iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet 3fe9be220c net: icmp: fix data-race in cmp_global_allow() 
commit bbab7ef235031f6733b5429ae7877bfa22339712 upstream.

This code reads two global variables without protection
of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to
avoid load/store-tearing and better document the intent.

KCSAN reported :
BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow

read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0:
 icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254
 icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
 icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
 icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
 icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
 ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
 dst_link_failure include/net/dst.h:419 [inline]
 vti_xmit net/ipv4/ip_vti.c:243 [inline]
 vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
 __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
 netdev_start_xmit include/linux/netdevice.h:4434 [inline]
 xmit_one net/core/dev.c:3280 [inline]
 dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
 __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
 dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
 neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
 neigh_output include/net/neighbour.h:511 [inline]
 ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
 __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
 dst_output include/net/dst.h:436 [inline]
 ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179

write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1:
 icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272
 icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
 icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
 icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
 icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
 ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
 dst_link_failure include/net/dst.h:419 [inline]
 vti_xmit net/ipv4/ip_vti.c:243 [inline]
 vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
 __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
 netdev_start_xmit include/linux/netdevice.h:4434 [inline]
 xmit_one net/core/dev.c:3280 [inline]
 dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
 __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
 dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
 neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
 neigh_output include/net/neighbour.h:511 [inline]
 ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
 __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-01-04 19:18:40 +01:00
..
6lowpan
6lowpan: no need to check return value of debugfs_create functions
2019-07-06 12:50:01 +02:00
9p
9p pull request for inclusion in 5.4
2019-09-27 15:10:34 -07:00
802
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
8021q
net: remove unnecessary variables and callback
2019-10-24 14:53:49 -07:00
appletalk
appletalk: enforce CAP_NET_RAW for raw sockets
2019-09-24 16:37:18 +02:00
atm
net: atm: Reduce the severity of logging in unlink_clip_vcc
2019-11-18 17:08:20 -08:00
ax25
ax25: enforce CAP_NET_RAW for raw sockets
2019-09-24 16:37:18 +02:00
batman-adv
Here are two batman-adv bugfixes:
2019-10-28 16:39:07 -07:00
bluetooth
Bluetooth: Fix advertising duplicated flags
2019-12-31 16:44:33 +01:00
bpf
bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN
2019-07-25 18:00:41 -07:00
bpfilter
Kbuild updates for v5.3
2019-07-12 16:03:16 -07:00
bridge
netfilter: bridge: make sure to pull arp header in br_nf_forward_arp()
2020-01-04 19:18:38 +01:00
caif
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
can
can: j1939: j1939_sk_bind(): take priv after lock is held
2019-12-31 16:45:56 +01:00
ceph
libceph: use ceph_kvmalloc() for osdmap arrays
2019-09-16 12:06:25 +02:00
core
neighbour: remove neigh_cleanup() method
2019-12-31 16:41:37 +01:00
dcb
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201
2019-05-30 11:29:52 -07:00
dccp
net: ipv6: add net argument to ip6_dst_lookup_flow
2019-12-18 16:08:40 +01:00
decnet
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
dns_resolver
Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"
2019-07-10 18:43:43 -07:00
dsa
net: dsa: tag_8021q: Fix dsa_8021q_restore_pvid for an absent pvid
2019-11-16 12:23:53 -08:00
ethernet
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-06-07 11:00:14 -07:00
hsr
hsr: fix a NULL pointer dereference in hsr_dev_xmit()
2019-12-18 16:08:54 +01:00
ieee802154
net: core: add generic lockdep keys
2019-10-24 14:53:48 -07:00
ife
net: Fix Kconfig indentation
2019-09-26 08:56:17 +02:00
ipv4
net: icmp: fix data-race in cmp_global_allow()
2020-01-04 19:18:40 +01:00
ipv6
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2019-12-18 16:08:42 +01:00
iucv
net/af_iucv: mark expected switch fall-throughs
2019-07-29 10:26:14 -07:00
kcm
kcm: disable preemption in kcm_parse_func_strparser()
2019-09-27 10:27:14 +02:00
key
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-07-08 19:48:57 -07:00
l2tp
net: ipv6: add net argument to ip6_dst_lookup_flow
2019-12-18 16:08:40 +01:00
l3mdev
ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF
2019-06-23 13:24:17 -07:00
lapb
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-06-17 20:20:36 -07:00
llc
net: silence KCSAN warnings around sk_add_backlog() calls
2019-10-09 21:42:59 -07:00
mac80211
mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED
2019-12-31 16:45:44 +01:00
mac802154
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174
2019-05-30 11:26:41 -07:00
mpls
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2019-12-18 16:08:42 +01:00
ncsi
net/ncsi: Disable global multicast filter
2019-09-19 18:04:40 -07:00
netfilter
net: core: rename indirect block ingress cb function
2019-12-18 16:08:47 +01:00
netlabel
netlabel: remove redundant assignment to pointer iter
2019-09-01 11:45:02 -07:00
netlink
net: remove empty netlink_tap_exit_net
2019-06-14 19:50:33 -07:00
netrom
net: core: add generic lockdep keys
2019-10-24 14:53:48 -07:00
nfc
net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()
2019-12-31 16:41:23 +01:00
nsh
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
openvswitch
net: Fixed updating of ethertype in skb_mpls_push()
2019-12-18 16:08:56 +01:00
packet
af_packet: set defaule value for tmo
2019-12-31 16:41:12 +01:00
phonet
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
psample
net: psample: fix skb_over_panic
2019-12-04 22:30:54 +01:00
qrtr
net: qrtr: Stop rx_worker before freeing node
2019-09-21 18:45:46 -07:00
rds
rds: ib: update WR sizes when bringing up connection
2019-11-16 12:59:08 -08:00
rfkill
rfkill: allocate static minor
2019-12-13 08:43:18 +01:00
rose
net: core: add generic lockdep keys
2019-10-24 14:53:48 -07:00
rxrpc
rxrpc: Fix handling of last subpacket of jumbo packet
2019-10-31 12:23:09 -07:00
sched
act_ct: support asymmetric conntrack
2019-12-18 16:08:59 +01:00
sctp
sctp: fix err handling of stream initialization
2020-01-04 19:18:34 +01:00
smc
net/smc: add fallback check to connect()
2020-01-04 19:18:37 +01:00
strparser
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-06-22 08:59:24 -04:00
sunrpc
SUNRPC: Avoid RPC delays when exiting suspend
2019-12-13 08:42:34 +01:00
switchdev
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
tipc
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2019-12-18 16:08:42 +01:00
tls
net/tls: Fix return values to avoid ENOTSUPP
2019-12-18 16:08:31 +01:00
unix
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
vmw_vsock
vsock/virtio: fix sock refcnt holding during the shutdown
2019-11-08 12:17:50 -08:00
wimax
wimax: no need to check return value of debugfs_create functions
2019-08-10 15:25:47 -07:00
wireless
nl80211: fix validation of mesh path nexthop
2019-10-30 10:11:18 +01:00
x25
net: silence KCSAN warnings around sk_add_backlog() calls
2019-10-09 21:42:59 -07:00
xdp
xsk: Fix registration of Rx-only sockets
2019-10-23 20:22:11 -07:00
xfrm
xfrm: release device reference for invalid state
2019-11-12 08:24:38 +01:00
compat.c
uio: make import_iovec()/compat_import_iovec() return bytes on success
2019-05-31 15:30:03 -06:00
Kconfig
devlink: Add packet trap infrastructure
2019-08-17 12:40:08 -07:00
Makefile
socket.c
net: disallow ancillary data for __sys_{send,recv}msg_file()
2019-12-04 22:30:44 +01:00
sysctl_net.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00