Date: Tue, 5 May 2026 13:32:33 +0000
X-Mailing-List: netdev@vger.kernel.org
Message-ID: <20260505133233.3039575-1-edumazet@google.com>
Subject: [PATCH net]
 inetpeer: add a missing read_seqretry() in inet_getpeer()
From: Eric Dumazet
To: "David S . Miller", Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, netdev@vger.kernel.org, eric.dumazet@gmail.com, Eric Dumazet, Damiano Melotti

When performing a lockless lookup over the inet_peer rbtree, if a matching
node is found, inet_getpeer() returns it immediately without validating the
seqlock sequence.

This missing check introduces a race condition:

Trigger Path: When a host receives an incoming fragmented IPv4 packet,
ip4_frag_init() (in net/ipv4/ip_fragment.c) calls inet_getpeer_v4() to
track the peer.

The Race: If the packet is from a new source IP, CPU A acquires the
write_seqlock, allocates a new inet_peer node (p), sets its IP address
(daddr), and links it to the rbtree (rb_link_node).

Uninitialized Access: Due to the lack of memory barriers between
rb_link_node and the initialization of the rest of the struct (like
refcount_set(&p->refcnt, 1)), CPU A can make the node visible to readers
before its refcnt is initialized. This is especially true on weakly-ordered
architectures like ARM64 where the CPU can reorder the memory stores.

Lockless Reader: Concurrently, CPU B processes a second fragmented packet
from the same source IP. CPU B does a lockless lookup, finds the newly
inserted node, and returns it immediately.

Use-After-Free (UAF): CPU B reads p->refcnt as uninitialized garbage (left
over from previous kmalloc-128/192 allocations). If the garbage is > 0,
refcount_inc_not_zero(&p->refcnt) succeeds. CPU A then executes
refcount_set(&p->refcnt, 1), overwriting CPU B's increment. When CPU B
finishes with the fragment queue, it calls inet_putpeer(), which drops the
refcount to 0 and frees the node via RCU. The node is now freed but remains
linked in the rbtree, resulting in a Use-After-Free in the rbtree.

Fixes: b145425f269a ("inetpeer: remove AVL implementation in favor of RB tree")
Reported-by: Damiano Melotti
Signed-off-by: Eric Dumazet
---
 net/ipv4/inetpeer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index d8083b9033c2722bc03876da91b4f0b83da003b8..5b957a831e7c39f2e9b224469f0eba4703833475 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -179,7 +179,8 @@ struct inet_peer *inet_getpeer(struct inet_peer_base *base, seq = read_seqbegin(&base->lock); p = lookup(daddr, base, seq, NULL, &gc_cnt, &parent, &pp); - if (p) + /* Make sure tree was not modified during our lookup. */ + if (p && !read_seqretry(&base->lock, seq)) return p; /* retry an exact lookup, taking the lock before.
-- 
2.54.0.545.g6539524ca2-goog
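Review bot: the added read_seqretry() is the right guard, but the `+` comment ("Make sure tree was not modified during our lookup.") names only the tree change, not the hazard the commit message describes: a node that lookup() returned may have been linked by a concurrent writer before its refcnt was initialised, and the failed retry check is what sends this path down to the locked lookup in the following context line ("retry an exact lookup, taking the lock before."). Suggest saying so in the comment so a future cleanup does not simplify the condition back to `if (p)`, e.g. `/* A node linked by a concurrent writer may not be fully initialized yet; retry under the lock if the tree changed. */`.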