github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 14:04:54 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
76101c8e0c
linux/net/ipv6
History
Eric Dumazet 49516e6ed9 ipv6: make ip6_rt_gc_expire an atomic_t 
[ Upstream commit 9cb7c01342 ]

Reads and Writes to ip6_rt_gc_expire always have been racy,
as syzbot reported lately [1]

There is a possible risk of under-flow, leading
to unexpected high value passed to fib6_run_gc(),
although I have not observed this in the field.

Hosts hitting ip6_dst_gc() very hard are under pretty bad
state anyway.

[1]
BUG: KCSAN: data-race in ip6_dst_gc / ip6_dst_gc

read-write to 0xffff888102110744 of 4 bytes by task 13165 on cpu 1:
 ip6_dst_gc+0x1f3/0x220 net/ipv6/route.c:3311
 dst_alloc+0x9b/0x160 net/core/dst.c:86
 ip6_dst_alloc net/ipv6/route.c:344 [inline]
 icmp6_dst_alloc+0xb2/0x360 net/ipv6/route.c:3261
 mld_sendpack+0x2b9/0x580 net/ipv6/mcast.c:1807
 mld_send_cr net/ipv6/mcast.c:2119 [inline]
 mld_ifc_work+0x576/0x800 net/ipv6/mcast.c:2651
 process_one_work+0x3d3/0x720 kernel/workqueue.c:2289
 worker_thread+0x618/0xa70 kernel/workqueue.c:2436
 kthread+0x1a9/0x1e0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

read-write to 0xffff888102110744 of 4 bytes by task 11607 on cpu 0:
 ip6_dst_gc+0x1f3/0x220 net/ipv6/route.c:3311
 dst_alloc+0x9b/0x160 net/core/dst.c:86
 ip6_dst_alloc net/ipv6/route.c:344 [inline]
 icmp6_dst_alloc+0xb2/0x360 net/ipv6/route.c:3261
 mld_sendpack+0x2b9/0x580 net/ipv6/mcast.c:1807
 mld_send_cr net/ipv6/mcast.c:2119 [inline]
 mld_ifc_work+0x576/0x800 net/ipv6/mcast.c:2651
 process_one_work+0x3d3/0x720 kernel/workqueue.c:2289
 worker_thread+0x618/0xa70 kernel/workqueue.c:2436
 kthread+0x1a9/0x1e0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

value changed: 0x00000bb3 -> 0x00000ba9

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 11607 Comm: kworker/0:21 Not tainted 5.18.0-rc1-syzkaller-00037-g42e7a03d3bad-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: mld mld_ifc_work

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20220413181333.649424-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-04-27 13:53:51 +02:00
..
ila net: Add MODULE_DESCRIPTION entries to network modules 2020-06-20 21:33:57 -07:00
netfilter netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6 2021-10-27 09:56:47 +02:00
addrconf_core.c ipv6: add ipv6_fragment hook in ipv6_stub 2020-08-31 12:26:39 -07:00
addrconf.c ipv6: make mc_forwarding atomic 2022-04-13 21:00:56 +02:00
addrlabel.c ipv6: addrlabel: fix possible memory leak in ip6addrlbl_net_init 2020-11-25 11:20:16 -08:00
af_inet6.c net: ipv6: add fib6_nh_release_dsts stub 2021-12-01 09:19:05 +01:00
ah6.c xfrm: Use actual socket sk instead of skb socket for xfrm_output_resume 2021-04-14 08:42:05 +02:00
anycast.c ipv6: fix memory leaks on IPV6_ADDRFORM path 2020-07-30 16:30:55 -07:00
calipso.c cipso,calipso: resolve a number of problems with the DOI refcounts 2021-03-17 17:06:15 +01:00
datagram.c icmp6: support rfc 4884 2020-07-24 17:12:41 -07:00
esp6_offload.c esp: Fix BEET mode inter address family tunneling on GSO 2022-03-16 14:15:57 +01:00
esp6.c esp: limit skb_page_frag_refill use to a single page 2022-04-27 13:53:48 +02:00
exthdrs_core.c
exthdrs_offload.c
exthdrs.c ipv6: fix out-of-bound access in ip6_parse_tlv() 2021-07-14 16:56:28 +02:00
fib6_notifier.c
fib6_rules.c ipv6: fix memory leak in fib6_rule_suppress 2021-12-08 09:03:21 +01:00
fou6.c net: Add MODULE_DESCRIPTION entries to network modules 2020-06-20 21:33:57 -07:00
icmp.c net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-03-04 11:38:46 +01:00
inet6_connection_sock.c
inet6_hashtables.c tcp: Don't acquire inet_listen_hashbucket::lock with disabled BH. 2022-04-13 21:00:57 +02:00
ip6_checksum.c
ip6_fib.c ipv6: annotate accesses to fn->fn_sernum 2022-02-01 17:25:44 +01:00
ip6_flowlabel.c ipv6: per-netns exclusive flowlabel checks 2022-02-23 12:01:01 +01:00
ip6_gre.c ip6_gre: Fix skb_under_panic in __gre6_xmit() 2022-04-27 13:53:50 +02:00
ip6_icmp.c net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-03-04 11:38:46 +01:00
ip6_input.c ipv6: make mc_forwarding atomic 2022-04-13 21:00:56 +02:00
ip6_offload.c gso: do not skip outer ip header in case of ipip and net_failover 2022-03-02 11:42:49 +01:00
ip6_offload.h
ip6_output.c ipv6: fix panic when forwarding a pkt with no in6 dev 2022-04-20 09:23:28 +02:00
ip6_tunnel.c ipv6_tunnel: Rate limit warning messages 2022-02-01 17:25:43 +01:00
ip6_udp_tunnel.c net: Make locking in sock_bindtoindex optional 2020-06-01 14:57:14 -07:00
ip6_vti.c ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate 2022-01-11 15:25:02 +01:00
ip6mr.c ipv6: make mc_forwarding atomic 2022-04-13 21:00:56 +02:00
ipcomp6.c ipcomp: assign if_id to child tunnel from parent tunnel 2020-07-09 12:55:37 +02:00
ipv6_sockglue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
Kconfig net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC 2020-09-18 17:45:04 -07:00
Makefile net: ipv6: add rpl sr tunnel 2020-03-29 22:30:57 -07:00
mcast_snoop.c net: bridge: mcast: fix broken length + header check for MRDv6 Adv. 2021-05-14 09:50:44 +02:00
mcast.c mld: fix panic in mld_newpack() 2021-06-03 09:00:48 +02:00
mip6.c
ndisc.c net: Exempt multicast addresses from five-second neighbor lifetime 2020-11-13 14:24:39 -08:00
netfilter.c netfilter: use actual socket sk rather than skb sk when routing harder 2020-10-30 12:57:39 +01:00
output_core.c ipv6: use prandom_u32() for ID generation 2021-07-19 09:44:44 +02:00
ping.c ipv6/ping: set skb->mark on icmpv6 sockets 2020-07-03 14:36:04 -07:00
proc.c
protocol.c
raw.c ipv6: raw: check passed optlen before reading 2022-01-11 15:25:02 +01:00
reassembly.c ipv6: record frag_max_size in atomic fragments in input path 2021-06-03 09:00:50 +02:00
route.c ipv6: make ip6_rt_gc_expire an atomic_t 2022-04-27 13:53:51 +02:00
rpl_iptunnel.c net: ipv6: Use struct_size() helper and kcalloc() 2020-06-23 20:27:09 -07:00
rpl.c ipv6: rpl: fix full address compression 2020-04-18 15:04:27 -07:00
seg6_hmac.c crypto: lib/sha1 - remove unnecessary includes of linux/cryptohash.h 2020-05-08 15:32:17 +10:00
seg6_iptunnel.c seg6: fix the iif in the IPv6 socket control block 2021-12-14 11:32:36 +01:00
seg6_local.c seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds 2020-06-04 15:39:32 -07:00
seg6.c seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds 2020-06-04 15:39:32 -07:00
sit.c sit: do not call ipip6_dev_free() from sit_init_net() 2021-12-22 09:30:56 +01:00
syncookies.c net: Update window_clamp if SOCK_RCVBUF is set 2020-11-10 17:42:35 -08:00
sysctl_net_ipv6.c ipv6: Fix sysctl max for fib_multipath_hash_policy 2020-09-02 15:44:53 -07:00
tcp_ipv6.c ipv6: tcp: drop silly ICMPv6 packet too big messages 2021-07-25 14:36:21 +02:00
tcpv6_offload.c
tunnel6.c tunnel6: add tunnel6_input_afinfo for ipip and ipv6 tunnels 2020-07-09 12:52:37 +02:00
udp_impl.h net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
udp_offload.c udp: ipv4: manipulate network header of NATed UDP GRO fraglist 2021-02-10 09:29:23 +01:00
udp.c udp: call udp_encap_enable for v6 sockets when enabling encap 2022-04-08 14:39:54 +02:00
udplite.c net/ipv6: remove compat_ipv6_{get,set}sockopt 2020-07-19 18:16:41 -07:00
xfrm6_input.c xfrm: state: remove extract_input indirection from xfrm_state_afinfo 2020-05-06 09:40:08 +02:00
xfrm6_output.c xfrm: fix tunnel model fragmentation behavior 2022-04-08 14:39:47 +02:00
xfrm6_policy.c
xfrm6_protocol.c xfrm: add support for UDPv6 encapsulation of ESP 2020-04-28 11:28:36 +02:00
xfrm6_state.c xfrm: remove output_finish indirection from xfrm_state_afinfo 2020-05-06 09:40:08 +02:00
xfrm6_tunnel.c xfrm: interface: fix the priorities for ipip and ipv6 tunnels 2020-10-09 12:29:48 +02:00