From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 05/22] net: igmp: add a missing rcu locking section
Date: Fri, 9 Feb 2018 14:39:54 +0100 [thread overview]
Message-ID: <20180209133934.423549422@linuxfoundation.org> (raw)
In-Reply-To: <20180209133934.024795822@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit e7aadb27a5415e8125834b84a74477bfbee4eff5 ]
Newly added igmpv3_get_srcaddr() needs to be called under rcu lock.
Timer callbacks do not ensure this locking.
=============================
WARNING: suspicious RCU usage
4.15.0+ #200 Not tainted
-----------------------------
./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syzkaller616973/4074:
#0: (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355
#1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
#1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
#2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
#2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600
stack backtrace:
CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
__in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
expire_timers kernel/time/timer.c:1363 [inline]
__run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1cc/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:541 [inline]
smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/igmp.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -386,7 +386,11 @@ static struct sk_buff *igmpv3_newpack(st
pip->frag_off = htons(IP_DF);
pip->ttl = 1;
pip->daddr = fl4.daddr;
+
+ rcu_read_lock();
pip->saddr = igmpv3_get_srcaddr(dev, &fl4);
+ rcu_read_unlock();
+
pip->protocol = IPPROTO_IGMP;
pip->tot_len = 0; /* filled in later */
ip_select_ident(net, skb, NULL);
next prev parent reply other threads:[~2018-02-09 13:54 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-09 13:39 [PATCH 4.14 00/22] 4.14.19-stable review Greg Kroah-Hartman
2018-02-09 13:39 ` [PATCH 4.14 01/22] .gitignore: sort normal pattern rules alphabetically Greg Kroah-Hartman
2018-02-09 13:39 ` [PATCH 4.14 02/22] .gitignore: move *.dtb and *.dtb.S patterns to the top-level .gitignore Greg Kroah-Hartman
2018-02-09 13:39 ` [PATCH 4.14 03/22] kbuild: rpm-pkg: keep spec file until make mrproper Greg Kroah-Hartman
2018-02-09 13:39 ` [PATCH 4.14 04/22] ip6mr: fix stale iterator Greg Kroah-Hartman
2018-02-09 13:39 ` Greg Kroah-Hartman [this message]
2018-02-09 13:39 ` [PATCH 4.14 06/22] qlcnic: fix deadlock bug Greg Kroah-Hartman
2018-02-09 13:39 ` [PATCH 4.14 07/22] qmi_wwan: Add support for Quectel EP06 Greg Kroah-Hartman
2018-02-09 13:39 ` [PATCH 4.14 08/22] r8169: fix RTL8168EP take too long to complete driver initialization Greg Kroah-Hartman
2018-02-09 13:39 ` [PATCH 4.14 09/22] tcp: release sk_frag.page in tcp_disconnect Greg Kroah-Hartman
2018-02-09 13:39 ` [PATCH 4.14 10/22] vhost_net: stop device during reset owner Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 11/22] Revert "defer call to mem_cgroup_sk_alloc()" Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 12/22] net: ipv6: send unsolicited NA after DAD Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 13/22] rocker: fix possible null pointer dereference in rocker_router_fib_event_work Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 14/22] tcp_bbr: fix pacing_gain to always be unity when using lt_bw Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 15/22] ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 16/22] soreuseport: fix mem leak in reuseport_add_sock() Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 17/22] media: mtk-vcodec: add missing MODULE_LICENSE/DESCRIPTION Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 18/22] media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 19/22] crypto: tcrypt - fix S/G table for test_aead_speed() Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 20/22] arch: define weak abort() Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 21/22] kernel/exit.c: export abort() to modules Greg Kroah-Hartman
2018-02-09 13:40 ` [PATCH 4.14 22/22] scsi: storvsc: missing error code in storvsc_probe() Greg Kroah-Hartman
2018-02-09 18:01 ` [PATCH 4.14 00/22] 4.14.19-stable review Timur Tabi
2018-02-09 18:18 ` Greg Kroah-Hartman
2018-02-09 18:20 ` Timur Tabi
2018-02-09 19:36 ` kernelci.org bot
2018-02-09 20:23 ` Kevin Hilman
2018-02-09 20:19 ` Shuah Khan
2018-02-09 21:30 ` Dan Rue
2018-02-10 15:47 ` Guenter Roeck
2018-02-13 9:19 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180209133934.423549422@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).