iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet d9bd9d4c60 net_sched: add __rcu annotation to netdev->qdisc 
commit 5891cd5ec46c2c2eb6427cb54d214b149635dd0e upstream.

syzbot found a data-race [1] which lead me to add __rcu
annotations to netdev->qdisc, and proper accessors
to get LOCKDEP support.

[1]
BUG: KCSAN: data-race in dev_activate / qdisc_lookup_rcu

write to 0xffff888168ad6410 of 8 bytes by task 13559 on cpu 1:
 attach_default_qdiscs net/sched/sch_generic.c:1167 [inline]
 dev_activate+0x2ed/0x8f0 net/sched/sch_generic.c:1221
 __dev_open+0x2e9/0x3a0 net/core/dev.c:1416
 __dev_change_flags+0x167/0x3f0 net/core/dev.c:8139
 rtnl_configure_link+0xc2/0x150 net/core/rtnetlink.c:3150
 __rtnl_newlink net/core/rtnetlink.c:3489 [inline]
 rtnl_newlink+0xf4d/0x13e0 net/core/rtnetlink.c:3529
 rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594
 netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
 rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg net/socket.c:725 [inline]
 ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
 ___sys_sendmsg net/socket.c:2467 [inline]
 __sys_sendmsg+0x195/0x230 net/socket.c:2496
 __do_sys_sendmsg net/socket.c:2505 [inline]
 __se_sys_sendmsg net/socket.c:2503 [inline]
 __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

read to 0xffff888168ad6410 of 8 bytes by task 13560 on cpu 0:
 qdisc_lookup_rcu+0x30/0x2e0 net/sched/sch_api.c:323
 __tcf_qdisc_find+0x74/0x3a0 net/sched/cls_api.c:1050
 tc_del_tfilter+0x1c7/0x1350 net/sched/cls_api.c:2211
 rtnetlink_rcv_msg+0x5ba/0x7e0 net/core/rtnetlink.c:5585
 netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
 rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg net/socket.c:725 [inline]
 ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
 ___sys_sendmsg net/socket.c:2467 [inline]
 __sys_sendmsg+0x195/0x230 net/socket.c:2496
 __do_sys_sendmsg net/socket.c:2505 [inline]
 __se_sys_sendmsg net/socket.c:2503 [inline]
 __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

value changed: 0xffffffff85dee080 -> 0xffff88815d96ec00

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 13560 Comm: syz-executor.2 Not tainted 5.17.0-rc3-syzkaller-00116-gf1baf68e1383-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: 470502de5bdb ("net: sched: unlock rules update API")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vlad Buslov <vladbu@mellanox.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-23 12:01:02 +01:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
9p/net: fix missing error check in p9_check_errors
2021-11-18 14:04:29 +01:00
802
net/802/garp: fix memleak in garp_request_join()
2021-07-31 08:16:11 +02:00
8021q
net: vlan: fix underflow for the real_dev refcnt
2021-12-01 09:19:08 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net: atm: fix update of position index in lec_seq_next
2020-10-31 12:26:30 -07:00
ax25
ax25: improve the incomplete fix to avoid UAF and NPD bugs
2022-02-23 12:00:59 +01:00
batman-adv
batman-adv: allow netlink usage in unprivileged containers
2022-01-27 10:54:11 +01:00
bluetooth
Bluetooth: refactor malicious adv data check
2022-02-01 17:25:38 +01:00
bpf
bpf, test, cgroup: Use sk_{alloc,free} for test cases
2021-10-27 09:56:56 +02:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
net: bridge: vlan: fix memory leak in __allowed_ingress
2022-02-01 17:25:48 +01:00
caif
net-caif: avoid user-triggerable WARN_ON(1)
2021-09-22 12:27:56 +02:00
can
can: isotp: add SF_BROADCAST support for functional addressing
2022-02-23 12:00:56 +01:00
ceph
libceph: clear con->out_msg on Policy::stateful_server faults
2020-10-12 15:29:27 +02:00
core
net_sched: add __rcu annotation to netdev->qdisc
2022-02-23 12:01:02 +01:00
dcb
net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
2021-01-23 16:04:01 +01:00
dccp
tcp: switch orphan_count to bare per-cpu counters
2021-11-18 14:04:08 +01:00
decnet
net: decnet: Fix sleeping inside in af_decnet
2021-07-28 14:35:38 +02:00
dns_resolver
dsa
net: dsa: don't allocate the slave_mii_bus using devres
2021-09-30 10:11:02 +02:00
ethernet
ethtool
ethtool: do not perform operations on net devices being unregistered
2021-12-17 10:14:41 +01:00
hsr
net: hsr: fix mac_len checks
2021-06-03 09:00:50 +02:00
ieee802154
net: ieee802154: Return meaningful error codes from the netlink helpers
2022-02-08 18:30:37 +01:00
ife
ipv4
ping: fix the dif and sdif check in ping_lookup
2022-02-23 12:01:02 +01:00
ipv6
ipv6: per-netns exclusive flowlabel checks
2022-02-23 12:01:01 +01:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:34:05 +01:00
kcm
key
af_key: relax availability checks for skb size calculation
2021-02-13 13:55:02 +01:00
l2tp
net/l2tp: Fix reference count leak in l2tp_udp_recv_core
2021-09-22 12:27:56 +02:00
l3mdev
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:29:14 +01:00
llc
net: llc: fix skb_over_panic
2021-08-04 12:46:43 +02:00
mac80211
mac80211: allow non-standard VHT MCS-10/11
2022-01-27 10:54:19 +01:00
mac802154
net: mac802154: Fix general protection fault
2021-04-14 08:42:13 +02:00
mpls
net: mpls: Fix notifications when deleting a device
2021-12-08 09:03:23 +01:00
mptcp
mptcp: clear 'kern' flag from fallback sockets
2021-12-22 09:30:54 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:40:32 +01:00
netfilter
netfilter: nft_synproxy: unregister hooks on init error path
2022-02-23 12:01:01 +01:00
netlabel
net: fix NULL pointer reference in cipso_v4_doi_free
2021-09-18 13:40:35 +02:00
netlink
net: netlink: af_netlink: Prevent empty skb by adding a check on len.
2021-12-17 10:14:40 +01:00
netrom
netrom: fix api breakage in nr_setsockopt()
2022-01-27 10:54:03 +01:00
nfc
nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
2022-01-27 10:53:41 +01:00
nsh
openvswitch
ovs: clear skb->tstamp in forwarding path
2021-08-26 08:35:50 -04:00
packet
af_packet: fix data-race in packet_setsockopt / packet_setsockopt
2022-02-05 12:37:57 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
net: qrtr: fix another OOB Read in qrtr_endpoint_post
2021-09-03 10:09:21 +02:00
rds
rds: memory leak in __rds_conn_create()
2021-12-22 09:30:54 +01:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-12 09:18:06 +01:00
rose
rose: Fix Null pointer dereference in rose_send_frame()
2020-11-20 10:04:58 -08:00
rxrpc
rxrpc: Adjust retransmission backoff
2022-02-01 17:25:46 +01:00
sched
net_sched: add __rcu annotation to netdev->qdisc
2022-02-23 12:01:02 +01:00
sctp
sctp: use call_rcu to free endpoint
2022-01-05 12:40:30 +01:00
smc
net/smc: Fix hung_task when removing SMC-R devices
2022-01-27 10:54:32 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
fsnotify: fix fsnotify hooks in pseudo filesystems
2022-02-01 17:25:39 +01:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:37:12 +01:00
tipc
tipc: rate limit warning for received illegal binding update
2022-02-16 12:54:26 +01:00
tls
net/tls: Fix authentication failure in CCM mode
2021-12-08 09:03:29 +01:00
unix
af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
2022-01-27 10:54:31 +01:00
vmw_vsock
vsock: remove vsock from connected table when connect is interrupted by a signal
2022-02-23 12:01:01 +01:00
wimax
genetlink: move to smaller ops wherever possible
2020-10-02 19:11:11 -07:00
wireless
cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
2021-11-26 10:39:20 +01:00
x25
net/x25: Return the correct errno code
2021-06-18 10:00:06 +02:00
xdp
Revert "xsk: Do not sleep in poll() when need_wakeup set"
2021-12-22 09:30:59 +01:00
xfrm
xfrm: Don't accidentally set RTO_ONLINK in decode_session4()
2022-01-27 10:54:33 +01:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
drop_monitor: Convert to using devlink tracepoint
2020-09-30 18:01:26 -07:00
Makefile
socket.c
ethtool: improve compat ioctl handling
2021-09-18 13:40:21 +02:00
sysctl_net.c