Re: [PATCH v3 net] dccp/tcp: fix ireq->opt races
Hi Eric, [auto build test WARNING on net/master] url: https://github.com/0day-ci/linux/commits/Eric-Dumazet/dccp-tcp-fix-ireq-opt-races/20171021-034024 config: powerpc-ppc6xx_defconfig (attached as .config) compiler: powerpc-linux-gnu-gcc (Debian 6.1.1-9) 6.1.1 20160705 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=powerpc All warnings (new ones prefixed by >>): In file included from arch/powerpc/include/asm/atomic.h:10:0, from include/linux/atomic.h:4, from include/linux/rcupdate.h:38, from net/ipv4/cipso_ipv4.c:40: net/ipv4/cipso_ipv4.c: In function 'cipso_v4_req_setattr': net/ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/powerpc/include/asm/cmpxchg.h:203:15: note: in definition of macro 'xchg_relaxed' __typeof__(*(ptr)) _x_ = (x); \ ^~~ include/linux/atomic.h:517:22: note: in expansion of macro '__atomic_op_fence' #define xchg(...) __atomic_op_fence(xchg, __VA_ARGS__) ^ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro 'xchg' opt = xchg(&req_inet->opt, opt); ^~~~ >> arch/powerpc/include/asm/cmpxchg.h:203:27: warning: initialization makes >> integer from pointer without a cast [-Wint-conversion] __typeof__(*(ptr)) _x_ = (x); \ ^ >> include/linux/atomic.h:65:9: note: in expansion of macro 'xchg_relaxed' typeof(op##_relaxed(args)) __ret;\ ^~ include/linux/atomic.h:517:22: note: in expansion of macro '__atomic_op_fence' #define xchg(...) 
__atomic_op_fence(xchg, __VA_ARGS__) ^ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro 'xchg' opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/powerpc/include/asm/cmpxchg.h:204:16: note: in definition of macro 'xchg_relaxed' (__typeof__(*(ptr))) __xchg_relaxed((ptr), \ ^~~ include/linux/atomic.h:517:22: note: in expansion of macro '__atomic_op_fence' #define xchg(...) __atomic_op_fence(xchg, __VA_ARGS__) ^ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro 'xchg' opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/powerpc/include/asm/cmpxchg.h:204:39: note: in definition of macro 'xchg_relaxed' (__typeof__(*(ptr))) __xchg_relaxed((ptr), \ ^~~ include/linux/atomic.h:517:22: note: in expansion of macro '__atomic_op_fence' #define xchg(...) __atomic_op_fence(xchg, __VA_ARGS__) ^ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro 'xchg' opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/powerpc/include/asm/cmpxchg.h:205:33: note: in definition of macro 'xchg_relaxed' (unsigned long)_x_, sizeof(*(ptr))); \ ^~~ include/linux/atomic.h:517:22: note: in expansion of macro '__atomic_op_fence' #define xchg(...) __atomic_op_fence(xchg, __VA_ARGS__) ^ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro 'xchg' opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/powerpc/include/asm/cmpxchg.h:203:15: note: in definition of macro 'xchg_relaxed' __typeof__(*(ptr)) _x_ = (x); \ ^~~ include/linux/atomic.h:517:22: note: in expansion of macro '__atomic_op_fence' #define xchg(...) 
__atomic_op_fence(xchg, __VA_ARGS__) ^ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro 'xchg' opt = xchg(&req_inet->opt, opt); ^~~~ >> arch/powerpc/include/asm/cmpxchg.h:203:27: warning: initialization makes >> integer from pointer without a cast [-Wint-conversion] __typeof__(*(ptr)) _x_ = (x); \ ^ include/linux/atomic.h:67:10: note: in expansion of macro 'xchg_relaxed' __ret = op##_relaxed(ar
Re: [PATCH v3 net] dccp/tcp: fix ireq->opt races
On Sat, 2017-10-21 at 05:26 +0800, kbuild test robot wrote:
> Hi Eric,
>
> [auto build test WARNING on net/master]

Obsolete report. v4 was sent a few hours ago ;)
Re: [PATCH v3 net] dccp/tcp: fix ireq->opt races
Hi Eric, [auto build test WARNING on net/master] url: https://github.com/0day-ci/linux/commits/Eric-Dumazet/dccp-tcp-fix-ireq-opt-races/20171021-034024 config: alpha-allmodconfig (attached as .config) compiler: alpha-linux-gnu-gcc (Debian 6.1.1-9) 6.1.1 20160705 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=alpha All warnings (new ones prefixed by >>): In file included from arch/alpha/include/asm/atomic.h:6:0, from include/linux/atomic.h:4, from include/linux/rcupdate.h:38, from net/ipv4/cipso_ipv4.c:40: net/ipv4/cipso_ipv4.c: In function 'cipso_v4_req_setattr': net/ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/alpha/include/asm/cmpxchg.h:47:15: note: in definition of macro 'xchg' __typeof__(*(ptr)) _x_ = (x); \ ^~~ >> arch/alpha/include/asm/cmpxchg.h:47:27: warning: initialization makes >> integer from pointer without a cast [-Wint-conversion] __typeof__(*(ptr)) _x_ = (x); \ ^ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro 'xchg' opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/alpha/include/asm/cmpxchg.h:48:16: note: in definition of macro 'xchg' (__typeof__(*(ptr))) __xchg((ptr), (unsigned long)_x_, \ ^~~ net/ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/alpha/include/asm/cmpxchg.h:48:31: note: in definition of macro 'xchg' (__typeof__(*(ptr))) __xchg((ptr), (unsigned long)_x_, \ ^~~ net/ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/alpha/include/asm/cmpxchg.h:49:15: note: in definition of macro 'xchg' sizeof(*(ptr))); \ ^~~ 
net/ipv4/cipso_ipv4.c: In function 'cipso_v4_req_delattr': net/ipv4/cipso_ipv4.c:2073:16: error: 'struct inet_request_sock' has no member named 'opt' opt = req_inet->opt; ^~ net/ipv4/cipso_ipv4.c:2077:27: error: 'struct inet_request_sock' has no member named 'opt' cipso_v4_delopt(&req_inet->opt); ^~ -- In file included from arch/alpha/include/asm/atomic.h:6:0, from include/linux/atomic.h:4, from include/linux/rcupdate.h:38, from net//ipv4/cipso_ipv4.c:40: net//ipv4/cipso_ipv4.c: In function 'cipso_v4_req_setattr': net//ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/alpha/include/asm/cmpxchg.h:47:15: note: in definition of macro 'xchg' __typeof__(*(ptr)) _x_ = (x); \ ^~~ >> arch/alpha/include/asm/cmpxchg.h:47:27: warning: initialization makes >> integer from pointer without a cast [-Wint-conversion] __typeof__(*(ptr)) _x_ = (x); \ ^ net//ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro 'xchg' opt = xchg(&req_inet->opt, opt); ^~~~ net//ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/alpha/include/asm/cmpxchg.h:48:16: note: in definition of macro 'xchg' (__typeof__(*(ptr))) __xchg((ptr), (unsigned long)_x_, \ ^~~ net//ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/alpha/include/asm/cmpxchg.h:48:31: note: in definition of macro 'xchg' (__typeof__(*(ptr))) __xchg((ptr), (unsigned long)_x_, \ ^~~ net//ipv4/cipso_ipv4.c:1954:22: error: 'struct inet_request_sock' has no member named 'opt' opt = xchg(&req_inet->opt, opt); ^ arch/alpha/include/asm/cmpxchg.h:49:15: note: in definition of macro 'xchg' sizeof(*(ptr))); \ ^~~ net//ipv4/cipso_ipv4.c: In function 'cipso_v4_req_delattr': net//ipv4/cipso_ipv4.c:2073:16: error: 'struct inet_request_sock' has no member named 'opt' opt = req_inet->opt; ^~ net//ipv4/cipso_ipv4.c:2077:27: error: 
'struct inet_request_sock' has no member named 'opt' cipso_v4_delopt(&req_inet->op
Re: [PATCH v3 net] dccp/tcp: fix ireq->opt races
On Fri, 2017-10-20 at 07:18 +0100, David Miller wrote:
> From: David Miller
> Date: Fri, 20 Oct 2017 07:04:58 +0100 (WEST)
>
> > Much better, applied and queued up for -stable.
>
> I take that back.
>
> Please build test your changes more thoroughly.

Arg, sorry for wasting your time, I will send a v4.
Re: [PATCH v3 net] dccp/tcp: fix ireq->opt races
From: David Miller Date: Fri, 20 Oct 2017 07:04:58 +0100 (WEST) > Much better, applied and queued up for -stable. I take that back. Please build test your changes more thoroughly. In file included from ./arch/x86/include/asm/atomic.h:7:0, from ./include/linux/atomic.h:4, from ./include/linux/rcupdate.h:38, from net/ipv4/cipso_ipv4.c:40: net/ipv4/cipso_ipv4.c: In function ‘cipso_v4_req_setattr’: net/ipv4/cipso_ipv4.c:1954:22: error: ‘struct inet_request_sock’ has no member named ‘opt’ opt = xchg(&req_inet->opt, opt); ^ ./arch/x86/include/asm/cmpxchg.h:43:24: note: in definition of macro ‘__xchg_op’ __typeof__ (*(ptr)) __ret = (arg); \ ^~~ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro ‘xchg’ opt = xchg(&req_inet->opt, opt); ^~~~ ./arch/x86/include/asm/cmpxchg.h:43:38: warning: initialization makes integer from pointer without a cast [-Wint-conversion] __typeof__ (*(ptr)) __ret = (arg); \ ^ ./arch/x86/include/asm/cmpxchg.h:77:22: note: in expansion of macro ‘__xchg_op’ #define xchg(ptr, v) __xchg_op((ptr), (v), xchg, "") ^ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro ‘xchg’ opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: ‘struct inet_request_sock’ has no member named ‘opt’ opt = xchg(&req_inet->opt, opt); ^ ./arch/x86/include/asm/cmpxchg.h:44:20: note: in definition of macro ‘__xchg_op’ switch (sizeof(*(ptr))) {\ ^~~ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro ‘xchg’ opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: ‘struct inet_request_sock’ has no member named ‘opt’ opt = xchg(&req_inet->opt, opt); ^ ./arch/x86/include/asm/cmpxchg.h:47:35: note: in definition of macro ‘__xchg_op’ : "+q" (__ret), "+m" (*(ptr)) \ ^~~ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro ‘xchg’ opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: ‘struct inet_request_sock’ has no member named ‘opt’ opt = xchg(&req_inet->opt, opt); ^ 
./arch/x86/include/asm/cmpxchg.h:52:35: note: in definition of macro ‘__xchg_op’ : "+r" (__ret), "+m" (*(ptr)) \ ^~~ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro ‘xchg’ opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: ‘struct inet_request_sock’ has no member named ‘opt’ opt = xchg(&req_inet->opt, opt); ^ ./arch/x86/include/asm/cmpxchg.h:57:35: note: in definition of macro ‘__xchg_op’ : "+r" (__ret), "+m" (*(ptr)) \ ^~~ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro ‘xchg’ opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:22: error: ‘struct inet_request_sock’ has no member named ‘opt’ opt = xchg(&req_inet->opt, opt); ^ ./arch/x86/include/asm/cmpxchg.h:62:35: note: in definition of macro ‘__xchg_op’ : "+r" (__ret), "+m" (*(ptr)) \ ^~~ net/ipv4/cipso_ipv4.c:1954:8: note: in expansion of macro ‘xchg’ opt = xchg(&req_inet->opt, opt); ^~~~ net/ipv4/cipso_ipv4.c:1954:6: warning: assignment makes pointer from integer without a cast [-Wint-conversion] opt = xchg(&req_inet->opt, opt); ^ net/ipv4/cipso_ipv4.c: In function ‘cipso_v4_req_delattr’: net/ipv4/cipso_ipv4.c:2073:16: error: ‘struct inet_request_sock’ has no member named ‘opt’ opt = req_inet->opt; ^~ net/ipv4/cipso_ipv4.c:2077:27: error: ‘struct inet_request_sock’ has no member named ‘opt’ cipso_v4_delopt(&req_inet->opt); ^~ scripts/Makefile.build:313: recipe for target 'net/ipv4/cipso_ipv4.o' failed make[2]: *** [net/ipv4/cipso_ipv4.o] Error 1 make[2]: *** Waiting for unfinished jobs scripts/Makefile.build:572: recipe for target 'net/ipv4' failed make[1]: *** [net/ipv4] Error 2 Makefile:1019: recipe for target 'net' failed make: *** [net] Error 2
Re: [PATCH v3 net] dccp/tcp: fix ireq->opt races
From: Eric Dumazet
Date: Thu, 19 Oct 2017 15:24:49 -0700

> From: Eric Dumazet
>
> syzkaller found another bug in DCCP/TCP stacks [1]
>
> For the reasons explained in commit ce1050089c96 ("tcp/dccp: fix
> ireq->pktopts race"), we need to make sure we do not access
> ireq->opt unless we own the request sock.
 ...
> Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
> Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table")
> Signed-off-by: Eric Dumazet
> ---
> v3: fixed the whitespace mangling
> v2: removed some lines from KASAN report that confuse patchwork.

Much better, applied and queued up for -stable.
[PATCH v3 net] dccp/tcp: fix ireq->opt races
From: Eric Dumazet syzkaller found another bug in DCCP/TCP stacks [1] For the reasons explained in commit ce1050089c96 ("tcp/dccp: fix ireq->pktopts race"), we need to make sure we do not access ireq->opt unless we own the request sock. [1] BUG: KASAN: use-after-free in ip_queue_xmit+0x1687/0x18e0 net/ipv4/ip_output.c:474 Read of size 1 at addr 8801c951039c by task syz-executor5/3295 CPU: 1 PID: 3295 Comm: syz-executor5 Not tainted 4.14.0-rc4+ #80 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x25b/0x340 mm/kasan/report.c:409 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427 ip_queue_xmit+0x1687/0x18e0 net/ipv4/ip_output.c:474 tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1135 tcp_send_ack.part.37+0x3bb/0x650 net/ipv4/tcp_output.c:3587 tcp_send_ack+0x49/0x60 net/ipv4/tcp_output.c:3557 __tcp_ack_snd_check+0x2c6/0x4b0 net/ipv4/tcp_input.c:5072 tcp_ack_snd_check net/ipv4/tcp_input.c:5085 [inline] tcp_rcv_state_process+0x2eff/0x4850 net/ipv4/tcp_input.c:6071 tcp_child_process+0x342/0x990 net/ipv4/tcp_minisocks.c:816 tcp_v4_rcv+0x1827/0x2f80 net/ipv4/tcp_ipv4.c:1682 ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216 NF_HOOK include/linux/netfilter.h:249 [inline] ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257 dst_input include/net/dst.h:464 [inline] ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397 NF_HOOK include/linux/netfilter.h:249 [inline] ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493 __netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4476 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4514 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4587 netif_receive_skb+0xae/0x390 net/core/dev.c:4611 tun_rx_batched.isra.50+0x5ed/0x860 drivers/net/tun.c:1372 
tun_get_user+0x249c/0x36d0 drivers/net/tun.c:1766 tun_chr_write_iter+0xbf/0x160 drivers/net/tun.c:1792 call_write_iter include/linux/fs.h:1770 [inline] new_sync_write fs/read_write.c:468 [inline] __vfs_write+0x68a/0x970 fs/read_write.c:481 vfs_write+0x18f/0x510 fs/read_write.c:543 SYSC_write fs/read_write.c:588 [inline] SyS_write+0xef/0x220 fs/read_write.c:580 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x40c341 RSP: 002b:7f469523ec10 EFLAGS: 0293 ORIG_RAX: 0001 RAX: ffda RBX: 00718000 RCX: 0040c341 RDX: 0037 RSI: 20004000 RDI: 0015 RBP: 0086 R08: R09: R10: 000f4240 R11: 0293 R12: 004b7fd1 R13: R14: 2000 R15: 00025000 Allocated by task 3295: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 __do_kmalloc mm/slab.c:3725 [inline] __kmalloc+0x162/0x760 mm/slab.c:3734 kmalloc include/linux/slab.h:498 [inline] tcp_v4_save_options include/net/tcp.h:1962 [inline] tcp_v4_init_req+0x2d3/0x3e0 net/ipv4/tcp_ipv4.c:1271 tcp_conn_request+0xf6d/0x3410 net/ipv4/tcp_input.c:6283 tcp_v4_conn_request+0x157/0x210 net/ipv4/tcp_ipv4.c:1313 tcp_rcv_state_process+0x8ea/0x4850 net/ipv4/tcp_input.c:5857 tcp_v4_do_rcv+0x55c/0x7d0 net/ipv4/tcp_ipv4.c:1482 tcp_v4_rcv+0x2d10/0x2f80 net/ipv4/tcp_ipv4.c:1711 ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216 NF_HOOK include/linux/netfilter.h:249 [inline] ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257 dst_input include/net/dst.h:464 [inline] ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397 NF_HOOK include/linux/netfilter.h:249 [inline] ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493 __netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4476 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4514 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4587 netif_receive_skb+0xae/0x390 net/core/dev.c:4611 tun_rx_batched.isra.50+0x5ed/0x860 drivers/net/tun.c:1372 tun_get_user+0x249c/0x36d0 
drivers/net/tun.c:1766 tun_chr_write_iter+0xbf/0x160 drivers/net/tun.c:1792 call_write_iter include/linux/fs.h:1770 [inline] new_sync_write fs/read_write.c:468 [inline] __vfs_write+0x68a/0x970 fs/read_write.c:481 vfs_write+0x18f/0x510 fs/read_write.c:543 SYSC_write fs/read_write.c:588 [inline] SyS_write+0xef/0x220 fs/read_write.c:580 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed by task 3306: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3503 [inline] kfree+0xca/0x250 mm/slab.c:3820 inet_sock_destruct+0x59d/0x950 net/ipv4/af_inet.c:157 __sk_destruct+0xfd/0x910 net/core/sock.c:1560 sk_destru