iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet 47419f2aef ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr 
commit 195374d893681da43a39796e53b30ac4f20400c4 upstream.

syzbot reported a data-race while accessing nh->nh_saddr_genid [1]

Add annotations, but leave the code lazy as intended.

[1]
BUG: KCSAN: data-race in fib_select_path / fib_select_path

write to 0xffff8881387166f0 of 4 bytes by task 6778 on cpu 1:
fib_info_update_nhc_saddr net/ipv4/fib_semantics.c:1334 [inline]
fib_result_prefsrc net/ipv4/fib_semantics.c:1354 [inline]
fib_select_path+0x292/0x330 net/ipv4/fib_semantics.c:2269
ip_route_output_key_hash_rcu+0x659/0x12c0 net/ipv4/route.c:2810
ip_route_output_key_hash net/ipv4/route.c:2644 [inline]
__ip_route_output_key include/net/route.h:134 [inline]
ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2872
send4+0x1f5/0x520 drivers/net/wireguard/socket.c:61
wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175
wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
worker_thread+0x525/0x730 kernel/workqueue.c:2784
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

read to 0xffff8881387166f0 of 4 bytes by task 6759 on cpu 0:
fib_result_prefsrc net/ipv4/fib_semantics.c:1350 [inline]
fib_select_path+0x1cb/0x330 net/ipv4/fib_semantics.c:2269
ip_route_output_key_hash_rcu+0x659/0x12c0 net/ipv4/route.c:2810
ip_route_output_key_hash net/ipv4/route.c:2644 [inline]
__ip_route_output_key include/net/route.h:134 [inline]
ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2872
send4+0x1f5/0x520 drivers/net/wireguard/socket.c:61
wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175
wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
worker_thread+0x525/0x730 kernel/workqueue.c:2784
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

value changed: 0x959d3217 -> 0x959d3218

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 6759 Comm: kworker/u4:15 Not tainted 6.6.0-rc4-syzkaller-00029-gcbf3a2cb156a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker

Fixes: 436c3b66ec98 ("ipv4: Invalidate nexthop cache nh_saddr more correctly.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20231017192304.82626-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-10-25 11:53:21 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:47:31 +02:00
9p
9p: virtio: make sure 'offs' is initialized in zc_request
2023-09-23 10:59:37 +02:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-18 11:41:37 +01:00
8021q
vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
2023-05-30 12:44:06 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 14:47:41 +02:00
atm
atm: hide unused procfs functions
2023-06-09 10:28:59 +02:00
ax25
ax25: Fix UAF bugs in ax25 timers
2022-04-20 09:19:40 +02:00
batman-adv
batman-adv: Hold rtnl lock during MTU update via netlink
2023-08-30 16:27:25 +02:00
bluetooth
Bluetooth: avoid memcmp() out of bounds warning
2023-10-25 11:53:20 +02:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-18 11:41:04 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:53:33 +02:00
bridge
net: bridge: use DEV_STATS_INC()
2023-10-10 21:46:37 +02:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:32:51 +01:00
can
can: bcm: Fix UAF in bcm_proc_show()
2023-07-27 08:37:40 +02:00
ceph
libceph: use kernel_connect()
2023-10-25 11:53:19 +02:00
core
net: fix possible store tearing in neigh_periodic_work()
2023-10-10 21:46:44 +02:00
dcb
net: dcb: choose correct policy to parse DCB_ATTR_BCN
2023-08-11 11:53:57 +02:00
dccp
dccp: fix dccp_v4_err()/dccp_v6_err() again
2023-10-10 21:46:37 +02:00
decnet
Remove DECnet support from kernel
2023-06-21 15:44:10 +02:00
dns_resolver
KEYS: Don't write out to userspace while holding key semaphore
2020-04-23 10:36:45 +02:00
dsa
net: dsa: tag_sja1105: fix MAC DA patching from meta frames
2023-07-27 08:37:24 +02:00
ethernet
hsr
hsr: Avoid double remove of a node.
2023-01-18 11:41:09 +01:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:56:54 +09:00
ife
ipv4
ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
2023-10-25 11:53:21 +02:00
ipv6
net: ipv6: fix return value check in esp_remove_trailer
2023-10-25 11:53:21 +02:00
iucv
treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
2023-04-20 12:07:32 +02:00
kcm
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
2023-09-23 11:00:02 +02:00
key
net: af_key: fix sadb_x_filter validation
2023-08-30 16:27:16 +02:00
l2tp
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
2023-10-10 21:46:44 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:50:47 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:25:28 +01:00
llc
llc: Don't drop packet from non-root netns.
2023-07-27 08:37:44 +02:00
mac80211
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
2023-04-20 12:07:33 +02:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:30:45 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:50:41 +01:00
ncsi
ncsi: Propagate carrier gain/loss events to the NCSI controller
2023-10-10 21:46:40 +02:00
netfilter
netfilter: nft_payload: fix wrong mac header matching
2023-10-25 11:53:21 +02:00
netlabel
netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
2023-09-23 10:59:39 +02:00
netlink
netlink: Add __sock_i_ino() for __netlink_diag_dump().
2023-07-27 08:37:12 +02:00
netrom
netrom: Deny concurrent connect().
2023-09-23 10:59:43 +02:00
nfc
nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
2023-10-25 11:53:20 +02:00
nsh
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
2023-05-30 12:44:05 +01:00
openvswitch
net: openvswitch: fix flow memory leak in ovs_flow_cmd_new
2023-02-22 12:50:25 +01:00
packet
net/packet: annotate data-races around tp->status
2023-08-16 18:19:23 +02:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:23:33 +01:00
psample
qrtr
net: qrtr: fix another OOB Read in qrtr_endpoint_post
2021-09-03 10:08:12 +02:00
rds
net: prevent address rewrite in kernel_bind()
2023-10-25 11:53:18 +02:00
rfkill
net: rfkill: gpio: prevent value glitch during probe
2023-10-25 11:53:21 +02:00
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:50:34 +01:00
rxrpc
rxrpc: Fix hard call timeout units
2023-05-17 11:35:59 +02:00
sched
net/sched: Retire rsvp classifier
2023-09-23 11:00:07 +02:00
sctp
sctp: update hb timer immediately after users change hb_interval
2023-10-10 21:46:45 +02:00
smc
net/smc: fix fallback failed while sendmsg with fastopen
2023-03-17 08:32:51 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-17 09:48:48 +01:00
sunrpc
SUNRPC: Mark the cred for revalidation if the server rejects it
2023-10-10 21:46:35 +02:00
switchdev
net: switchdev: do not propagate bridge updates across bridges
2021-10-27 09:54:24 +02:00
tipc
net: tipc: resize nlattr array to correct size
2023-06-21 15:44:12 +02:00
tls
net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
2023-09-23 11:00:02 +02:00
unix
af_unix: Fix data-race around unix_tot_inflight.
2023-09-23 10:59:58 +02:00
vmw_vsock
vsock: avoid to close connected socket after the timeout
2023-05-30 12:44:05 +01:00
wimax
wireless
wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
2023-07-27 08:37:42 +02:00
x25
net/x25: Fix to not accept on connected socket
2023-02-22 12:50:26 +01:00
xdp
xsk: Honor SO_BINDTODEVICE on bind
2023-07-27 08:37:23 +02:00
xfrm
xfrm: interface: use DEV_STATS_INC()
2023-10-25 11:53:21 +02:00
compat.c
net: Return the correct errno code
2021-06-18 09:59:00 +02:00
Kconfig
Remove DECnet support from kernel
2023-06-21 15:44:10 +02:00
Makefile
Remove DECnet support from kernel
2023-06-21 15:44:10 +02:00
socket.c
net: prevent address rewrite in kernel_bind()
2023-10-25 11:53:18 +02:00
sysctl_net.c