Date: Thu, 7 Sep 2023 16:25:29 +0200
From: Simon Horman <horms@...nel.org>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S. Miller" <davem@...emloft.net>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	netdev@...r.kernel.org, eric.dumazet@...il.com,
	syzbot <syzkaller@...glegroups.com>,
	Steffen Klassert <steffen.klassert@...unet.com>
Subject: Re: [PATCH net] xfrm: interface: use DEV_STATS_INC()

On Tue, Sep 05, 2023 at 01:23:03PM +0000, Eric Dumazet wrote:
> syzbot/KCSAN reported data-races in xfrm whenever dev->stats fields
> are updated.
> 
> It appears all of these updates can happen from multiple cpus.
> 
> Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
> 
> BUG: KCSAN: data-race in xfrmi_xmit / xfrmi_xmit
> 
> read-write to 0xffff88813726b160 of 8 bytes by task 23986 on cpu 1:
> xfrmi_xmit+0x74e/0xb20 net/xfrm/xfrm_interface_core.c:583
> __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
> netdev_start_xmit include/linux/netdevice.h:4903 [inline]
> xmit_one net/core/dev.c:3544 [inline]
> dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
> __dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
> dev_queue_xmit include/linux/netdevice.h:3082 [inline]
> neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1581
> neigh_output include/net/neighbour.h:542 [inline]
> ip_finish_output2+0x74a/0x850 net/ipv4/ip_output.c:230
> ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:318
> NF_HOOK_COND include/linux/netfilter.h:293 [inline]
> ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:432
> dst_output include/net/dst.h:458 [inline]
> ip_local_out net/ipv4/ip_output.c:127 [inline]
> ip_send_skb+0x72/0xe0 net/ipv4/ip_output.c:1487
> udp_send_skb+0x6a4/0x990 net/ipv4/udp.c:963
> udp_sendmsg+0x1249/0x12d0 net/ipv4/udp.c:1246
> inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:840
> sock_sendmsg_nosec net/socket.c:730 [inline]
> sock_sendmsg net/socket.c:753 [inline]
> ____sys_sendmsg+0x37c/0x4d0 net/socket.c:2540
> ___sys_sendmsg net/socket.c:2594 [inline]
> __sys_sendmmsg+0x269/0x500 net/socket.c:2680
> __do_sys_sendmmsg net/socket.c:2709 [inline]
> __se_sys_sendmmsg net/socket.c:2706 [inline]
> __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2706
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> read-write to 0xffff88813726b160 of 8 bytes by task 23987 on cpu 0:
> xfrmi_xmit+0x74e/0xb20 net/xfrm/xfrm_interface_core.c:583
> __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
> netdev_start_xmit include/linux/netdevice.h:4903 [inline]
> xmit_one net/core/dev.c:3544 [inline]
> dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
> __dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
> dev_queue_xmit include/linux/netdevice.h:3082 [inline]
> neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1581
> neigh_output include/net/neighbour.h:542 [inline]
> ip_finish_output2+0x74a/0x850 net/ipv4/ip_output.c:230
> ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:318
> NF_HOOK_COND include/linux/netfilter.h:293 [inline]
> ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:432
> dst_output include/net/dst.h:458 [inline]
> ip_local_out net/ipv4/ip_output.c:127 [inline]
> ip_send_skb+0x72/0xe0 net/ipv4/ip_output.c:1487
> udp_send_skb+0x6a4/0x990 net/ipv4/udp.c:963
> udp_sendmsg+0x1249/0x12d0 net/ipv4/udp.c:1246
> inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:840
> sock_sendmsg_nosec net/socket.c:730 [inline]
> sock_sendmsg net/socket.c:753 [inline]
> ____sys_sendmsg+0x37c/0x4d0 net/socket.c:2540
> ___sys_sendmsg net/socket.c:2594 [inline]
> __sys_sendmmsg+0x269/0x500 net/socket.c:2680
> __do_sys_sendmmsg net/socket.c:2709 [inline]
> __se_sys_sendmmsg net/socket.c:2706 [inline]
> __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2706
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> value changed: 0x00000000000010d7 -> 0x00000000000010d8
> 
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 0 PID: 23987 Comm: syz-executor.5 Not tainted 6.5.0-syzkaller-10885-g0468be89b3fa #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
> 
> Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Steffen Klassert <steffen.klassert@...unet.com>

Reviewed-by: Simon Horman <horms@...nel.org>
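
The commit message above says the dev->stats updates can run on multiple CPUs at once. As an added illustration (a user-space model written for this page, not kernel code and not part of the patch), the following C program enumerates every interleaving of two CPUs incrementing one shared counter, first as a separate load and store, then as a single indivisible step standing in for an SMP-safe increment. The names `run`, `lost_updates` and `START` are hypothetical; the starting value is borrowed from the report.

```c
/* Added example: user-space model of the race, not kernel code. */
#include <stdint.h>
#include <stdio.h>

#define START 0x10d7ULL /* sample starting value, taken from the report */

static int popcount(unsigned v)
{
    int n = 0;
    for (; v; v >>= 1)
        n += v & 1;
    return n;
}

/* Run one schedule: bit t of sched names the CPU (0 or 1) that executes at
 * time t. Non-atomic mode splits each increment into a load step and a
 * store step; atomic mode performs it as one indivisible step. */
static uint64_t run(unsigned sched, int atomic)
{
    uint64_t counter = START, reg[2] = {0, 0};
    int pc[2] = {0, 0}, nsteps = atomic ? 2 : 4;

    for (int t = 0; t < nsteps; t++) {
        int cpu = (sched >> t) & 1;
        if (atomic)
            counter++;                 /* indivisible read-modify-write */
        else if (pc[cpu]++ == 0)
            reg[cpu] = counter;        /* load into this CPU's register */
        else
            counter = reg[cpu] + 1;    /* store back a possibly stale value */
    }
    return counter;
}

/* Count the schedules in which one of the two increments is lost. */
static int lost_updates(int atomic)
{
    int nsteps = atomic ? 2 : 4, lost = 0;

    for (unsigned s = 0; s < (1u << nsteps); s++)
        if (popcount(s) == nsteps / 2 && run(s, atomic) != START + 2)
            lost++;
    return lost;
}

int main(void)
{
    printf("split load/store: %d of 6 schedules lose an update\n", lost_updates(0));
    printf("atomic increment: %d of 2 schedules lose an update\n", lost_updates(1));
    return 0;
}
```

Only the two fully serialized schedules keep both increments in the split case; every schedule where the two loads happen before either store ends with the counter one short.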

