4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Sep 2021 08:42:34 +0000 (10:42 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Sep 2021 08:42:34 +0000 (10:42 +0200)
added patches:
net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch

queue-4.4/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch [new file with mode: 0644]
queue-4.4/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch b/queue-4.4/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
new file mode 100644 (file)
index 0000000..764d755
--- /dev/null
@@ -0,0 +1,97 @@
+From 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 8 Sep 2021 17:00:29 -0700
+Subject: net/af_unix: fix a data-race in unix_dgram_poll
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 upstream.
+
+syzbot reported another data-race in af_unix [1]
+
+Lets change __skb_insert() to use WRITE_ONCE() when changing
+skb head qlen.
+
+Also, change unix_dgram_poll() to use lockless version
+of unix_recvq_full()
+
+It is verry possible we can switch all/most unix_recvq_full()
+to the lockless version, this will be done in a future kernel version.
+
+[1] HEAD commit: 8596e589b787732c8346f0482919e83cc9362db1
+
+BUG: KCSAN: data-race in skb_queue_tail / unix_dgram_poll
+
+write to 0xffff88814eeb24e0 of 4 bytes by task 25815 on cpu 0:
+ __skb_insert include/linux/skbuff.h:1938 [inline]
+ __skb_queue_before include/linux/skbuff.h:2043 [inline]
+ __skb_queue_tail include/linux/skbuff.h:2076 [inline]
+ skb_queue_tail+0x80/0xa0 net/core/skbuff.c:3264
+ unix_dgram_sendmsg+0xff2/0x1600 net/unix/af_unix.c:1850
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2532
+ __do_sys_sendmmsg net/socket.c:2561 [inline]
+ __se_sys_sendmmsg net/socket.c:2558 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2558
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88814eeb24e0 of 4 bytes by task 25834 on cpu 1:
+ skb_queue_len include/linux/skbuff.h:1869 [inline]
+ unix_recvq_full net/unix/af_unix.c:194 [inline]
+ unix_dgram_poll+0x2bc/0x3e0 net/unix/af_unix.c:2777
+ sock_poll+0x23e/0x260 net/socket.c:1288
+ vfs_poll include/linux/poll.h:90 [inline]
+ ep_item_poll fs/eventpoll.c:846 [inline]
+ ep_send_events fs/eventpoll.c:1683 [inline]
+ ep_poll fs/eventpoll.c:1798 [inline]
+ do_epoll_wait+0x6ad/0xf00 fs/eventpoll.c:2226
+ __do_sys_epoll_wait fs/eventpoll.c:2238 [inline]
+ __se_sys_epoll_wait fs/eventpoll.c:2233 [inline]
+ __x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2233
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000001b -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 25834 Comm: syz-executor.1 Tainted: G        W         5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 86b18aaa2b5b ("skbuff: fix a data race in skb_queue_len()")
+Cc: Qian Cai <cai@lca.pw>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h |    2 +-
+ net/unix/af_unix.c     |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1502,7 +1502,7 @@ static inline void __skb_insert(struct s
+       newsk->next = next;
+       newsk->prev = prev;
+       next->prev  = prev->next = newsk;
+-      list->qlen++;
++      WRITE_ONCE(list->qlen, list->qlen + 1);
+ }
+ static inline void __skb_queue_splice(const struct sk_buff_head *list,
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2700,7 +2700,7 @@ static unsigned int unix_dgram_poll(stru
+               other = unix_peer(sk);
+               if (other && unix_peer(other) != sk &&
+-                  unix_recvq_full(other) &&
++                  unix_recvq_full_lockless(other) &&
+                   unix_dgram_peer_wake_me(sk, other))
+                       writable = 0;
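Review bot: The replacement line `unix_recvq_full_lockless(other) &&` in the unix_dgram_poll hunk relies on that helper already existing in the 4.4 tree, and nothing in this patch defines it; upstream it arrived with 86b18aaa2b5b, the commit named in the Fixes: tag, so the queue needs that backport applied ahead of this one or af_unix.c stops building. The `WRITE_ONCE(list->qlen, list->qlen + 1)` in __skb_insert is the store side of that pairing and deserves a one-line comment for future backporters, e.g. `/* Paired with the READ_ONCE() in the lockless queue-length readers (unix_recvq_full_lockless). */`. Only the increment path is annotated here; the other writers of qlen (unlink/splice helpers) are outside the hunk and are presumably covered by the 86b18aaa2b5b backport, which is worth confirming in 4.4 since KCSAN is not run on this tree. unix_dgram_poll's body begins before and ends after the hunk.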
diff --git a/queue-4.4/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch b/queue-4.4/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
new file mode 100644 (file)
index 0000000..df7b106
--- /dev/null
@@ -0,0 +1,78 @@
+From d7807a9adf4856171f8441f13078c33941df48ab Mon Sep 17 00:00:00 2001
+From: Yajun Deng <yajun.deng@linux.dev>
+Date: Mon, 13 Sep 2021 12:04:42 +0800
+Subject: Revert "ipv4: fix memory leaks in ip_cmsg_send() callers"
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+commit d7807a9adf4856171f8441f13078c33941df48ab upstream.
+
+This reverts commit 919483096bfe75dda338e98d56da91a263746a0a.
+
+There is only when ip_options_get() return zero need to free.
+It already called kfree() when return error.
+
+Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_sockglue.c |    2 +-
+ net/ipv4/ping.c        |    4 +---
+ net/ipv4/raw.c         |    4 +---
+ net/ipv4/udp.c         |    4 +---
+ 4 files changed, 4 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -253,7 +253,7 @@ int ip_cmsg_send(struct net *net, struct
+               case IP_RETOPTS:
+                       err = cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr));
+-                      /* Our caller is responsible for freeing ipc->opt */
++                      /* Our caller is responsible for freeing ipc->opt when err = 0 */
+                       err = ip_options_get(net, &ipc->opt, CMSG_DATA(cmsg),
+                                            err < 40 ? err : 40);
+                       if (err)
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -753,10 +753,8 @@ static int ping_v4_sendmsg(struct sock *
+       if (msg->msg_controllen) {
+               err = ip_cmsg_send(sock_net(sk), msg, &ipc, false);
+-              if (unlikely(err)) {
+-                      kfree(ipc.opt);
++              if (unlikely(err))
+                       return err;
+-              }
+               if (ipc.opt)
+                       free = 1;
+       }
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -557,10 +557,8 @@ static int raw_sendmsg(struct sock *sk,
+       if (msg->msg_controllen) {
+               err = ip_cmsg_send(net, msg, &ipc, false);
+-              if (unlikely(err)) {
+-                      kfree(ipc.opt);
++              if (unlikely(err))
+                       goto out;
+-              }
+               if (ipc.opt)
+                       free = 1;
+       }
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -966,10 +966,8 @@ int udp_sendmsg(struct sock *sk, struct
+       if (msg->msg_controllen) {
+               err = ip_cmsg_send(sock_net(sk), msg, &ipc,
+                                  sk->sk_family == AF_INET6);
+-              if (unlikely(err)) {
+-                      kfree(ipc.opt);
++              if (unlikely(err))
+                       return err;
+-              }
+               if (ipc.opt)
+                       free = 1;
+               connected = 0;
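Review bot: Removing `kfree(ipc.opt)` from the error paths of ping_v4_sendmsg, raw_sendmsg and udp_sendmsg reintroduces a leak whenever ip_cmsg_send() fails after an IP_RETOPTS control message has already been parsed successfully: the justification in the message covers only a failing ip_options_get(), but ip_cmsg_send() presumably walks every cmsg in the msghdr, and a later malformed cmsg returns an error with ipc.opt still allocated and now nobody frees it. Control messages are attacker-controlled from an unprivileged sendmsg(), so that is a user-triggerable kernel memory leak (a DoS vector), which is exactly what the reverted commit 919483096bfe addressed. The rewritten comment `/* Our caller is responsible for freeing ipc->opt when err = 0 */` is misleading for the same reason; it should read `/* Our caller is responsible for freeing ipc->opt on every exit after this point, not only when err == 0 */`. Unless 4.4's ip_cmsg_send() is confirmed to have no failure path after a successful IP_RETOPTS, this revert should be dropped from the 4.4 queue rather than applied. The three sendmsg bodies and ip_cmsg_send() begin and end outside the hunk.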
index f698447a837fc851a4f7bbb6ca68671a515413fd..d9acad802c1a7c73e5b2712330f0200e270906c3 100644 (file)
@@ -123,3 +123,5 @@ net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch
 parisc-declare-pci_iounmap-parisc-version-only-when-config_pci-enabled.patch
 r6040-restore-mdio-clock-frequency-after-mac-reset.patch
 tipc-increase-timeout-in-tipc_sk_enqueue.patch
+net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
+revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch