drholy/linux-bredos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
v6.13
linux-bredos/net/ipv6
History
Eric Dumazet 260466b576 ila: serialize calls to nf_register_net_hooks() 
syzbot found a race in ila_add_mapping() [1]

commit 031ae72825 ("ila: call nf_unregister_net_hooks() sooner")
attempted to fix a similar issue.

Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.

Add a mutex to make sure at most one thread is calling nf_register_net_hooks().

[1]
 BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501

CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:378 [inline]
  print_report+0xc3/0x620 mm/kasan/report.c:489
  kasan_report+0xd9/0x110 mm/kasan/report.c:602
  rht_key_hashfn include/linux/rhashtable.h:159 [inline]
  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
  rhashtable_lookup include/linux/rhashtable.h:646 [inline]
  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
  NF_HOOK include/linux/netfilter.h:312 [inline]
  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672
  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
  process_backlog+0x443/0x15f0 net/core/dev.c:6117
  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883
  napi_poll net/core/dev.c:6952 [inline]
  net_rx_action+0xa94/0x1010 net/core/dev.c:7074
  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
  __do_softirq kernel/softirq.c:595 [inline]
  invoke_softirq kernel/softirq.c:435 [inline]
  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662
  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049

Fixes: 7f00feaf10 ("ila: Add generic ILA translation facility")
Reported-by: syzbot+47e761d22ecf745f72b9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6772c9ae.050a0220.2f3838.04c7.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Tom Herbert <tom@herbertland.com>
Link: https://patch.msgid.link/20241230162849.2795486-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-01-02 18:42:32 -08:00
..
ila
ila: serialize calls to nf_register_net_hooks()
2025-01-02 18:42:32 -08:00
netfilter
Merge tag 'nf-next-24-11-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next
2024-11-07 12:46:04 +01:00
addrconf_core.c
ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
2024-01-30 12:43:18 +01:00
addrconf.c
ipv6: avoid possible NULL deref in modify_prefix_route()
2024-12-01 20:45:23 +00:00
addrlabel.c
ipv6: Use rtnl_register_many().
2024-10-15 18:52:26 -07:00
af_inet6.c
net: inet6: do not leave a dangling sk pointer in inet6_create()
2024-10-15 18:43:08 -07:00
ah6.c
net: fill in MODULE_DESCRIPTION()s for ipv6 modules
2024-02-09 14:12:01 -08:00
anycast.c
ipv6: switch inet6_acaddr_hash() to less predictable hash
2024-10-09 19:33:57 -07:00
calipso.c
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
datagram.c
ipv6: annotate data-races around np->ucast_oif
2023-12-11 10:59:17 +00:00
esp6_offload.c
xfrm: Add an inbound percpu state cache.
2024-10-29 11:56:18 +01:00
esp6.c
net: support non paged skb frags
2024-09-11 20:44:31 -07:00
exthdrs_core.c
ipv6: Fix out-of-bounds access in ipv6_find_tlv()
2023-05-24 08:43:39 +01:00
exthdrs_offload.c
net: gso: add HBH extension header offload support
2024-01-05 08:11:49 -08:00
exthdrs.c
net: ipv6: exthdrs: get rid of ipv6_skb_net()
2024-03-11 15:15:08 -07:00
fib6_notifier.c
net: do not acquire rtnl in fib_seq_sum()
2024-10-11 15:35:05 -07:00
fib6_rules.c
ipv6: use READ_ONCE()/WRITE_ONCE() on fib6_table->fib_seq
2024-10-11 15:35:05 -07:00
fou6.c
net: Add MODULE_DESCRIPTION entries to network modules
2020-06-20 21:33:57 -07:00
icmp.c
icmp: move icmp_global.credit and icmp_global.stamp to per netns storage
2024-08-30 11:14:06 -07:00
inet6_connection_sock.c
net: implement lockless SO_PRIORITY
2023-10-01 19:09:54 +01:00
inet6_hashtables.c
inet6: constify 'struct net' parameter of various lookup helpers
2024-08-05 16:27:26 -07:00
ioam6_iptunnel.c
net: convert to nla_get_*_default()
2024-11-11 10:32:06 -08:00
ioam6.c
net: convert to nla_get_*_default()
2024-11-11 10:32:06 -08:00
ip6_checksum.c
ip6_fib.c
ipv6: Fix soft lockups in fib6_select_path under high next hop churn
2024-11-11 15:26:10 -08:00
ip6_flowlabel.c
ipv6: move np->repflow to atomic flags
2023-09-15 10:33:48 +01:00
ip6_gre.c
netdev_features: convert NETIF_F_NETNS_LOCAL to dev->netns_local
2024-09-03 11:36:43 +02:00
ip6_icmp.c
net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
2021-02-23 11:29:52 -08:00
ip6_input.c
net/ipv6: make use of the helper macro LIST_HEAD()
2024-09-06 18:10:21 -07:00
ip6_offload.c
net: gro: initialize network_offset in network layer
2024-05-27 16:46:59 -07:00
ip6_offload.h
ip6_output.c
ipv6: Remove redundant unlikely()
2024-10-09 19:40:46 -07:00
ip6_tunnel.c
ipv4: Convert ip_route_input() to dscp_t.
2024-10-03 16:21:21 -07:00
ip6_udp_tunnel.c
net: fill in MODULE_DESCRIPTION()s for ipv6 modules
2024-02-09 14:12:01 -08:00
ip6_vti.c
net: annotate writes on dev->mtu from ndo_change_mtu()
2024-05-07 16:19:14 -07:00
ip6mr.c
ipmr: tune the ipmr_can_free_table() checks.
2024-12-04 18:49:16 -08:00
ipcomp6.c
xfrm: ipcomp: add extack to ipcomp{4,6}_init_state
2022-09-29 07:18:00 +02:00
ipv6_sockglue.c
ipv6: avoid indirect calls for SOL_IP socket options
2024-08-26 14:53:50 -07:00
Kconfig
net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL
2024-09-22 19:52:07 +01:00
Makefile
net/tcp: Introduce TCP_AO setsockopt()s
2023-10-27 10:35:44 +01:00
mcast_snoop.c
net: bridge: mcast: fix broken length + header check for MRDv6 Adv.
2021-04-27 14:02:06 -07:00
mcast.c
ipv6: mcast: use min() to simplify the code
2024-08-26 09:48:53 -07:00
mip6.c
net: fill in MODULE_DESCRIPTION()s for ipv6 modules
2024-02-09 14:12:01 -08:00
ndisc.c
net/ipv6: replace deprecated strcpy with strscpy
2024-08-29 12:33:07 -07:00
netfilter.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-06-13 13:13:46 -07:00
output_core.c
ipv6: annotate data-races around cnf.hop_limit
2024-03-01 08:42:31 +00:00
ping.c
ipv6: introduce dst_rt6_info() helper
2024-04-29 13:32:01 +01:00
proc.c
minmax: add a few more MIN_T/MAX_T users
2024-07-28 13:41:14 -07:00
protocol.c
raw.c
net_tstamp: add SCM_TS_OPT_ID for RAW sockets
2024-10-04 11:52:19 -07:00
reassembly.c
net: Rename mono_delivery_time to tstamp_type for scalabilty
2024-05-23 14:14:23 -07:00
route.c
net/ipv6: release expired exception dst cached in socket
2024-12-02 19:24:54 -08:00
rpl_iptunnel.c
net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input
2024-09-13 19:55:49 -07:00
rpl.c
ipv6: rpl: Remove pskb(_may)?_pull() in ipv6_rpl_srh_rcv().
2023-06-19 11:32:58 -07:00
seg6_hmac.c
ipv6: sr: fix memleak in seg6_hmac_init_algo
2024-05-21 13:16:25 +02:00
seg6_iptunnel.c
ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
2024-06-03 18:50:08 -07:00
seg6_local.c
net: ip: make ip_route_input() return drop reasons
2024-11-12 11:24:51 +01:00
seg6.c
ipv6: sr: restruct ifdefines
2024-05-30 18:29:38 -07:00
sit.c
ipv6: sit: Unmask upper DSCP bits in ipip6_tunnel_bind_dev()
2024-09-04 16:57:11 -07:00
syncookies.c
tcp: use sk_skb_reason_drop to free rx packets
2024-06-19 12:44:22 +01:00
sysctl_net_ipv6.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
tcp_ao.c
net/tcp: Wire up l3index to TCP-AO
2023-10-27 10:35:46 +01:00
tcp_ipv6.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-11-14 11:29:15 -08:00
tcpv6_offload.c
net: gso: fix tcp fraglist segmentation after pull from frag_list
2024-10-02 17:21:47 -07:00
tunnel6.c
net: fill in MODULE_DESCRIPTION()s for ipv6 modules
2024-02-09 14:12:01 -08:00
udp_impl.h
tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
2022-10-12 17:50:37 -07:00
udp_offload.c
net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb
2024-05-02 11:02:48 +02:00
udp.c
ipv6/udp: Add 4-tuple hash for connected socket
2024-11-18 11:56:21 +00:00
udplite.c
udplite: remove UDPLITE_BIT
2023-09-14 16:16:36 +02:00
xfrm6_input.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2024-05-09 10:01:01 -07:00
xfrm6_output.c
ipv6: drop feature RTAX_FEATURE_ALLFRAG
2023-10-25 18:04:29 -07:00
xfrm6_policy.c
xfrm: respect ip protocols rules criteria when performing dst lookups
2024-09-23 07:02:07 +02:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c
Merge tag 'ipsec-next-2024-03-06' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
2024-03-08 10:56:05 +00:00