From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>,
Taehee Yoo <ap420073@gmail.com>, Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.15 56/98] ipv6: fix lockdep splat in in6_dump_addrs()
Date: Tue, 5 Jul 2022 13:58:14 +0200 [thread overview]
Message-ID: <20220705115619.173684342@linuxfoundation.org> (raw)
In-Reply-To: <20220705115617.568350164@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
commit 4e43e64d0f1332fcc503babad4dc31aead7131ca upstream.
As reported by syzbot, we should not use rcu_dereference()
when rcu_read_lock() is not held.
WARNING: suspicious RCU usage
5.19.0-rc2-syzkaller #0 Not tainted
net/ipv6/addrconf.c:5175 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor326/3617:
#0: ffffffff8d5848e8 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0xae/0xc20 net/netlink/af_netlink.c:2223
stack backtrace:
CPU: 0 PID: 3617 Comm: syz-executor326 Not tainted 5.19.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
in6_dump_addrs+0x12d1/0x1790 net/ipv6/addrconf.c:5175
inet6_dump_addr+0x9c1/0xb50 net/ipv6/addrconf.c:5300
netlink_dump+0x541/0xc20 net/netlink/af_netlink.c:2275
__netlink_dump_start+0x647/0x900 net/netlink/af_netlink.c:2380
netlink_dump_start include/linux/netlink.h:245 [inline]
rtnetlink_rcv_msg+0x73e/0xc90 net/core/rtnetlink.c:6046
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x6eb/0x810 net/socket.c:2492
___sys_sendmsg+0xf3/0x170 net/socket.c:2546
__sys_sendmsg net/socket.c:2575 [inline]
__do_sys_sendmsg net/socket.c:2584 [inline]
__se_sys_sendmsg net/socket.c:2582 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2582
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Fixes: 88e2ca308094 ("mld: convert ifmcaddr6 to RCU")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Taehee Yoo <ap420073@gmail.com>
Link: https://lore.kernel.org/r/20220628121248.858695-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/addrconf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5166,9 +5166,9 @@ next:
fillargs->event = RTM_GETMULTICAST;
/* multicast address */
- for (ifmca = rcu_dereference(idev->mc_list);
+ for (ifmca = rtnl_dereference(idev->mc_list);
ifmca;
- ifmca = rcu_dereference(ifmca->next), ip_idx++) {
+ ifmca = rtnl_dereference(ifmca->next), ip_idx++) {
if (ip_idx < s_ip_idx)
continue;
err = inet6_fill_ifmcaddr(skb, ifmca, fillargs);
next prev parent reply other threads:[~2022-07-05 12:21 UTC|newest]
Thread overview: 109+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-05 11:57 [PATCH 5.15 00/98] 5.15.53-rc1 review Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 01/98] Revert "drm/amdgpu/display: set vblank_disable_immediate for DC" Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 02/98] drm/amdgpu: To flush tlb for MMHUB of RAVEN series Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 03/98] ksmbd: set the range of bytes to zero without extending file size in FSCTL_ZERO_DATA Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 04/98] ksmbd: check invalid FileOffset and BeyondFinalZero " Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 05/98] ksmbd: use vfs_llseek instead of dereferencing NULL Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 06/98] ipv6: take care of disable_policy when restoring routes Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 07/98] net: phy: Dont trigger state machine while in suspend Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 08/98] nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA XPG SX6000LNP (AKA SPECTRIX S40G) Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 09/98] nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA IM2P33F8ABR1 Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 10/98] nvdimm: Fix badblocks clear off-by-one error Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 11/98] powerpc/prom_init: Fix kernel config grep Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 12/98] powerpc/book3e: Fix PUD allocation size in map_kernel_page() Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 13/98] powerpc/bpf: Fix use of user_pt_regs in uapi Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 14/98] dm raid: fix accesses beyond end of raid member array Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 15/98] dm raid: fix KASAN warning in raid5_add_disks Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 16/98] s390/archrandom: simplify back to earlier design and initialize earlier Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 17/98] SUNRPC: Fix READ_PLUS crasher Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 18/98] net: rose: fix UAF bugs caused by timer handler Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 19/98] net: usb: ax88179_178a: Fix packet receiving Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 20/98] virtio-net: fix race between ndo_open() and virtio_device_ready() Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 21/98] selftests/net: pass ipv6_args to udpgso_benchs IPv6 TCP test Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 22/98] net: dsa: bcm_sf2: force pause link settings Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 23/98] net: tun: unlink NAPI from device on destruction Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 24/98] net: tun: stop NAPI when detaching queues Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 25/98] net: dp83822: disable false carrier interrupt Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 26/98] net: dp83822: disable rx error interrupt Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 27/98] RDMA/qedr: Fix reporting QP timeout attribute Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 28/98] RDMA/cm: Fix memory leak in ib_cm_insert_listen Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 29/98] linux/dim: Fix divide by 0 in RDMA DIM Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 30/98] net: usb: asix: do not force pause frames support Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 31/98] usbnet: fix memory allocation in helpers Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 32/98] selftests: mptcp: more stable diag tests Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 33/98] net: ipv6: unexport __init-annotated seg6_hmac_net_init() Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 34/98] NFSD: restore EINVAL error translation in nfsd_commit() Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 35/98] vfs: fix copy_file_range() regression in cross-fs copies Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 36/98] caif_virtio: fix race between virtio_device_ready() and ndo_open() Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 37/98] PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 38/98] vdpa/mlx5: Update Control VQ callback information Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 39/98] s390: remove unneeded select BUILD_BIN2C Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 40/98] netfilter: nft_dynset: restore set element counter when failing to update Greg Kroah-Hartman
2022-07-05 11:57 ` [PATCH 5.15 41/98] net/dsa/hirschmann: Add missing of_node_get() in hellcreek_led_setup() Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 42/98] net/sched: act_api: Notify user space if any actions were flushed before error Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 43/98] net: asix: fix "cant send until first packet is send" issue Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 44/98] net: bonding: fix possible NULL deref in rlb code Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 45/98] net: phy: ax88772a: fix lost pause advertisement configuration Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 46/98] net: bonding: fix use-after-free after 802.3ad slave unbind Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 47/98] powerpc/memhotplug: Add add_pages override for PPC Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 48/98] nfc: nfcmrvl: Fix irq_of_parse_and_map() return value Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 49/98] NFC: nxp-nci: Dont issue a zero length i2c_master_read() Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 50/98] tipc: move bc link creation back to tipc_node_create Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 51/98] epic100: fix use after free on rmmod Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 52/98] io_uring: ensure that send/sendmsg and recv/recvmsg check sqe->ioprio Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 53/98] ACPI: video: Change how we determine if brightness key-presses are handled Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 54/98] tunnels: do not assume mac header is set in skb_tunnel_check_pmtu() Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 55/98] ipv6/sit: fix ipip6_tunnel_get_prl return value Greg Kroah-Hartman
2022-07-05 11:58 ` Greg Kroah-Hartman [this message]
2022-07-05 11:58 ` [PATCH 5.15 57/98] mlxsw: spectrum_router: Fix rollback in tunnel next hop init Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 58/98] net: tun: avoid disabling NAPI twice Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 59/98] MAINTAINERS: add Leah as xfs maintainer for 5.15.y Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 60/98] tcp: add a missing nf_reset_ct() in 3WHS handling Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 61/98] selftests/bpf: Add test_verifier support to fixup kfunc call insns Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 62/98] selftests/rseq: remove ARRAY_SIZE define from individual tests Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 63/98] selftests/rseq: introduce own copy of rseq uapi header Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 64/98] selftests/rseq: Remove useless assignment to cpu variable Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 65/98] selftests/rseq: Remove volatile from __rseq_abi Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 66/98] selftests/rseq: Introduce rseq_get_abi() helper Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 67/98] selftests/rseq: Introduce thread pointer getters Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 68/98] selftests/rseq: Uplift rseq selftests for compatibility with glibc-2.35 Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 69/98] selftests/rseq: Fix ppc32: wrong rseq_cs 32-bit field pointer on big endian Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 70/98] selftests/rseq: Fix ppc32 missing instruction selection "u" and "x" for load/store Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 71/98] selftests/rseq: Fix ppc32 offsets by using long rather than off_t Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 72/98] selftests/rseq: Fix warnings about #if checks of undefined tokens Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 73/98] selftests/rseq: Remove arm/mips asm goto compiler work-around Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 74/98] selftests/rseq: Fix: work-around asm goto compiler bugs Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 75/98] selftests/rseq: x86-64: use %fs segment selector for accessing rseq thread area Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 76/98] selftests/rseq: x86-32: use %gs " Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 77/98] selftests/rseq: Change type of rseq_offset to ptrdiff_t Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 78/98] xen/blkfront: fix leaking data in shared pages Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 79/98] xen/netfront: " Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 80/98] xen/netfront: force data bouncing when backend is untrusted Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 81/98] xen/blkfront: " Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 82/98] xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses() Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 83/98] xen/arm: Fix race in RB-tree based P2M accounting Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 84/98] net: usb: qmi_wwan: add Telit 0x1070 composition Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 85/98] clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 86/98] net: fix IFF_TX_SKB_NO_LINEAR definition Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 87/98] drm/i915/gem: add missing else Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 88/98] drm/msm/gem: Fix error return on fence id alloc fail Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 89/98] drivers: cpufreq: Add missing of_node_put() in qoriq-cpufreq.c Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 90/98] platform/x86: panasonic-laptop: de-obfuscate button codes Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 91/98] platform/x86: panasonic-laptop: sort includes alphabetically Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 92/98] platform/x86: panasonic-laptop: revert "Resolve hotkey double trigger bug" Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 93/98] platform/x86: panasonic-laptop: dont report duplicate brightness key-presses Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 94/98] platform/x86: panasonic-laptop: filter out duplicate volume up/down/mute keypresses Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 95/98] drm/fourcc: fix integer type usage in uapi header Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 96/98] hwmon: (occ) Remove sequence numbering and checksum calculation Greg Kroah-Hartman
2022-07-06 6:43 ` Joel Stanley
2022-07-06 7:02 ` Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 97/98] hwmon: (occ) Prevent power cap command overwriting poll response Greg Kroah-Hartman
2022-07-05 11:58 ` [PATCH 5.15 98/98] hwmon: (ibmaem) dont call platform_device_del() if platform_device_add() fails Greg Kroah-Hartman
2022-07-05 14:35 ` [PATCH 5.15 00/98] 5.15.53-rc1 review Jon Hunter
2022-07-05 18:35 ` Florian Fainelli
2022-07-06 6:44 ` Naresh Kamboju
2022-07-06 7:46 ` Bagas Sanjaya
2022-07-06 7:52 ` Ron Economos
2022-07-06 10:15 ` Sudip Mukherjee (Codethink)
2022-07-06 13:44 ` Guenter Roeck
2022-07-06 23:54 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220705115619.173684342@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ap420073@gmail.com \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox