Commit a5a7daa5 authored Nov 06, 2019 by Eric Dumazet Committed by David S. Miller Nov 06, 2019

tcp: fix data-race in tcp_recvmsg()



Reading tp->recvmsg_inq after socket lock is released
raises a KCSAN warning [1]

Replace has_tss & has_cmsg by cmsg_flags and make
sure to not read tp->recvmsg_inq a second time.

[1]
BUG: KCSAN: data-race in tcp_chrono_stop / tcp_recvmsg

write to 0xffff888126adef24 of 2 bytes by interrupt on cpu 0:
 tcp_chrono_set net/ipv4/tcp_output.c:2309 [inline]
 tcp_chrono_stop+0x14c/0x280 net/ipv4/tcp_output.c:2338
 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3165 [inline]
 tcp_ack+0x274f/0x3170 net/ipv4/tcp_input.c:3688
 tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
 tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
 tcp_v4_rcv+0x19dc/0x1bb0 net/ipv4/tcp_ipv4.c:1942
 ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:442 [inline]
 ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010
 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124
 netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5214
 napi_skb_finish net/core/dev.c:5677 [inline]
 napi_gro_receive+0x28f/0x330 net/core/dev.c:5710

read to 0xffff888126adef25 of 1 bytes by task 7275 on cpu 1:
 tcp_recvmsg+0x77b/0x1a30 net/ipv4/tcp.c:2187
 inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
 sock_recvmsg_nosec net/socket.c:871 [inline]
 sock_recvmsg net/socket.c:889 [inline]
 sock_recvmsg+0x92/0xb0 net/socket.c:885
 sock_read_iter+0x15f/0x1e0 net/socket.c:967
 call_read_iter include/linux/fs.h:1889 [inline]
 new_sync_read+0x389/0x4f0 fs/read_write.c:414
 __vfs_read+0xb1/0xc0 fs/read_write.c:427
 vfs_read fs/read_write.c:461 [inline]
 vfs_read+0x143/0x2c0 fs/read_write.c:446
 ksys_read+0xd5/0x1b0 fs/read_write.c:587
 __do_sys_read fs/read_write.c:597 [inline]
 __se_sys_read fs/read_write.c:595 [inline]
 __x64_sys_read+0x4c/0x60 fs/read_write.c:595
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 7275 Comm: sshd Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: b75eba76 ("tcp: send in-queue bytes in cmsg upon read")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 9ed498c6

net/ipv4/tcp.c

+6 −8

Original line number	Diff line number	Diff line
		@@ -1958,8 +1958,7 @@ int tcp_recvmsg(struct sock sk, struct msghdr msg, size_t len, int nonblock,
		struct sk_buff skb, last;
		u32 urg_hole = 0;
		struct scm_timestamping_internal tss;
		bool has_tss = false;
		bool has_cmsg;
		int cmsg_flags;

		if (unlikely(flags & MSG_ERRQUEUE))
		return inet_recv_error(sk, msg, len, addr_len);
		@@ -1974,7 +1973,7 @@ int tcp_recvmsg(struct sock sk, struct msghdr msg, size_t len, int nonblock,
		if (sk->sk_state == TCP_LISTEN)
		goto out;

		has_cmsg = tp->recvmsg_inq;
		cmsg_flags = tp->recvmsg_inq ? 1 : 0;
		timeo = sock_rcvtimeo(sk, nonblock);

		/* Urgent data needs to be handled specially. */
		@@ -2157,8 +2156,7 @@ skip_copy:

		if (TCP_SKB_CB(skb)->has_rxtstamp) {
		tcp_update_recv_tstamps(skb, &tss);
		has_tss = true;
		has_cmsg = true;
		cmsg_flags \|= 2;
		}
		if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
		goto found_fin_ok;
		@@ -2183,10 +2181,10 @@ found_fin_ok:

		release_sock(sk);

		if (has_cmsg) {
		if (has_tss)
		if (cmsg_flags) {
		if (cmsg_flags & 2)
		tcp_recv_timestamp(msg, sk, &tss);
		if (tp->recvmsg_inq) {
		if (cmsg_flags & 1) {
		inq = tcp_inq_hint(sk);
		put_cmsg(msg, SOL_TCP, TCP_CM_INQ, sizeof(inq), &inq);
		}

Admin message