CVE-2022-49420

In the Linux kernel, the following vulnerability has been resolved:

net: annotate races around sk->skbounddev_if

UDP sendmsg() is lockless, and reads sk->skbounddev_if while this field can be changed by another thread.

Adds minimal annotations to avoid KCSAN splats for UDP. Following patches will add more annotations to potential lockless readers.

BUG: KCSAN: data-race in _ip6datagramconnect / udpv6sendmsg

write to 0xffff888136d47a94 of 4 bytes by task 7681 on cpu 0: _ip6datagramconnect+0x6e2/0x930 net/ipv6/datagram.c:221 ip6datagramconnect+0x2a/0x40 net/ipv6/datagram.c:272 inetdgramconnect+0x107/0x190 net/ipv4/afinet.c:576 _sysconnectfile net/socket.c:1900 [inline] _sysconnect+0x197/0x1b0 net/socket.c:1917 _dosysconnect net/socket.c:1927 [inline] _sesysconnect net/socket.c:1924 [inline] _x64sysconnect+0x3d/0x50 net/socket.c:1924 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x2b/0x50 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x44/0xae

read to 0xffff888136d47a94 of 4 bytes by task 7670 on cpu 1: udpv6sendmsg+0xc60/0x16e0 net/ipv6/udp.c:1436 inet6sendmsg+0x5f/0x80 net/ipv6/afinet6.c:652 socksendmsgnosec net/socket.c:705 [inline] socksendmsg net/socket.c:725 [inline] _syssendmsg+0x39a/0x510 net/socket.c:2413 syssendmsg net/socket.c:2467 [inline] _syssendmmsg+0x267/0x4c0 net/socket.c:2553 _dosyssendmmsg net/socket.c:2582 [inline] _sesyssendmmsg net/socket.c:2579 [inline] _x64syssendmmsg+0x53/0x60 net/socket.c:2579 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x2b/0x50 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x44/0xae

value changed: 0x00000000 -> 0xffffff9b

Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 7670 Comm: syz-executor.3 Tainted: G W 5.18.0-rc1-syzkaller-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

I chose to not add Fixes: tag because race has minor consequences and stable teams busy enough.