:1;

				has_vnet_hdr:1,

				tp_loss:1,

				tp_tx_has_off:1;

	int			pressure;

	int			ifindex;	/* bound device		*/

	__be16			num;
@@ -125,8 +127,6 @@ struct packet_sock { 
	enum tpacket_versions	tp_version;

	unsigned int		tp_hdrlen;

	unsigned int		tp_reserve;

	unsigned int		tp_loss:1;

	unsigned int		tp_tx_has_off:1;

	unsigned int		tp_tstamp;

	struct net_device __rcu	*cached_dev;

	int			(*xmit)(struct sk_buff *skb);