    sctp: cache netns in sctp_ep_common · 31243461
    Xin Long authored
    This patch is to fix a data-race reported by syzbot:
    
      BUG: KCSAN: data-race in sctp_assoc_migrate / sctp_hash_obj
    
      write to 0xffff8880b67c0020 of 8 bytes by task 18908 on cpu 1:
        sctp_assoc_migrate+0x1a6/0x290 net/sctp/associola.c:1091
        sctp_sock_migrate+0x8aa/0x9b0 net/sctp/socket.c:9465
        sctp_accept+0x3c8/0x470 net/sctp/socket.c:4916
        inet_accept+0x7f/0x360 net/ipv4/af_inet.c:734
        __sys_accept4+0x224/0x430 net/socket.c:1754
        __do_sys_accept net/socket.c:1795 [inline]
        __se_sys_accept net/socket.c:1792 [inline]
        __x64_sys_accept+0x4e/0x60 net/socket.c:1792
        do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
      read to 0xffff8880b67c0020 of 8 bytes by task 12003 on cpu 0:
        sctp_hash_obj+0x4f/0x2d0 net/sctp/input.c:894
        rht_key_get_hash include/linux/rhashtable.h:133 [inline]
        rht_key_hashfn include/linux/rhashtable.h:159 [inline]
        rht_head_hashfn include/linux/rhashtable.h:174 [inline]
        head_hashfn lib/rhashtable.c:41 [inline]
        rhashtable_rehash_one lib/rhashtable.c:245 [inline]
        rhashtable_rehash_chain lib/rhashtable.c:276 [inline]
        rhashtable_rehash_table lib/rhashtable.c:316 [inline]
        rht_deferred_worker+0x468/0xab0 lib/rhashtable.c:420
        process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
        worker_thread+0xa0/0x800 kernel/workqueue.c:2415
        kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
        ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
    
    It was caused by rhashtable accessing asoc->base.sk when sctp_assoc_migrate
    is changing its value. However, what rhashtable wants is netns from asoc
    base.sk, and for an asoc, its netns won't change once set. So we can
    simply fix it by caching netns since created.
    
    Fixes: d6c0256a ("sctp: add the rhashtable apis for sctp global transport hashtable")
    Reported-by: syzbot+e3b35fe7918ff0ee474e@syzkaller.appspotmail.com
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
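
The fix described in the commit message, as a simplified userspace C model added here (it is not the kernel patch and not code from this commit): the hash key comes from a net pointer cached at creation instead of being read through sk, which migration rewrites. All `model_*` names, the hash formula and the sample values are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model; every name here is hypothetical, not a kernel symbol. */
struct model_net  { uint32_t hash_mix; };      /* stands in for a netns */
struct model_sock { struct model_net *net; };  /* stands in for struct sock */

struct model_ep_common {
    struct model_sock *sk;   /* rewritten when the association migrates */
    struct model_net  *net;  /* cached at creation, never written again */
    uint16_t port;
};

void model_ep_init(struct model_ep_common *b, struct model_sock *sk, uint16_t port)
{
    b->sk = sk;
    b->net = sk->net;        /* cache the netns once, at creation */
    b->port = port;
}

/* Before: the hash key is reached through the mutable sk pointer. */
uint32_t hash_via_sk(const struct model_ep_common *b)
{
    return (b->sk->net->hash_mix ^ b->port) * 2654435761u;
}

/* After: the hash key uses only the cached, write-once net pointer. */
uint32_t hash_via_cached_net(const struct model_ep_common *b)
{
    return (b->net->hash_mix ^ b->port) * 2654435761u;
}

/* Returns 1 if the cached-net hash is identical before, during and after
 * a migration to a new socket in the same netns. */
int cached_hash_stable_across_migration(void)
{
    struct model_net ns = { 0x9e3779b9u };               /* constructed value */
    struct model_sock listener = { &ns }, accepted = { &ns };
    struct model_ep_common base;

    model_ep_init(&base, &listener, 5000);
    uint32_t before = hash_via_cached_net(&base);
    int agree = (before == hash_via_sk(&base));
    base.sk = NULL;          /* stand-in for the window in which sk is rewritten */
    uint32_t during = hash_via_cached_net(&base);        /* never touches sk */
    base.sk = &accepted;     /* migration finished */
    return agree && before == during && during == hash_via_sk(&base);
}

int main(void) { return cached_hash_stable_across_migration() ? 0 : 1; }
```

Because the hashing path no longer loads `sk` at all, a rehash running concurrently with migration has no shared field left to race on.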
endpointola.c 10.1 KB