kernel-fxtec-pro1x/net/ipv6
Eric Dumazet 67f028acac tcp: annotate tp->rcv_nxt lockless reads
[ Upstream commit dba7d9b8c739df27ff3a234c81d6c6b23e3986fa ]

There are a few places where we fetch tp->rcv_nxt while
this field can change from IRQ or another cpu.

We need to add READ_ONCE() annotations, and also make
sure write sides use corresponding WRITE_ONCE() to avoid
store-tearing.

Note that tcp_inq_hint() was already using READ_ONCE(tp->rcv_nxt).

syzbot reported:

BUG: KCSAN: data-race in tcp_poll / tcp_queue_rcv

write to 0xffff888120425770 of 4 bytes by interrupt on cpu 0:
 tcp_rcv_nxt_update net/ipv4/tcp_input.c:3365 [inline]
 tcp_queue_rcv+0x180/0x380 net/ipv4/tcp_input.c:4638
 tcp_rcv_established+0xbf1/0xf50 net/ipv4/tcp_input.c:5616
 tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1542
 tcp_v4_rcv+0x1a03/0x1bf0 net/ipv4/tcp_ipv4.c:1923
 ip_protocol_deliver_rcu+0x51/0x470 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:442 [inline]
 ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5004
 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5118
 netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5208
 napi_skb_finish net/core/dev.c:5671 [inline]
 napi_gro_receive+0x28f/0x330 net/core/dev.c:5704
 receive_buf+0x284/0x30b0 drivers/net/virtio_net.c:1061

read to 0xffff888120425770 of 4 bytes by task 7254 on cpu 1:
 tcp_stream_is_readable net/ipv4/tcp.c:480 [inline]
 tcp_poll+0x204/0x6b0 net/ipv4/tcp.c:554
 sock_poll+0xed/0x250 net/socket.c:1256
 vfs_poll include/linux/poll.h:90 [inline]
 ep_item_poll.isra.0+0x90/0x190 fs/eventpoll.c:892
 ep_send_events_proc+0x113/0x5c0 fs/eventpoll.c:1749
 ep_scan_ready_list.constprop.0+0x189/0x500 fs/eventpoll.c:704
 ep_send_events fs/eventpoll.c:1793 [inline]
 ep_poll+0xe3/0x900 fs/eventpoll.c:1930
 do_epoll_wait+0x162/0x180 fs/eventpoll.c:2294
 __do_sys_epoll_pwait fs/eventpoll.c:2325 [inline]
 __se_sys_epoll_pwait fs/eventpoll.c:2311 [inline]
 __x64_sys_epoll_pwait+0xcd/0x170 fs/eventpoll.c:2311
 do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 7254 Comm: syz-fuzzer Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-09 10:19:08 +01:00
ila ila: Fix rhashtable walker list corruption 2019-04-03 06:26:18 +02:00
netfilter netfilter: masquerade: don't flush all conntracks if only one address deleted on device 2019-11-20 18:47:52 +01:00
addrconf.c net/ipv6: re-do dad when interface has IFF_NOARP flag change 2019-12-13 08:51:41 +01:00
addrconf_core.c
addrlabel.c
af_inet6.c
ah6.c
anycast.c
calipso.c
datagram.c udp: correct reuseport selection with connected sockets 2019-09-21 07:16:43 +02:00
esp6.c
esp6_offload.c
exthdrs.c
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c
fou6.c
icmp.c
inet6_connection_sock.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:13:37 +01:00
inet6_hashtables.c tcp/dccp: fix possible race __inet_lookup_established() 2020-01-04 19:13:41 +01:00
ip6_checksum.c
ip6_fib.c ipv6: Unlink sibling route in case of failure 2019-07-28 08:29:24 +02:00
ip6_flowlabel.c ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero 2019-06-22 08:15:13 +02:00
ip6_gre.c ip6_gre: do not confirm neighbor when do pmtu update 2020-01-04 19:13:37 +01:00
ip6_icmp.c
ip6_input.c net: ipv6: fix listify ip6_rcv_finish in case of forwarding 2019-10-29 09:19:42 +01:00
ip6_offload.c
ip6_offload.h
ip6_output.c ipv6: Fix dangling pointer when ipv6 fragment 2019-04-17 08:38:40 +02:00
ip6_tunnel.c tunnel: do not confirm neighbor when do pmtu update 2020-01-04 19:13:38 +01:00
ip6_udp_tunnel.c
ip6_vti.c vti: do not confirm neighbor when do pmtu update 2020-01-04 19:13:39 +01:00
ip6mr.c
ipcomp6.c
ipv6_sockglue.c
Kconfig
Makefile
mcast.c mld: fix memory leak in mld_del_delrec() 2019-09-10 10:33:38 +01:00
mcast_snoop.c
mip6.c
ndisc.c
netfilter.c
output_core.c inet: switch IP ID generator to siphash 2019-06-04 08:02:30 +02:00
ping.c ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' 2019-09-19 09:09:28 +02:00
proc.c
protocol.c
raw.c ipv6: fix EFAULT on sendto with icmpv6 and hdrincl 2019-06-11 12:20:50 +02:00
reassembly.c net: IP6 defrag: use rbtrees for IPv6 defrag 2019-04-27 09:36:33 +02:00
route.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:13:37 +01:00
seg6.c
seg6_hmac.c
seg6_iptunnel.c
seg6_local.c
sit.c sit: do not confirm neighbor when do pmtu update 2020-01-04 19:13:39 +01:00
syncookies.c
sysctl_net_ipv6.c
tcp_ipv6.c tcp: annotate tp->rcv_nxt lockless reads 2020-01-09 10:19:08 +01:00
tcpv6_offload.c
tunnel6.c
udp.c net: annotate accesses to sk->sk_incoming_cpu 2019-11-10 11:27:38 +01:00
udp_impl.h
udp_offload.c
udplite.c
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:13:37 +01:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c xfrm: clean up xfrm protocol checks 2019-05-25 18:23:41 +02:00