Development discussion of WireGuard
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
	netdev <netdev@vger.kernel.org>,
	 Eric Dumazet <eric.dumazet@gmail.com>,
	syzbot <syzkaller@googlegroups.com>,
	WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: [PATCH net] wireguard: fix race in wg_index_hashtable_replace()
Date: Tue, 8 Sep 2020 17:25:58 +0200	[thread overview]
Message-ID: <CAHmME9qG6ceo+ZYncHOJ1+PE_bv74suN5LAv1gFUTHaBy31p7A@mail.gmail.com> (raw)
In-Reply-To: <20200908145911.4090480-1-edumazet@google.com>

Hey Eric,

On Tue, Sep 8, 2020 at 4:59 PM Eric Dumazet <edumazet@google.com> wrote:
>
> syzbot got a NULL dereference in wg_index_hashtable_replace() [1]
>
> Issue here is that right after checking hlist_unhashed(&old->index_hash)
> another cpu might have removed @old already from the hash.
>
> Since we are dealing with a very unlikely case, we can simply
> acquire the table lock earlier.

That's a nice bug. It looks like this is triggered by a teardown race,
when wg_index_hashtable_replace races with wg_index_hashtable_remove.

Since all the other hashtable mutator functions are protected by that
spinlock, it doesn't seem harmful to fix this by doing the same, even
if formally that spinlock is supposed to protect hash bucket heads
rather than entry pointers.

I'm playing with your patch and a variant of it, which I'll have
queued up in my tree in the next hour or so.

Thanks a lot for triaging this.

Jason


Thread overview: 2+ messages
2020-09-08 14:59 Eric Dumazet
2020-09-08 15:25 ` Jason A. Donenfeld [this message]
