From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 03/45] net: igmp: add a missing rcu locking section
Date: Thu, 15 Feb 2018 16:16:54 +0100 [thread overview]
Message-ID: <20180215144116.595763805@linuxfoundation.org> (raw)
In-Reply-To: <20180215144115.863307741@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit e7aadb27a5415e8125834b84a74477bfbee4eff5 ]
Newly added igmpv3_get_srcaddr() needs to be called under rcu lock.
Timer callbacks do not ensure this locking.
=============================
WARNING: suspicious RCU usage
4.15.0+ #200 Not tainted
-----------------------------
./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syzkaller616973/4074:
#0: (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355
#1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
#1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
#2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
#2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600
stack backtrace:
CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
__in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
expire_timers kernel/time/timer.c:1363 [inline]
__run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1cc/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:541 [inline]
smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/igmp.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -384,7 +384,11 @@ static struct sk_buff *igmpv3_newpack(st
pip->frag_off = htons(IP_DF);
pip->ttl = 1;
pip->daddr = fl4.daddr;
+
+ rcu_read_lock();
pip->saddr = igmpv3_get_srcaddr(dev, &fl4);
+ rcu_read_unlock();
+
pip->protocol = IPPROTO_IGMP;
pip->tot_len = 0; /* filled in later */
ip_select_ident(skb, NULL);
next prev parent reply other threads:[~2018-02-15 15:16 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-15 15:16 [PATCH 3.18 00/45] 3.18.95-stable review Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 3.18 01/45] vhost_net: stop device during reset owner Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 3.18 02/45] ip6mr: fix stale iterator Greg Kroah-Hartman
2018-02-15 15:16 ` Greg Kroah-Hartman [this message]
2018-02-15 15:16 ` [PATCH 3.18 04/45] qlcnic: fix deadlock bug Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 3.18 05/45] r8169: fix RTL8168EP take too long to complete driver initialization Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 3.18 06/45] tcp: release sk_frag.page in tcp_disconnect Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 3.18 07/45] ARM: exynos_defconfig: Enable options to mount a rootfs via NFS Greg Kroah-Hartman
2018-02-15 15:16 ` [PATCH 3.18 08/45] ARM: exynos_defconfig: Enable NFSv4 client Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 09/45] KEYS: encrypted: fix buffer overread in valid_master_desc() Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 10/45] ipv4: Map neigh lookup keys in __ipv4_neigh_lookup_noref() Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 11/45] cifs: Fix missing put_xid in cifs_file_strict_mmap Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 12/45] cifs: Fix autonegotiate security settings mismatch Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 13/45] CIFS: zero sensitive data when freeing Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 14/45] posix-timer: Properly check sigevent->sigev_notify Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 15/45] usbip: fix stub_rx: get_pipe() to validate endpoint number Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 16/45] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 17/45] usbip: prevent vhci_hcd driver from leaking a socket pointer address Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 18/45] usbip: Fix potential format overflow in userspace tools Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 19/45] usb: usbip: Fix possible deadlocks reported by lockdep Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 20/45] usbip: vhci-hcd: Add USB3 SuperSpeed support Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 21/45] usbip: prevent leaking socket pointer address in messages Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 22/45] usbip: stub: stop printing kernel pointer addresses " Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 23/45] usbip: vhci: " Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 24/45] dccp: CVE-2017-8824: use-after-free in DCCP code Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 25/45] media: dvb-usb-v2: lmedm04: Improve logic checking of warm start Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 26/45] media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 27/45] mtd: nand: Fix nand_do_read_oob() return value Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 28/45] NFS: Add a cond_resched() to nfs_commit_release_pages() Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 29/45] NFS: commit direct writes even if they fail partially Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 30/45] kernfs: fix regression in kernfs_fop_write caused by wrong type Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 31/45] crypto: hash - introduce crypto_hash_alg_has_setkey() Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 32/45] crypto: cryptd - pass through absence of ->setkey() Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 33/45] crypto: caam - fix endless loop when DECO acquire fails Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 34/45] arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 35/45] media: cxusb, dib0700: ignore XC2028_I2C_FLUSH Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 36/45] kernel/async.c: revert "async: simplify lowest_in_progress()" Greg Kroah-Hartman
2018-02-15 15:17 ` [OpenRISC] [PATCH 3.18 37/45] signal/openrisc: Fix do_unaligned_access to send the proper signal Greg Kroah-Hartman
2018-02-15 15:17 ` Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 38/45] signal/sh: Ensure si_signo is initialized in do_divide_error Greg Kroah-Hartman
2018-02-15 15:17 ` Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 39/45] alpha: fix crash if pthread_create races with signal delivery Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 40/45] alpha: fix reboot on Avanti platform Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 41/45] xtensa: fix futex_atomic_cmpxchg_inatomic Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 42/45] EDAC, octeon: Fix an uninitialized variable warning Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 43/45] pktcdvd: Fix pkt_setup_dev() error path Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 44/45] ACPI: sbshc: remove raw pointer from printk() message Greg Kroah-Hartman
2018-02-15 15:17 ` [PATCH 3.18 45/45] mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy Greg Kroah-Hartman
2018-02-15 15:35 ` [PATCH 3.18 00/45] 3.18.95-stable review Harsh Shandilya
2018-02-15 16:44 ` Greg Kroah-Hartman
2018-02-15 16:44 ` Greg Kroah-Hartman
2018-02-15 19:16 ` kernelci.org bot
2018-02-16 20:07 ` Kevin Hilman
2018-02-16 20:12 ` Greg Kroah-Hartman
2018-02-15 22:01 ` Shuah Khan
2018-02-16 14:11 ` Guenter Roeck
2018-02-16 19:13 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180215144116.595763805@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.