lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <a80d4260-08ed-48fe-8c0b-54abf0d99b1f@linux.dev>
Date: Fri, 10 Jan 2025 11:11:57 -0800
From: Martin KaFai Lau <martin.lau@...ux.dev>
To: Eric Dumazet <edumazet@...gle.com>
Cc: netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Simon Horman <horms@...nel.org>, eric.dumazet@...il.com,
 syzbot+b3e02953598f447d4d2a@...kaller.appspotmail.com,
 Martin KaFai Lau <kafai@...com>
Subject: Re: [PATCH v2 net] net: restrict SO_REUSEPORT to inet sockets

On 12/31/24 8:05 AM, Eric Dumazet wrote:
> After blamed commit, crypto sockets could accidentally be destroyed
> from RCU call back, as spotted by zyzbot [1].
> 
> Trying to acquire a mutex in RCU callback is not allowed.
> 
> Restrict SO_REUSEPORT socket option to inet sockets.
> 
> v1 of this patch supported TCP, UDP and SCTP sockets,
> but fcnal-test.sh test needed RAW and ICMP support.
> 
> [1]
> BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562
> in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1
> preempt_count: 100, expected: 0
> RCU nest depth: 0, expected: 0
> 1 lock held by ksoftirqd/1/24:
>    #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
>    #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline]
>    #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823
> Preemption disabled at:
>   [<ffffffff8161c8c8>] softirq_handle_begin kernel/softirq.c:402 [inline]
>   [<ffffffff8161c8c8>] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537
> CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Call Trace:
>   <TASK>
>    __dump_stack lib/dump_stack.c:94 [inline]
>    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>    __might_resched+0x5d4/0x780 kernel/sched/core.c:8758
>    __mutex_lock_common kernel/locking/mutex.c:562 [inline]
>    __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735
>    crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179
>    aead_release+0x3d/0x50 crypto/algif_aead.c:489
>    alg_do_release crypto/af_alg.c:118 [inline]
>    alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502
>    __sk_destruct+0x58/0x5f0 net/core/sock.c:2260
>    rcu_do_batch kernel/rcu/tree.c:2567 [inline]
>    rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
>    handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
>    run_ksoftirqd+0xca/0x130 kernel/softirq.c:950
>    smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
>    kthread+0x2f0/0x390 kernel/kthread.c:389
>    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
>    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>   </TASK>
> 
> Fixes: 8c7138b33e5c ("net: Unpublish sk from sk_reuseport_cb before call_rcu")
> Reported-by: syzbot+b3e02953598f447d4d2a@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/6772f2f4.050a0220.2f3838.04cb.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Martin KaFai Lau <kafai@...com>
> ---
>   net/core/sock.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 74729d20cd0099e748f4c4fe0be42a2d2d47e77a..be84885f9290a6ada1e0a3f987273a017a524ece 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -1295,7 +1295,10 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
>   		sk->sk_reuse = (valbool ? SK_CAN_REUSE : SK_NO_REUSE);
>   		break;
>   	case SO_REUSEPORT:
> -		sk->sk_reuseport = valbool;
> +		if (valbool && !sk_is_inet(sk))
> +			ret = -EOPNOTSUPP;
> +		else
> +			sk->sk_reuseport = valbool;

Thanks for the fix. fwiw,

Reviewed-by: Martin KaFai Lau <martin.lau@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ