[PATCH 4.14 005/105] net: fix data-race in neigh_event_send()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	syzbot <syzkaller@googlegroups.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 005/105] net: fix data-race in neigh_event_send()
Date: Mon, 11 Nov 2019 19:27:35 +0100	[thread overview]
Message-ID: <20191111181424.282111152@linuxfoundation.org> (raw)
In-Reply-To: <20191111181421.390326245@linuxfoundation.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 1b53d64435d56902fc234ff2507142d971a09687 ]

KCSAN reported the following data-race [1]

The fix will also prevent the compiler from optimizing out
the condition.

[1]

BUG: KCSAN: data-race in neigh_resolve_output / neigh_resolve_output

write to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 1:
 neigh_event_send include/net/neighbour.h:443 [inline]
 neigh_resolve_output+0x78/0x480 net/core/neighbour.c:1474
 neigh_output include/net/neighbour.h:511 [inline]
 ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
 ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
 dst_output include/net/dst.h:436 [inline]
 ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
 ip_queue_xmit+0x45/0x60 include/net/ip.h:237
 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
 tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
 __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
 tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
 tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
 tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598
 tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:618

read to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 0:
 neigh_event_send include/net/neighbour.h:442 [inline]
 neigh_resolve_output+0x57/0x480 net/core/neighbour.c:1474
 neigh_output include/net/neighbour.h:511 [inline]
 ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
 ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
 dst_output include/net/dst.h:436 [inline]
 ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
 ip_queue_xmit+0x45/0x60 include/net/ip.h:237
 __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
 tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
 __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
 tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
 tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
 tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/neighbour.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -429,8 +429,8 @@ static inline int neigh_event_send(struc
 {
 	unsigned long now = jiffies;
 	
-	if (neigh->used != now)
-		neigh->used = now;
+	if (READ_ONCE(neigh->used) != now)
+		WRITE_ONCE(neigh->used, now);
 	if (!(neigh->nud_state&(NUD_CONNECTED|NUD_DELAY|NUD_PROBE)))
 		return __neigh_event_send(neigh, skb);
 	return 0;

next prev parent reply	other threads:[~2019-11-11 18:36 UTC|newest]

Thread overview: 116+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-11 18:27 [PATCH 4.14 000/105] 4.14.154-stable review Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 001/105] bonding: fix state transition issue in link monitoring Greg Kroah-Hartman
2019-11-13  9:55   ` Po-Hsu Lin
2019-11-11 18:27 ` [PATCH 4.14 002/105] CDC-NCM: handle incomplete transfer of MTU Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 003/105] ipv4: Fix table id reference in fib_sync_down_addr Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 004/105] net: ethernet: octeon_mgmt: Account for second possible VLAN header Greg Kroah-Hartman
2019-11-11 18:27 ` Greg Kroah-Hartman [this message]
2019-11-11 18:27 ` [PATCH 4.14 006/105] net: qualcomm: rmnet: Fix potential UAF when unregistering Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 007/105] net: usb: qmi_wwan: add support for DW5821e with eSIM support Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 008/105] NFC: fdp: fix incorrect free object Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 009/105] nfc: netlink: fix double device reference drop Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 010/105] NFC: st21nfca: fix double free Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 011/105] qede: fix NULL pointer deref in __qede_remove() Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 012/105] ALSA: timer: Fix incorrectly assigned timer instance Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 013/105] ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 014/105] ALSA: hda/ca0132 - Fix possible workqueue stall Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 015/105] mm, meminit: recalculate pcpu batch and high limits after init completes Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 016/105] mm: thp: handle page cache THP correctly in PageTransCompoundMap Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 017/105] mm, vmstat: hide /proc/pagetypeinfo from normal users Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 018/105] dump_stack: avoid the livelock of the dump_lock Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 019/105] tools: gpio: Use !building_out_of_srctree to determine srctree Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 020/105] perf tools: Fix time sorting Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 021/105] drm/radeon: fix si_enable_smc_cac() failed issue Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 022/105] HID: wacom: generic: Treat serial number and related fields as unsigned Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 023/105] arm64: Do not mask out PTE_RDONLY in pte_same() Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 024/105] ceph: fix use-after-free in __ceph_remove_cap() Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 025/105] ceph: add missing check in d_revalidate snapdir handling Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 026/105] iio: adc: stm32-adc: fix stopping dma Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 027/105] iio: imu: adis16480: make sure provided frequency is positive Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 028/105] iio: srf04: fix wrong limitation in distance measuring Greg Kroah-Hartman
2019-11-11 18:27 ` [PATCH 4.14 029/105] netfilter: nf_tables: Align nft_expr private data to 64-bit Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 030/105] netfilter: ipset: Fix an error code in ip_set_sockfn_get() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 031/105] intel_th: pci: Add Comet Lake PCH support Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 032/105] intel_th: pci: Add Jasper " Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 033/105] can: usb_8dev: fix use-after-free on disconnect Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 034/105] can: c_can: c_can_poll(): only read status register after status IRQ Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 035/105] can: peak_usb: fix a potential out-of-sync while decoding packets Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 036/105] can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 037/105] can: gs_usb: gs_can_open(): prevent memory leak Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 038/105] can: mcba_usb: fix use-after-free on disconnect Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 039/105] can: peak_usb: fix slab info leak Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 040/105] configfs: Fix bool initialization/comparison Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 041/105] configfs: stash the data we need into configfs_buffer at open time Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 042/105] configfs_register_group() shouldnt be (and isnt) called in rmdirable parts Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 043/105] configfs: new object reprsenting tree fragments Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 044/105] configfs: provide exclusion between IO and removals Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 045/105] configfs: fix a deadlock in configfs_symlink() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 046/105] usb: dwc3: Allow disabling of metastability workaround Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 047/105] mfd: palmas: Assign the right powerhold mask for tps65917 Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 048/105] ASoC: tlv320aic31xx: Handle inverted BCLK in non-DSP modes Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 049/105] mtd: spi-nor: enable 4B opcodes for mx66l51235l Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 050/105] mtd: spi-nor: cadence-quadspi: add a delay in write sequence Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 051/105] misc: pci_endpoint_test: Prevent some integer overflows Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 052/105] PCI: dra7xx: Add shutdown handler to cleanly turn off clocks Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 053/105] misc: pci_endpoint_test: Fix BUG_ON error during pci_disable_msi() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 054/105] mailbox: reset txdone_method TXDONE_BY_POLL if client knows_txdone Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 055/105] ASoC: tlv320dac31xx: mark expected switch fall-through Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 056/105] ASoC: davinci-mcasp: Handle return value of devm_kasprintf Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 057/105] ASoC: davinci: Kill BUG_ON() usage Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 058/105] ASoC: davinci-mcasp: Fix an error handling path in davinci_mcasp_probe() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 059/105] i2c: omap: Trigger bus recovery in lockup case Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 060/105] cpufreq: ti-cpufreq: add missing of_node_put() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 061/105] ARM: dts: dra7: Disable USB metastability workaround for USB2 Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 062/105] sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 063/105] sched/fair: Fix -Wunused-but-set-variable warnings Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 064/105] lib/scatterlist: Introduce sgl_alloc() and sgl_free() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 065/105] usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 066/105] usbip: stub_rx: fix static checker warning on unnecessary checks Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 067/105] usbip: Implement SG support to vhci-hcd and stub driver Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 068/105] PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 069/105] dmaengine: xilinx_dma: Fix control reg update in vdma_channel_set_config Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 070/105] HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 071/105] RDMA/qedr: Fix reported firmware version Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 072/105] net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 073/105] scsi: qla2xxx: fixup incorrect usage of host_byte Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 074/105] RDMA/uverbs: Prevent potential underflow Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 075/105] net: openvswitch: free vport unless register_netdevice() succeeds Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 076/105] scsi: lpfc: Honor module parameter lpfc_use_adisc Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 077/105] scsi: qla2xxx: Initialized mailbox to prevent driver load failure Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 078/105] ipvs: dont ignore errors in case refcounting ip_vs module fails Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 079/105] ipvs: move old_secure_tcp into struct netns_ipvs Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 080/105] bonding: fix unexpected IFF_BONDING bit unset Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 081/105] macsec: fix refcnt leak in module exit routine Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 082/105] usb: fsl: Check memory resource before releasing it Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 083/105] usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 084/105] usb: gadget: composite: Fix possible double free memory bug Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 085/105] usb: gadget: configfs: fix concurrent issue between composite APIs Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 086/105] usb: dwc3: remove the call trace of USBx_GFLADJ Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 087/105] perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 088/105] perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h) Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.14 089/105] USB: Skip endpoints with 0 maxpacket length Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 090/105] USB: ldusb: use unsigned size format specifiers Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 091/105] RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 092/105] scsi: qla2xxx: stop timer in shutdown path Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 093/105] fjes: Handle workqueue allocation failure Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 094/105] net: hisilicon: Fix "Trying to free already-free IRQ" Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 095/105] hv_netvsc: Fix error handling in netvsc_attach() Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 096/105] NFSv4: Dont allow a cached open with a revoked delegation Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 097/105] net: ethernet: arc: add the missed clk_disable_unprepare Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 098/105] igb: Fix constant media auto sense switching when no cable is connected Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 099/105] e1000: fix memory leaks Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 100/105] x86/apic: Move pending interrupt check code into its own function Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 101/105] x86/apic: Drop logical_smp_processor_id() inline Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 102/105] x86/apic/32: Avoid bogus LDR warnings Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 103/105] can: flexcan: disable completely the ECC mechanism Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 104/105] mm/filemap.c: dont initiate writeback if mapping has no dirty pages Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.14 105/105] cgroup,writeback: dont switch wbs immediately on dead wbs if the memcg is dead Greg Kroah-Hartman
2019-11-12  2:19 ` [PATCH 4.14 000/105] 4.14.154-stable review kernelci.org bot
2019-11-12  5:10   ` Greg Kroah-Hartman
2019-11-12  5:19     ` Greg Kroah-Hartman
2019-11-12  5:28 ` Greg Kroah-Hartman
2019-11-12 12:01   ` Jon Hunter
2019-11-12 12:01     ` Jon Hunter
2019-11-12 13:52     ` Greg Kroah-Hartman
2019-11-12 13:26   ` Naresh Kamboju
2019-11-12 18:19 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191111181424.282111152@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzkaller@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.