mirror of
https://github.com/torvalds/linux.git
synced 2026-03-08 01:04:41 +01:00
6e84fc395e
syzbot reported that struct fib_alias.fa_state can be modified locklessly by RCU readers. [0] Let's use READ_ONCE()/WRITE_ONCE() properly. [0]: BUG: KCSAN: data-race in fib_table_lookup / fib_table_lookup write to 0xffff88811b06a7fa of 1 bytes by task 4167 on cpu 0: fib_alias_accessed net/ipv4/fib_lookup.h:32 [inline] fib_table_lookup+0x361/0xd60 net/ipv4/fib_trie.c:1565 fib_lookup include/net/ip_fib.h:390 [inline] ip_route_output_key_hash_rcu+0x378/0x1380 net/ipv4/route.c:2814 ip_route_output_key_hash net/ipv4/route.c:2705 [inline] __ip_route_output_key include/net/route.h:169 [inline] ip_route_output_flow+0x65/0x110 net/ipv4/route.c:2932 udp_sendmsg+0x13c3/0x15d0 net/ipv4/udp.c:1450 inet_sendmsg+0xac/0xd0 net/ipv4/af_inet.c:859 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0x53a/0x600 net/socket.c:2592 ___sys_sendmsg+0x195/0x1e0 net/socket.c:2646 __sys_sendmmsg+0x185/0x320 net/socket.c:2735 __do_sys_sendmmsg net/socket.c:2762 [inline] __se_sys_sendmmsg net/socket.c:2759 [inline] __x64_sys_sendmmsg+0x57/0x70 net/socket.c:2759 x64_sys_call+0x1e28/0x3000 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc0/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffff88811b06a7fa of 1 bytes by task 4168 on cpu 1: fib_alias_accessed net/ipv4/fib_lookup.h:31 [inline] fib_table_lookup+0x338/0xd60 net/ipv4/fib_trie.c:1565 fib_lookup include/net/ip_fib.h:390 [inline] ip_route_output_key_hash_rcu+0x378/0x1380 net/ipv4/route.c:2814 ip_route_output_key_hash net/ipv4/route.c:2705 [inline] __ip_route_output_key include/net/route.h:169 [inline] ip_route_output_flow+0x65/0x110 net/ipv4/route.c:2932 udp_sendmsg+0x13c3/0x15d0 net/ipv4/udp.c:1450 inet_sendmsg+0xac/0xd0 net/ipv4/af_inet.c:859 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0x53a/0x600 net/socket.c:2592 ___sys_sendmsg+0x195/0x1e0 net/socket.c:2646 __sys_sendmmsg+0x185/0x320 net/socket.c:2735 __do_sys_sendmmsg net/socket.c:2762 [inline] __se_sys_sendmmsg net/socket.c:2759 [inline] __x64_sys_sendmmsg+0x57/0x70 net/socket.c:2759 x64_sys_call+0x1e28/0x3000 arch/x86/include/generated/asm/syscalls_64.h:308 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc0/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0x00 -> 0x01 Reported by Kernel Concurrency Sanitizer on: CPU: 1 UID: 0 PID: 4168 Comm: syz.4.206 Not tainted syzkaller #0 PREEMPT(voluntary) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Reported-by: syzbot+d24f940f770afda885cf@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/69783ead.050a0220.c9109.0013.GAE@google.com/ Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20260127043528.514160-1-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
65 lines
1.7 KiB
C
65 lines
1.7 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _FIB_LOOKUP_H
|
|
#define _FIB_LOOKUP_H
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/list.h>
|
|
#include <net/inet_dscp.h>
|
|
#include <net/ip_fib.h>
|
|
#include <net/nexthop.h>
|
|
|
|
struct fib_alias {
|
|
struct hlist_node fa_list;
|
|
struct fib_info *fa_info;
|
|
dscp_t fa_dscp;
|
|
u8 fa_type;
|
|
u8 fa_state;
|
|
u8 fa_slen;
|
|
u32 tb_id;
|
|
s16 fa_default;
|
|
u8 offload;
|
|
u8 trap;
|
|
u8 offload_failed;
|
|
struct rcu_head rcu;
|
|
};
|
|
|
|
#define FA_S_ACCESSED 0x01
|
|
|
|
/* Don't write on fa_state unless needed, to keep it shared on all cpus */
|
|
static inline void fib_alias_accessed(struct fib_alias *fa)
|
|
{
|
|
u8 fa_state = READ_ONCE(fa->fa_state);
|
|
|
|
if (!(fa_state & FA_S_ACCESSED))
|
|
WRITE_ONCE(fa->fa_state, fa_state | FA_S_ACCESSED);
|
|
}
|
|
|
|
/* Exported by fib_semantics.c */
|
|
void fib_release_info(struct fib_info *);
|
|
struct fib_info *fib_create_info(struct fib_config *cfg,
|
|
struct netlink_ext_ack *extack);
|
|
int fib_nh_match(struct net *net, struct fib_config *cfg, struct fib_info *fi,
|
|
struct netlink_ext_ack *extack);
|
|
bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi);
|
|
int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
|
|
const struct fib_rt_info *fri, unsigned int flags);
|
|
void rtmsg_fib(int event, __be32 key, struct fib_alias *fa, int dst_len,
|
|
u32 tb_id, const struct nl_info *info, unsigned int nlm_flags);
|
|
size_t fib_nlmsg_size(struct fib_info *fi);
|
|
|
|
static inline void fib_result_assign(struct fib_result *res,
|
|
struct fib_info *fi)
|
|
{
|
|
/* we used to play games with refcounts, but we now use RCU */
|
|
res->fi = fi;
|
|
res->nhc = fib_info_nhc(fi, 0);
|
|
}
|
|
|
|
struct fib_prop {
|
|
int error;
|
|
u8 scope;
|
|
};
|
|
|
|
extern const struct fib_prop fib_props[RTN_MAX + 1];
|
|
|
|
#endif /* _FIB_LOOKUP_H */
|