• Cong Wang's avatar
    net: fix dev_ifsioc_locked() race condition · 3b23a32a
    Cong Wang authored
    dev_ifsioc_locked() is called with only RCU read lock, so when
    there is a parallel writer changing the mac address, it could
    get a partially updated mac address, as shown below:
    
    Thread 1			Thread 2
    // eth_commit_mac_addr_change()
    memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);
    				// dev_ifsioc_locked()
    				memcpy(ifr->ifr_hwaddr.sa_data,
    					dev->dev_addr,...);
    
    Close this race condition by guarding them with a RW semaphore,
    like netdev_get_name(). We can not use seqlock here as it does not
    allow blocking. The writers already take RTNL anyway, so this does
    not affect the slow path. To avoid bothering existing
    dev_set_mac_address() callers in drivers, introduce a new wrapper
    just for user-facing callers on ioctl and rtnetlink paths.
    
    Note, bonding also changes slave mac addresses but that requires
    a separate patch due to the complexity of bonding code.
    
    Fixes: 3710becf ("net: RCU locking for simple ioctl()")
    Reported-by: default avatar"Gong, Sishuai" <sishuai@purdue.edu>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: default avatarCong Wang <cong.wang@bytedance.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    3b23a32a
tap.c 30 KB