CVE-2023-54283

KCSAN reported a data-race when accessing node->ref. Although node->ref does not have to be accurate, take this chance to use a more common READONCE() and WRITEONCE() pattern instead of data_race().

There is an existing bpflrunodeisref() and bpflrunodesetref(). This patch also adds bpflrunodeclearref() to do the WRITE_ONCE(node->ref, 0) also.

================================================================== BUG: KCSAN: data-race in __bpflrulist_rotate / _htablrupercpumapupdateelem

write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: __bpflrunode_move kernel/bpf/bpflrulist.c:113 [inline] __bpflrulistrotateactive kernel/bpf/bpflrulist.c:149 [inline] __bpflrulistrotate+0x1bf/0x750 kernel/bpf/bpflrulist.c:240 bpflrulistpopfreetolocal kernel/bpf/bpflrulist.c:329 [inline] bpfcommonlrupopfree kernel/bpf/bpflrulist.c:447 [inline] bpflrupopfree+0x638/0xe20 kernel/bpf/bpflrulist.c:499 prealloclrupop kernel/bpf/hashtab.c:290 [inline] __htablrupercpu_mapupdateelem+0xe7/0x820 kernel/bpf/hashtab.c:1316 bpfpercpuhashupdate+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpfmapupdatevalue+0x2a9/0x370 kernel/bpf/syscall.c:200 genericmapupdatebatch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpfmapdobatch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __dosysbpf kernel/bpf/syscall.c:5096 [inline] __sesysbpf kernel/bpf/syscall.c:5094 [inline] __x64sysbpf+0x43/0x50 kernel/bpf/syscall.c:5094 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: bpflrunodesetref kernel/bpf/bpflrulist.h:70 [inline] __htablrupercpu_mapupdateelem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 bpfpercpuhashupdate+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpfmapupdatevalue+0x2a9/0x370 kernel/bpf/syscall.c:200 genericmapupdatebatch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpfmapdobatch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __dosysbpf kernel/bpf/syscall.c:5096 [inline] __sesysbpf kernel/bpf/syscall.c:5094 [inline] __x64sysbpf+0x43/0x50 kernel/bpf/syscall.c:5094 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

value changed: 0x01 -> 0x00

Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54283.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3a08c2fd763450a927d1130de078d6f9e74944fb

Fixed

6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90

Fixed

a89d14410ea0352420f03cddc67e0002dcc8f9a5

Fixed

e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5

Fixed

b6d9a4062c944ad095b34dc112bf646a84156f60

Fixed

819ca25444b377935faa2dbb0aa3547519b5c80f

Fixed

c006fe361cfd947f51a56793deddf891e5cbfef8

Fixed

6e5e83b56f50fbd1c8f7dca7df7d72c67be25571

Fixed

ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54283.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.10.0

Fixed

4.14.322

Type: ECOSYSTEM
Events: Introduced

4.15.0

Fixed

4.19.291

Type: ECOSYSTEM
Events: Introduced

4.20.0

Fixed

5.4.251

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.188

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.150

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.42

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.4.7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54283.json"