Blaster4385/linux-IllusionX
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
linux-IllusionX/net
History
Eric Dumazet 1bef4c223b ipv6: fixes rt6_probe() and fib6_nh->last_probe init 
While looking at a syzbot KCSAN report [1], I found multiple
issues in this code :

1) fib6_nh->last_probe has an initial value of 0.

   While probably okay on 64bit kernels, this causes an issue
   on 32bit kernels since the time_after(jiffies, 0 + interval)
   might be false ~24 days after boot (for HZ=1000)

2) The data-race found by KCSAN
   I could use READ_ONCE() and WRITE_ONCE(), but we also can
   take the opportunity of not piling-up too many rt6_probe_deferred()
   works by using instead cmpxchg() so that only one cpu wins the race.

[1]
BUG: KCSAN: data-race in find_match / find_match

write to 0xffff8880bb7aabe8 of 8 bytes by interrupt on cpu 1:
 rt6_probe net/ipv6/route.c:663 [inline]
 find_match net/ipv6/route.c:757 [inline]
 find_match+0x5bd/0x790 net/ipv6/route.c:733
 __find_rr_leaf+0xe3/0x780 net/ipv6/route.c:831
 find_rr_leaf net/ipv6/route.c:852 [inline]
 rt6_select net/ipv6/route.c:896 [inline]
 fib6_table_lookup+0x383/0x650 net/ipv6/route.c:2164
 ip6_pol_route+0xee/0x5c0 net/ipv6/route.c:2200
 ip6_pol_route_output+0x48/0x60 net/ipv6/route.c:2452
 fib6_rule_lookup+0x3d6/0x470 net/ipv6/fib6_rules.c:117
 ip6_route_output_flags_noref+0x16b/0x230 net/ipv6/route.c:2484
 ip6_route_output_flags+0x50/0x1a0 net/ipv6/route.c:2497
 ip6_dst_lookup_tail+0x25d/0xc30 net/ipv6/ip6_output.c:1049
 ip6_dst_lookup_flow+0x68/0x120 net/ipv6/ip6_output.c:1150
 inet6_csk_route_socket+0x2f7/0x420 net/ipv6/inet6_connection_sock.c:106
 inet6_csk_xmit+0x91/0x1f0 net/ipv6/inet6_connection_sock.c:121
 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
 tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
 tcp_xmit_probe_skb+0x19b/0x1d0 net/ipv4/tcp_output.c:3735

read to 0xffff8880bb7aabe8 of 8 bytes by interrupt on cpu 0:
 rt6_probe net/ipv6/route.c:657 [inline]
 find_match net/ipv6/route.c:757 [inline]
 find_match+0x521/0x790 net/ipv6/route.c:733
 __find_rr_leaf+0xe3/0x780 net/ipv6/route.c:831
 find_rr_leaf net/ipv6/route.c:852 [inline]
 rt6_select net/ipv6/route.c:896 [inline]
 fib6_table_lookup+0x383/0x650 net/ipv6/route.c:2164
 ip6_pol_route+0xee/0x5c0 net/ipv6/route.c:2200
 ip6_pol_route_output+0x48/0x60 net/ipv6/route.c:2452
 fib6_rule_lookup+0x3d6/0x470 net/ipv6/fib6_rules.c:117
 ip6_route_output_flags_noref+0x16b/0x230 net/ipv6/route.c:2484
 ip6_route_output_flags+0x50/0x1a0 net/ipv6/route.c:2497
 ip6_dst_lookup_tail+0x25d/0xc30 net/ipv6/ip6_output.c:1049
 ip6_dst_lookup_flow+0x68/0x120 net/ipv6/ip6_output.c:1150
 inet6_csk_route_socket+0x2f7/0x420 net/ipv6/inet6_connection_sock.c:106
 inet6_csk_xmit+0x91/0x1f0 net/ipv6/inet6_connection_sock.c:121
 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 18894 Comm: udevd Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: cc3a86c802 ("ipv6: Change rt6_probe to take a fib6_nh")
Fixes: f547fac624 ("ipv6: rate-limit probes for neighbourless routes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-11-07 16:13:13 -08:00
..
6lowpan
9p 9p pull request for inclusion in 5.4 2019-09-27 15:10:34 -07:00
802
8021q net: remove unnecessary variables and callback 2019-10-24 14:53:49 -07:00
appletalk appletalk: enforce CAP_NET_RAW for raw sockets 2019-09-24 16:37:18 +02:00
atm net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
ax25 ax25: enforce CAP_NET_RAW for raw sockets 2019-09-24 16:37:18 +02:00
batman-adv Here are two batman-adv bugfixes: 2019-10-28 16:39:07 -07:00
bluetooth net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
bpf
bpfilter
bridge bridge: ebtables: don't crash when using dnat target in output chains 2019-11-04 20:58:34 +01:00
caif net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
can can: j1939: transport: j1939_xtp_rx_eoma_one(): Add sanity check for correct total message size 2019-11-04 21:47:23 +01:00
ceph
core net/tls: fix sk_msg trim on fallback to copy mode 2019-11-05 18:07:47 -08:00
dcb
dccp dccp: do not leak jiffies on the wire 2019-11-04 11:36:31 -08:00
decnet net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
dns_resolver
dsa net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
ethernet
hsr
ieee802154 net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
ife net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
ipv4 inet: stop leaking jiffies on the wire 2019-11-01 14:57:52 -07:00
ipv6 ipv6: fixes rt6_probe() and fib6_nh->last_probe init 2019-11-07 16:13:13 -08:00
iucv
kcm kcm: disable preemption in kcm_parse_func_strparser() 2019-09-27 10:27:14 +02:00
key
l2tp net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
l3mdev
lapb
llc net: silence KCSAN warnings around sk_add_backlog() calls 2019-10-09 21:42:59 -07:00
mac80211 mac80211: fix scan when operating on DFS channels in ETSI domains 2019-10-07 22:10:50 +02:00
mac802154
mpls
ncsi net/ncsi: Disable global multicast filter 2019-09-19 18:04:40 -07:00
netfilter Merge branch 'master' of git://blackhole.kfki.hu/nf 2019-11-04 20:59:00 +01:00
netlabel
netlink
netrom net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
nfc nfc: netlink: fix double device reference drop 2019-11-07 15:23:19 -08:00
nsh
openvswitch netns: fix GFP flags in rtnl_net_notifyid() 2019-10-25 20:14:42 -07:00
packet netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
psample
qrtr net: qrtr: Stop rx_worker before freeing node 2019-09-21 18:45:46 -07:00
rds net/rds: Fix error handling in rds_ib_add_one() 2019-10-02 12:16:57 -04:00
rfkill
rose net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
rxrpc rxrpc: Fix handling of last subpacket of jumbo packet 2019-10-31 12:23:09 -07:00
sched net: sched: prevent duplicate flower rules from tcf_proto destroy race 2019-11-05 17:47:26 -08:00
sctp inet: stop leaking jiffies on the wire 2019-11-01 14:57:52 -07:00
smc net/smc: fix ethernet interface refcounting 2019-11-06 17:44:32 -08:00
strparser
sunrpc SUNRPC: Destroy the back channel when we destroy the host transport 2019-10-30 12:04:35 -04:00
switchdev
tipc net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
tls net/tls: add a TX lock 2019-11-06 17:33:32 -08:00
unix net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
vmw_vsock net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
wimax
wireless nl80211: fix validation of mesh path nexthop 2019-10-30 10:11:18 +01:00
x25 net: silence KCSAN warnings around sk_add_backlog() calls 2019-10-09 21:42:59 -07:00
xdp xsk: Fix registration of Rx-only sockets 2019-10-23 20:22:11 -07:00
xfrm netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
compat.c
Kconfig
Makefile
socket.c
sysctl_net.c