mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-15 23:25:07 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/ipv6
History
Eric Dumazet 26e398dcb3 ipv6: fixes rt6_probe() and fib6_nh->last_probe init 
[ Upstream commit 1bef4c223b ]

While looking at a syzbot KCSAN report [1], I found multiple
issues in this code :

1) fib6_nh->last_probe has an initial value of 0.

   While probably okay on 64bit kernels, this causes an issue
   on 32bit kernels since the time_after(jiffies, 0 + interval)
   might be false ~24 days after boot (for HZ=1000)

2) The data-race found by KCSAN
   I could use READ_ONCE() and WRITE_ONCE(), but we also can
   take the opportunity of not piling-up too many rt6_probe_deferred()
   works by using instead cmpxchg() so that only one cpu wins the race.

[1]
BUG: KCSAN: data-race in find_match / find_match

write to 0xffff8880bb7aabe8 of 8 bytes by interrupt on cpu 1:
 rt6_probe net/ipv6/route.c:663 [inline]
 find_match net/ipv6/route.c:757 [inline]
 find_match+0x5bd/0x790 net/ipv6/route.c:733
 __find_rr_leaf+0xe3/0x780 net/ipv6/route.c:831
 find_rr_leaf net/ipv6/route.c:852 [inline]
 rt6_select net/ipv6/route.c:896 [inline]
 fib6_table_lookup+0x383/0x650 net/ipv6/route.c:2164
 ip6_pol_route+0xee/0x5c0 net/ipv6/route.c:2200
 ip6_pol_route_output+0x48/0x60 net/ipv6/route.c:2452
 fib6_rule_lookup+0x3d6/0x470 net/ipv6/fib6_rules.c:117
 ip6_route_output_flags_noref+0x16b/0x230 net/ipv6/route.c:2484
 ip6_route_output_flags+0x50/0x1a0 net/ipv6/route.c:2497
 ip6_dst_lookup_tail+0x25d/0xc30 net/ipv6/ip6_output.c:1049
 ip6_dst_lookup_flow+0x68/0x120 net/ipv6/ip6_output.c:1150
 inet6_csk_route_socket+0x2f7/0x420 net/ipv6/inet6_connection_sock.c:106
 inet6_csk_xmit+0x91/0x1f0 net/ipv6/inet6_connection_sock.c:121
 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
 tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
 tcp_xmit_probe_skb+0x19b/0x1d0 net/ipv4/tcp_output.c:3735

read to 0xffff8880bb7aabe8 of 8 bytes by interrupt on cpu 0:
 rt6_probe net/ipv6/route.c:657 [inline]
 find_match net/ipv6/route.c:757 [inline]
 find_match+0x521/0x790 net/ipv6/route.c:733
 __find_rr_leaf+0xe3/0x780 net/ipv6/route.c:831
 find_rr_leaf net/ipv6/route.c:852 [inline]
 rt6_select net/ipv6/route.c:896 [inline]
 fib6_table_lookup+0x383/0x650 net/ipv6/route.c:2164
 ip6_pol_route+0xee/0x5c0 net/ipv6/route.c:2200
 ip6_pol_route_output+0x48/0x60 net/ipv6/route.c:2452
 fib6_rule_lookup+0x3d6/0x470 net/ipv6/fib6_rules.c:117
 ip6_route_output_flags_noref+0x16b/0x230 net/ipv6/route.c:2484
 ip6_route_output_flags+0x50/0x1a0 net/ipv6/route.c:2497
 ip6_dst_lookup_tail+0x25d/0xc30 net/ipv6/ip6_output.c:1049
 ip6_dst_lookup_flow+0x68/0x120 net/ipv6/ip6_output.c:1150
 inet6_csk_route_socket+0x2f7/0x420 net/ipv6/inet6_connection_sock.c:106
 inet6_csk_xmit+0x91/0x1f0 net/ipv6/inet6_connection_sock.c:121
 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 18894 Comm: udevd Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: cc3a86c802 ("ipv6: Change rt6_probe to take a fib6_nh")
Fixes: f547fac624 ("ipv6: rate-limit probes for neighbourless routes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-12 19:20:33 +01:00
..
ila ila: Fix rhashtable walker list corruption 2019-04-03 06:26:18 +02:00
netfilter netfilter: Fix rpfilter dropping vrf packets by mistake 2019-08-16 10:12:43 +02:00
addrconf.c ipv6: Handle missing host route in __ipv6_ifa_notify 2019-10-07 18:57:21 +02:00
addrconf_core.c net/ipv6: Add helper to return path MTU based on fib result 2018-05-22 10:51:09 +02:00
addrlabel.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
af_inet6.c ipv6: Consider sk_bound_dev_if when binding a socket to an address 2019-02-06 17:30:06 +01:00
ah6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
anycast.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
calipso.c ipv6: make ipv6_renew_options() interrupt/kernel safe 2018-07-05 20:15:26 +09:00
datagram.c udp: correct reuseport selection with connected sockets 2019-09-21 07:16:43 +02:00
esp6.c esp: Skip TX bytes accounting when sending from a request socket 2019-03-23 20:09:48 +01:00
esp6_offload.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2018-07-27 09:33:37 -07:00
exthdrs.c ipv6: make ipv6_renew_options() interrupt/kernel safe 2018-07-05 20:15:26 +09:00
exthdrs_core.c net: ipv6: Fix typo in ipv6_find_hdr() documentation 2018-05-07 23:50:27 -04:00
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c net/ipv6: Add fib6_lookup 2018-05-11 00:10:56 +02:00
fou6.c
icmp.c ipv6: make icmp6_send() robust against null skb->dev 2019-01-22 21:40:35 +01:00
inet6_connection_sock.c
inet6_hashtables.c net: annotate accesses to sk->sk_incoming_cpu 2019-11-10 11:27:38 +01:00
ip6_checksum.c net: udp: fix handling of CHECKSUM_COMPLETE packets 2018-11-04 14:50:51 +01:00
ip6_fib.c ipv6: Unlink sibling route in case of failure 2019-07-28 08:29:24 +02:00
ip6_flowlabel.c ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero 2019-06-22 08:15:13 +02:00
ip6_gre.c erspan: fix the tun_info options_len check for erspan 2019-11-10 11:27:37 +01:00
ip6_icmp.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip6_input.c net: ipv6: fix listify ip6_rcv_finish in case of forwarding 2019-10-29 09:19:42 +01:00
ip6_offload.c gso_segment: Reset skb->mac_len after modifying network header 2018-09-13 12:09:32 -07:00
ip6_offload.h
ip6_output.c ipv6: Fix dangling pointer when ipv6 fragment 2019-04-17 08:38:40 +02:00
ip6_tunnel.c ip6_tunnel: fix possible use-after-free on xmit 2019-08-09 17:52:30 +02:00
ip6_udp_tunnel.c ipv6: explicitly initialize udp6_addr in udp_sock_create6() 2019-01-09 17:38:31 +01:00
ip6_vti.c ip: validate header length on virtual device xmit 2019-01-09 17:38:31 +01:00
ip6mr.c ip6mr: Do not call __IP6_INC_STATS() from preemptible context 2019-03-10 07:17:16 +01:00
ipcomp6.c
ipv6_sockglue.c Merge ra.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux 2018-07-20 21:17:12 -07:00
Kconfig net: remove blank lines at end of file 2018-07-24 14:10:43 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mcast.c mld: fix memory leak in mld_del_delrec() 2019-09-10 10:33:38 +01:00
mcast_snoop.c
mip6.c
ndisc.c ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called 2018-11-04 14:50:51 +01:00
netfilter.c netfilter: ipv6: Don't preserve original oif for loopback address 2019-02-27 10:09:03 +01:00
output_core.c inet: switch IP ID generator to siphash 2019-06-04 08:02:30 +02:00
ping.c ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' 2019-09-19 09:09:28 +02:00
proc.c proc: introduce proc_create_net_single 2018-05-16 07:24:30 +02:00
protocol.c
raw.c ipv6: fix EFAULT on sendto with icmpv6 and hdrincl 2019-06-11 12:20:50 +02:00
reassembly.c net: IP6 defrag: use rbtrees for IPv6 defrag 2019-04-27 09:36:33 +02:00
route.c ipv6: fixes rt6_probe() and fib6_nh->last_probe init 2019-11-12 19:20:33 +01:00
seg6.c ipv6: propagate genlmsg_reply return code 2019-02-27 10:08:58 +01:00
seg6_hmac.c Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net 2018-07-03 10:29:26 +09:00
seg6_iptunnel.c ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation 2019-02-06 17:30:06 +01:00
seg6_local.c bpf: add End.DT6 action to bpf_lwt_seg6_action helper 2018-07-31 09:22:48 +02:00
sit.c vrf: sit mtu should not be updated when vrf netdev is the link 2019-05-16 19:41:30 +02:00
syncookies.c net/ipv4: disable SMC TCP option with SYN Cookies 2018-03-25 20:53:54 -04:00
sysctl_net_ipv6.c ipv6: sr: Compute flowlabel for outer IPv6 header of seg6 encap mode 2018-04-25 13:02:15 -04:00
tcp_ipv6.c tcp: do not use ipv6 header for ipv4 flow 2019-04-03 06:26:18 +02:00
tcpv6_offload.c net: Convert GRO SKB handling to list_head. 2018-06-26 11:33:04 +09:00
tunnel6.c
udp.c net: annotate accesses to sk->sk_incoming_cpu 2019-11-10 11:27:38 +01:00
udp_impl.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
udp_offload.c net: Convert GRO SKB handling to list_head. 2018-06-26 11:33:04 +09:00
udplite.c proc: introduce proc_create_net{,_data} 2018-05-16 07:24:30 +02:00
xfrm6_input.c xfrm: reset transport header back to network header after all input transforms ahave been applied 2018-09-04 10:26:30 +02:00
xfrm6_mode_beet.c
xfrm6_mode_ro.c ipv6: xfrm: use 64-bit timestamps 2018-07-11 15:26:35 +02:00
xfrm6_mode_transport.c xfrm: reset transport header back to network header after all input transforms ahave been applied 2018-09-04 10:26:30 +02:00
xfrm6_mode_tunnel.c xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto 2018-03-07 10:54:29 +01:00
xfrm6_output.c xfrm6: call kfree_skb when skb is toobig 2018-09-03 07:37:57 +02:00
xfrm6_policy.c net/xfrm: fix out-of-bounds packet access 2018-10-11 13:24:46 +02:00
xfrm6_protocol.c
xfrm6_state.c xfrm: remove VLA usage in __xfrm6_sort() 2018-04-26 07:51:48 +02:00
xfrm6_tunnel.c xfrm: clean up xfrm protocol checks 2019-05-25 18:23:41 +02:00