• Eric Dumazet's avatar
    ipv4: fix data-races around inet->inet_id · f866fbc8
    Eric Dumazet authored
    UDP sendmsg() is lockless, so ip_select_ident_segs()
    can very well be run from multiple cpus [1]
    
    Convert inet->inet_id to an atomic_t, but implement
    a dedicated path for TCP, avoiding cost of a locked
    instruction (atomic_add_return())
    
    Note that this patch will cause a trivial merge conflict
    because we added inet->flags in net-next tree.
    
    v2: added missing change in
    drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
    (David Ahern)
    
    [1]
    
    BUG: KCSAN: data-race in __ip_make_skb / __ip_make_skb
    
    read-write to 0xffff888145af952a of 2 bytes by task 7803 on cpu 1:
    ip_select_ident_segs include/net/ip.h:542 [inline]
    ip_select_ident include/net/ip.h:556 [inline]
    __ip_make_skb+0x844/0xc70 net/ipv4/ip_output.c:1446
    ip_make_skb+0x233/0x2c0 net/ipv4/ip_output.c:1560
    udp_sendmsg+0x1199/0x1250 net/ipv4/udp.c:1260
    inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:830
    sock_sendmsg_nosec net/socket.c:725 [inline]
    sock_sendmsg net/socket.c:748 [inline]
    ____sys_sendmsg+0x37c/0x4d0 net/socket.c:2494
    ___sys_sendmsg net/socket.c:2548 [inline]
    __sys_sendmmsg+0x269/0x500 net/socket.c:2634
    __do_sys_sendmmsg net/socket.c:2663 [inline]
    __se_sys_sendmmsg net/socket.c:2660 [inline]
    __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2660
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    read to 0xffff888145af952a of 2 bytes by task 7804 on cpu 0:
    ip_select_ident_segs include/net/ip.h:541 [inline]
    ip_select_ident include/net/ip.h:556 [inline]
    __ip_make_skb+0x817/0xc70 net/ipv4/ip_output.c:1446
    ip_make_skb+0x233/0x2c0 net/ipv4/ip_output.c:1560
    udp_sendmsg+0x1199/0x1250 net/ipv4/udp.c:1260
    inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:830
    sock_sendmsg_nosec net/socket.c:725 [inline]
    sock_sendmsg net/socket.c:748 [inline]
    ____sys_sendmsg+0x37c/0x4d0 net/socket.c:2494
    ___sys_sendmsg net/socket.c:2548 [inline]
    __sys_sendmmsg+0x269/0x500 net/socket.c:2634
    __do_sys_sendmmsg net/socket.c:2663 [inline]
    __se_sys_sendmmsg net/socket.c:2660 [inline]
    __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2660
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    value changed: 0x184d -> 0x184e
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 0 PID: 7804 Comm: syz-executor.1 Not tainted 6.5.0-rc6-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
    ==================================================================
    
    Fixes: 23f57406 ("ipv4: avoid using shared IP generator for connected sockets")
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    f866fbc8
datagram.c 3.08 KB