From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.16 14/72] inetpeer: fix uninit-value in inet_getpeer
Date: Mon, 14 May 2018 08:48:31 +0200 [thread overview]
Message-ID: <20180514064823.648455591@linuxfoundation.org> (raw)
In-Reply-To: <20180514064823.033169170@linuxfoundation.org>
4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit b6a37e5e25414df4b8e9140a5c6f5ee0ec6f3b90 upstream.
syzbot/KMSAN reported that p->dtime was read while it was
not yet initialized in :
delta = (__u32)jiffies - p->dtime;
if (delta < ttl || !refcount_dec_if_one(&p->refcnt))
gc_stack[i] = NULL;
This is a false positive, because the inetpeer wont be erased
from rb-tree if the refcount_dec_if_one(&p->refcnt) does not
succeed. And this wont happen before first inet_putpeer() call
for this inetpeer has been done, and ->dtime field is written
exactly before the refcount_dec_and_test(&p->refcnt).
The KMSAN report was :
BUG: KMSAN: uninit-value in inet_peer_gc net/ipv4/inetpeer.c:163 [inline]
BUG: KMSAN: uninit-value in inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228
CPU: 0 PID: 9494 Comm: syz-executor5 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
inet_peer_gc net/ipv4/inetpeer.c:163 [inline]
inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228
inet_getpeer_v4 include/net/inetpeer.h:110 [inline]
icmpv4_xrlim_allow net/ipv4/icmp.c:330 [inline]
icmp_send+0x2b44/0x3050 net/ipv4/icmp.c:725
ip_options_compile+0x237c/0x29f0 net/ipv4/ip_options.c:472
ip_rcv_options net/ipv4/ip_input.c:284 [inline]
ip_rcv_finish+0xda8/0x16d0 net/ipv4/ip_input.c:365
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
__netif_receive_skb net/core/dev.c:4627 [inline]
netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
netif_receive_skb+0x230/0x240 net/core/dev.c:4725
tun_rx_batched drivers/net/tun.c:1555 [inline]
tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962
tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
do_iter_write+0x30d/0xd40 fs/read_write.c:932
vfs_writev fs/read_write.c:977 [inline]
do_writev+0x3c9/0x830 fs/read_write.c:1012
SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
SyS_writev+0x56/0x80 fs/read_write.c:1082
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x455111
RSP: 002b:00007fae0365cba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000000002e RCX: 0000000000455111
RDX: 0000000000000001 RSI: 00007fae0365cbf0 RDI: 00000000000000fc
RBP: 0000000020000040 R08: 00000000000000fc R09: 0000000000000000
R10: 000000000000002e R11: 0000000000000293 R12: 00000000ffffffff
R13: 0000000000000658 R14: 00000000006fc8e0 R15: 0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
inet_getpeer+0xed8/0x1e70 net/ipv4/inetpeer.c:210
inet_getpeer_v4 include/net/inetpeer.h:110 [inline]
ip4_frag_init+0x4d1/0x740 net/ipv4/ip_fragment.c:153
inet_frag_alloc net/ipv4/inet_fragment.c:369 [inline]
inet_frag_create net/ipv4/inet_fragment.c:385 [inline]
inet_frag_find+0x7da/0x1610 net/ipv4/inet_fragment.c:418
ip_find net/ipv4/ip_fragment.c:275 [inline]
ip_defrag+0x448/0x67a0 net/ipv4/ip_fragment.c:676
ip_check_defrag+0x775/0xda0 net/ipv4/ip_fragment.c:724
packet_rcv_fanout+0x2a8/0x8d0 net/packet/af_packet.c:1447
deliver_skb net/core/dev.c:1897 [inline]
deliver_ptype_list_skb net/core/dev.c:1912 [inline]
__netif_receive_skb_core+0x314a/0x4a80 net/core/dev.c:4545
__netif_receive_skb net/core/dev.c:4627 [inline]
netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
netif_receive_skb+0x230/0x240 net/core/dev.c:4725
tun_rx_batched drivers/net/tun.c:1555 [inline]
tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962
tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
do_iter_write+0x30d/0xd40 fs/read_write.c:932
vfs_writev fs/read_write.c:977 [inline]
do_writev+0x3c9/0x830 fs/read_write.c:1012
SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
SyS_writev+0x56/0x80 fs/read_write.c:1082
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/inetpeer.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -210,6 +210,7 @@ struct inet_peer *inet_getpeer(struct in
p = kmem_cache_alloc(peer_cachep, GFP_ATOMIC);
if (p) {
p->daddr = *daddr;
+ p->dtime = (__u32)jiffies;
refcount_set(&p->refcnt, 2);
atomic_set(&p->rid, 0);
p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
next prev parent reply other threads:[~2018-05-14 6:48 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-14 6:48 [PATCH 4.16 00/72] 4.16.9-stable review Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 01/72] ipvs: fix rtnl_lock lockups caused by start_sync_thread Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 02/72] netfilter: ebtables: dont attempt to allocate 0-sized compat array Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 03/72] clk: ti: fix flag space conflict with clkctrl clocks Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 04/72] kcm: Call strp_stop before strp_done in kcm_attach Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 05/72] rds: tcp: must use spin_lock_irq* and not spin_lock_bh with rds_tcp_conn_lock Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 06/72] crypto: af_alg - fix possible uninit-value in alg_bind() Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 07/72] netlink: fix uninit-value in netlink_sendmsg Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 08/72] net: fix rtnh_ok() Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 09/72] net: initialize skb->peeked when cloning Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 10/72] net: fix uninit-value in __hw_addr_add_ex() Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 11/72] dccp: initialize ireq->ir_mark Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 12/72] ipv4: fix uninit-value in ip_route_output_key_hash_rcu() Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 13/72] soreuseport: initialise timewait reuseport field Greg Kroah-Hartman
2018-05-14 6:48 ` Greg Kroah-Hartman [this message]
2018-05-14 6:48 ` [PATCH 4.16 15/72] bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 16/72] memcg: fix per_node_info cleanup Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 17/72] perf: Remove superfluous allocation error check Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 18/72] i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr() Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 19/72] tcp: fix TCP_REPAIR_QUEUE bound checking Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 20/72] bdi: wake up concurrent wb_shutdown() callers Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 21/72] bdi: Fix use after free bug in debugfs_remove() Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 22/72] bdi: Fix oops in wb_workfn() Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 23/72] compat: fix 4-byte infoleak via uninitialized struct field Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 24/72] gpioib: do not free unrequested descriptors Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 25/72] gpio: fix aspeed_gpio unmask irq Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 26/72] gpio: fix error path in lineevent_create Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 27/72] rfkill: gpio: fix memory leak in probe error path Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 28/72] libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 29/72] dm integrity: use kvfree for kvmallocd memory Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 30/72] tracing: Fix regex_match_front() to not over compare the test string Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 31/72] z3fold: fix reclaim lock-ups Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 32/72] mm: sections are not offlined during memory hotremove Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 33/72] mm, oom: fix concurrent munlock and oom reaper unmap, v3 Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 34/72] ceph: fix rsize/wsize capping in ceph_direct_read_write() Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 35/72] can: flexcan: fix endianess detection Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 36/72] can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 37/72] can: hi311x: Acquire SPI lock on ->do_get_berr_counter Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 38/72] can: hi311x: Work around TX complete interrupt erratum Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 39/72] mtd: rawnand: marvell: pass ms delay to wait_op Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 40/72] mtd: rawnand: marvell: fix command xtype in BCH write hook Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 41/72] mtd: rawnand: Make sure we wait tWB before polling the STATUS reg Greg Kroah-Hartman
2018-05-14 7:32 ` Geert Uytterhoeven
2018-05-14 9:04 ` Greg Kroah-Hartman
2018-05-14 9:09 ` Boris Brezillon
2018-05-14 10:54 ` Geert Uytterhoeven
2018-05-14 9:32 ` Geert Uytterhoeven
2018-05-14 16:50 ` Greg Kroah-Hartman
2018-05-14 6:48 ` [PATCH 4.16 42/72] drm/vc4: Fix scaling of uni-planar formats Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 43/72] drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 44/72] drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 45/72] drm/i915: Adjust eDPs logical vco in a reliable place Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 46/72] drm/nouveau: Fix deadlock in nv50_mstm_register_connector() Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 47/72] drm/nouveau/ttm: dont dereference nvbo::cli, it can outlive client Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 48/72] drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 49/72] drm/atomic: Clean private obj " Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 50/72] net: atm: Fix potential Spectre v1 Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 51/72] atm: zatm: " Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 52/72] PCI / PM: Always check PME wakeup capability for runtime wakeup support Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 53/72] PCI / PM: Check device_may_wakeup() in pci_enable_wake() Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 54/72] cpufreq: schedutil: Avoid using invalid next_freq Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 55/72] arm: dts: imx[35]*: declare flexcan devices to be compatible to imx25s flexcan Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 56/72] Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 57/72] Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 58/72] Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 59/72] thermal: exynos: Reading temperature makes sense only when TMU is turned on Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 60/72] thermal: exynos: Propagate error value from tmu_read() Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 61/72] nvme: add quirk to force medium priority for SQ creation Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 62/72] nvme: Fix sync controller reset return Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 63/72] smb3: directory sync should not return an error Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 64/72] swiotlb: silent unwanted warning "buffer is full" Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 65/72] sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 66/72] sched/autogroup: " Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 67/72] tracing/uprobe_event: Fix strncpy corner case Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 68/72] perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 69/72] perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 70/72] perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 71/72] perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] Greg Kroah-Hartman
2018-05-14 6:49 ` [PATCH 4.16 72/72] perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Greg Kroah-Hartman
2018-05-14 13:45 ` [PATCH 4.16 00/72] 4.16.9-stable review kernelci.org bot
2018-05-14 16:27 ` Guenter Roeck
2018-05-14 16:51 ` Greg Kroah-Hartman
2018-05-14 22:01 ` Shuah Khan
2018-05-15 6:47 ` Greg Kroah-Hartman
2018-05-15 5:31 ` Naresh Kamboju
2018-05-15 6:47 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180514064823.648455591@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.