linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-08 22:52:35 +02:00

History

Eric Dumazet 0c78a0e690 net: icmp: fix data-race in cmp_global_allow() commit `bbab7ef235` upstream. This code reads two global variables without protection of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to avoid load/store-tearing and better document the intent. KCSAN reported : BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0: icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254 icmpv6_global_allow net/ipv6/icmp.c:184 [inline] icmpv6_global_allow net/ipv6/icmp.c:179 [inline] icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514 icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43 ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640 dst_link_failure include/net/dst.h:419 [inline] vti_xmit net/ipv4/ip_vti.c:243 [inline] vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279 __netdev_start_xmit include/linux/netdevice.h:4420 [inline] netdev_start_xmit include/linux/netdevice.h:4434 [inline] xmit_one net/core/dev.c:3280 [inline] dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296 __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873 dev_queue_xmit+0x21/0x30 net/core/dev.c:3906 neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530 neigh_output include/net/neighbour.h:511 [inline] ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 dst_output include/net/dst.h:436 [inline] ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179 write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1: icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272 icmpv6_global_allow net/ipv6/icmp.c:184 [inline] icmpv6_global_allow net/ipv6/icmp.c:179 [inline] icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514 icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43 ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640 dst_link_failure include/net/dst.h:419 [inline] vti_xmit net/ipv4/ip_vti.c:243 [inline] vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279 __netdev_start_xmit include/linux/netdevice.h:4420 [inline] netdev_start_xmit include/linux/netdevice.h:4434 [inline] xmit_one net/core/dev.c:3280 [inline] dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296 __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873 dev_queue_xmit+0x21/0x30 net/core/dev.c:3906 neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530 neigh_output include/net/neighbour.h:511 [inline] ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: `4cdf507d54` ("icmp: add a global rate limitation") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2020-01-04 19:13:30 +01:00
..
6lowpan
9p	9p: Transport error uninitialized	2019-10-11 18:21:12 +02:00
802
8021q	vlan: disable SIOCSHWTSTAMP in container	2019-05-16 19:41:30 +02:00
appletalk	appletalk: Set error code if register_snap_client failed	2019-12-13 08:52:59 +01:00
atm	net: use skb_queue_empty_lockless() in poll() handlers	2019-11-10 11:27:48 +01:00
ax25	ax25: enforce CAP_NET_RAW for raw sockets	2019-10-05 13:09:32 +02:00
batman-adv	batman-adv: Avoid free/alloc race when handling OGM buffer	2019-11-06 13:06:22 +01:00
bluetooth	Bluetooth: Fix advertising duplicated flags	2019-12-31 16:35:34 +01:00
bpf
bpfilter
bridge	netfilter: bridge: make sure to pull arp header in br_nf_forward_arp()	2020-01-04 19:13:28 +01:00
caif	net: use skb_queue_empty_lockless() in poll() handlers	2019-11-10 11:27:48 +01:00
can	can: gw: Fix error path of cgw_module_init	2019-08-29 08:28:30 +02:00
ceph	libceph: fix PG split vs OSD (re)connect race	2019-08-29 08:28:50 +02:00
core	net, sysctl: Fix compiler warning when only cBPF is present	2020-01-04 19:13:20 +01:00
dcb
dccp	inet: stop leaking jiffies on the wire	2019-11-10 11:27:37 +01:00
decnet	decnet: fix DN_IFREQ_SIZE	2019-12-05 09:21:07 +01:00
dns_resolver
dsa	net: dsa: fix switch tree list	2019-11-10 11:27:53 +01:00
ethernet
hsr	net/hsr: fix possible crash in add_timer()	2019-03-19 13:12:38 +01:00
ieee802154	ieee802154: enforce CAP_NET_RAW for raw sockets	2019-10-05 13:09:32 +02:00
ife
ipv4	net: icmp: fix data-race in cmp_global_allow()	2020-01-04 19:13:30 +01:00
ipv6	net/ipv6: re-do dad when interface has IFF_NOARP flag change	2019-12-13 08:51:41 +01:00
iucv
kcm	kcm: switch order of device registration to fix a crash	2019-04-17 08:38:40 +02:00
key	af_key: fix leaks in key_pol_get_resp and dump_sp.	2019-07-26 09:14:01 +02:00
l2tp	compat_ioctl: pppoe: fix PPPOEIOCSFWD handling	2019-08-09 17:52:34 +02:00
l3mdev
lapb	lapb: fixed leak of control-blocks.	2019-06-22 08:15:13 +02:00
llc	llc: avoid blocking in llc_sap_close()	2019-11-20 18:46:35 +01:00
mac80211	mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED	2019-12-31 16:36:13 +01:00
mac802154
mpls	mpls: Return error for RTA_GATEWAY attribute	2019-03-10 07:17:19 +01:00
ncsi
netfilter	netfilter: nf_queue: enqueue skbs with NULL dst	2020-01-04 19:13:21 +01:00
netlabel	netlabel: fix out-of-bounds memory accesses	2019-03-10 07:17:18 +01:00
netlink	genetlink: Fix a memory leak on error path	2019-04-03 06:26:15 +02:00
netrom	netrom: hold sock when setting skb->destructor	2019-07-28 08:29:27 +02:00
nfc	net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()	2019-12-31 16:34:38 +01:00
nsh
openvswitch	openvswitch: support asymmetric conntrack	2019-12-21 10:57:14 +01:00
packet	af_packet: set defaule value for tmo	2019-12-31 16:34:35 +01:00
phonet	net: use skb_queue_empty_lockless() in poll() handlers	2019-11-10 11:27:48 +01:00
psample	net: psample: fix skb_over_panic	2019-12-05 09:21:30 +01:00
qrtr	net: qrtr: fix memort leak in qrtr_tun_write_iter	2019-12-13 08:52:58 +01:00
rds	net/rds: Fix error handling in rds_ib_add_one()	2019-10-07 18:57:24 +02:00
rfkill	rfkill: allocate static minor	2019-12-31 16:35:38 +01:00
rose	net/rose: fix unbound loop in rose_loopback_timer()	2019-05-02 09:59:00 +02:00
rxrpc	rxrpc: Fix trace-after-put looking at the put peer record	2019-11-06 13:06:24 +01:00
sched	net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues	2019-12-21 10:57:12 +01:00
sctp	sctp: fully initialize v4 addr in some functions	2019-12-31 16:34:40 +01:00
smc	net/smc: do not wait under send_lock	2019-12-17 20:35:33 +01:00
strparser	net: strparser: partially revert "strparser: Call skb_unclone conditionally"	2019-05-16 19:41:27 +02:00
sunrpc	sunrpc: fix crash when cache_head become valid before update	2019-12-17 20:35:52 +01:00
switchdev
tipc	tipc: fix ordering of tipc module init and exit routine	2019-12-21 10:57:16 +01:00
tls	net: tls, fix sk_write_space NULL write when tx disabled	2019-09-06 10:22:04 +02:00
unix	net: fix warning in af_unix	2019-12-01 09:16:33 +01:00
vmw_vsock	VSOCK: bind to random port for VMADDR_PORT_ANY	2019-12-05 09:20:19 +01:00
wimax
wireless	cfg80211: call disconnect_wk when AP stops	2019-12-01 09:17:34 +01:00
x25	net/x25: fix null_x25_address handling	2019-12-13 08:52:15 +01:00
xdp	xsk: proper AF_XDP socket teardown ordering	2019-11-24 08:20:32 +01:00
xfrm	xfrm interface: fix management of phydev	2019-12-13 08:52:42 +01:00
compat.c	sock: Make sock->sk_stamp thread-safe	2019-01-09 17:38:33 +01:00
Kconfig
Makefile
socket.c	net: socket: set sock->sk to NULL after calling proto_ops::release()	2019-03-10 07:17:18 +01:00
sysctl_net.c