• C
    soreuseport: fix initialization race · 1b5f962e
    Craig Gallek 提交于
    Syzkaller stumbled upon a way to trigger
    WARNING: CPU: 1 PID: 13881 at net/core/sock_reuseport.c:41
    reuseport_alloc+0x306/0x3b0 net/core/sock_reuseport.c:39
    
    There are two initialization paths for the sock_reuseport structure in a
    socket: Through the udp/tcp bind paths of SO_REUSEPORT sockets or through
    SO_ATTACH_REUSEPORT_[CE]BPF before bind.  The existing implementation
    assumedthat the socket lock protected both of these paths when it actually
    only protects the SO_ATTACH_REUSEPORT path.  Syzkaller triggered this
    double allocation by running these paths concurrently.
    
    This patch moves the check for double allocation into the reuseport_alloc
    function which is protected by a global spin lock.
    
    Fixes: e32ea7e7 ("soreuseport: fast reuseport UDP socket selection")
    Fixes: c125e80b ("soreuseport: fast reuseport TCP socket selection")
    Signed-off-by: NCraig Gallek <kraig@google.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    1b5f962e
udp.c 72.5 KB