From patchwork Thu Feb 1 18:26:57 2018
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 868366
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1517509617.3715.120.camel@gmail.com>
Subject: [PATCH net] net: igmp: add a missing rcu locking section
From: Eric Dumazet
To: David Miller
Cc: netdev, Kevin Cernekee
Date: Thu, 01 Feb 2018 10:26:57 -0800
X-Mailer: Evolution 3.22.6-1+deb9u1
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

Newly added igmpv3_get_srcaddr() needs to be called under rcu lock.
Timer callbacks do not ensure this locking.
Signed-off-by: Stephen Hemminger

=============================
WARNING: suspicious RCU usage
4.15.0+ #200 Not tainted
-----------------------------
./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syzkaller616973/4074:
 #0:  (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355
 #1:  ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
 #1:  ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
 #2:  (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
 #2:  (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600

stack backtrace:
CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 __in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
 igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
 igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
 add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
 add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
 igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
 igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
 igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938

Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
---
 net/ipv4/igmp.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 10f7f74a0831ee3d4d6720552dfa91fddeb4c31a..f2402581fef1b559c0952e142a682d596d4be5b5 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -386,7 +386,11 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
 	pip->frag_off = htons(IP_DF);
 	pip->ttl = 1;
 	pip->daddr = fl4.daddr;
+
+	rcu_read_lock();
 	pip->saddr = igmpv3_get_srcaddr(dev, &fl4);
+	rcu_read_unlock();
+
 	pip->protocol = IPPROTO_IGMP;
 	pip->tot_len = 0; /* filled in later */
 	ip_select_ident(net, skb, NULL);
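Review bot: the rcu_read_lock()/rcu_read_unlock() pair in igmpv3_newpack() is scoped to exactly the call lockdep flagged (igmpv3_get_srcaddr() at net/ipv4/igmp.c:389, reached from igmp_timer_expire() via run_timer_softirq()), and since the helper hands its result back by value into pip->saddr, nothing RCU-protected outlives the critical section, so the narrow scope is correct; what the hunk lacks is a comment saying why the lock is needed at all, because the splat shows the caller already holds im->lock via spin_lock_bh() and a bh-disabled timer softirq is still not a regular RCU read-side section as far as the rcu_dereference_check() in __in_dev_get_rcu() is concerned, which is easy to misread later as redundant locking; a one-liner above rcu_read_lock() such as "/* igmpv3_get_srcaddr() uses __in_dev_get_rcu() */" would keep the next reader from re-deriving that from the lockdep report. Separately, the trailer block is out of order: a "Signed-off-by: Stephen Hemminger" line sits above the lockdep report while Fixes:, the author's Signed-off-by and Reported-by: syzbot come after it; the trailers should be grouped together at the end of the description.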