From patchwork Wed Sep 9 11:58:13 2020
X-Patchwork-Submitter: "Jason A. Donenfeld"
X-Patchwork-Id: 249460
From: "Jason A. Donenfeld"
To: netdev@vger.kernel.org, davem@davemloft.net
Cc: "Jason A. Donenfeld", Eric Dumazet
Subject: [PATCH net 0/2] wireguard fixes for 5.9-rc5
Date: Wed, 9 Sep 2020 13:58:13 +0200
Message-Id: <20200909115815.522168-1-Jason@zx2c4.com>
X-Mailing-List: netdev@vger.kernel.org

Hi Dave,

Yesterday, Eric reported a race condition found by syzbot. This series
contains two commits, one that fixes the direct issue, and another that
addresses the more general issue, as a defense in depth.

1) The basic problem syzbot unearthed was that one particular mutation
   of handshake->entry was not protected by the handshake mutex like the
   other cases, so this patch basically just reorders a line to make
   sure the mutex is actually taken at the right point. Most of the work
   here went into making sure the race was fully understood and making a
   reproducer (which syzbot was unable to do itself, due to the rarity
   of the race).

2) Eric's initial suggestion for fixing this was taking a spinlock
   around the hash table replace function where the null ptr deref was
   happening. This doesn't address the main problem in the most precise
   possible way like (1) does, but it is a good suggestion for
   defense-in-depth, in case related issues come up in the future, and
   basically costs nothing from a performance perspective. I thought it
   aided in implementing a good general rule: all mutators of that hash
   table take the table lock. So that's part of this series as a
   companion.

Both of these contain Fixes: tags and are good candidates for stable.

Jason A. Donenfeld (2):
  wireguard: noise: take lock when removing handshake entry from table
  wireguard: peerlookup: take lock before checking hash in replace
    operation

 drivers/net/wireguard/noise.c      |  5 +----
 drivers/net/wireguard/peerlookup.c | 11 ++++++++---
 2 files changed, 9 insertions(+), 7 deletions(-)

Cc: Eric Dumazet

-- 
2.28.0
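
The rule from (2), that every mutator of the table takes the table lock and that the replace operation tests the entry only once the lock is held, sketched as a userspace C analogue. This is an added example, not code from these patches or from WireGuard: the struct and function names are hypothetical, and a pthread mutex with a single bucket stands in for the kernel's spinlock and hash table.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace stand-in for a kernel hlist; every name here is hypothetical. */
struct node { struct node *next, **pprev; };   /* pprev == NULL: unhashed */
struct table { pthread_mutex_t lock; struct node *head; };

static void mark_unhashed(struct node *n) { n->next = NULL; n->pprev = NULL; }

/* Link n into *slot ahead of next; the caller holds the table lock. */
static void link_at(struct node **slot, struct node *n, struct node *next)
{
    n->next = next;
    n->pprev = slot;
    *slot = n;
    if (next)
        next->pprev = &n->next;
}

static void table_add(struct table *t, struct node *n)
{
    pthread_mutex_lock(&t->lock);
    link_at(&t->head, n, t->head);
    pthread_mutex_unlock(&t->lock);
}

static void table_remove(struct table *t, struct node *n)
{
    pthread_mutex_lock(&t->lock);
    if (n->pprev) {                      /* still hashed */
        *n->pprev = n->next;
        if (n->next)
            n->next->pprev = n->pprev;
        mark_unhashed(n);
    }
    pthread_mutex_unlock(&t->lock);
}

/* The hashed test runs under the lock, so a concurrent table_remove(old)
 * cannot clear old->pprev between the test and the store through it. */
static bool table_replace(struct table *t, struct node *old, struct node *repl)
{
    pthread_mutex_lock(&t->lock);
    bool hashed = old->pprev != NULL;
    if (hashed) {
        link_at(old->pprev, repl, old->next);
        mark_unhashed(old);
    }
    pthread_mutex_unlock(&t->lock);
    return hashed;
}
```

If the hashed test were made before taking the lock, a removal landing between the test and the store would leave `old->pprev` NULL when it is dereferenced.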