From: Stephen Suryaputra <ssuryaextr@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
	netdev <netdev@vger.kernel.org>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	syzbot <syzkaller@googlegroups.com>,
	s-nazarov@yandex.ru
Subject: Re: [PATCH net] ipv4: ensure rcu_read_lock() in ipv4_link_failure()
Date: Sat, 13 Apr 2019 17:56:01 -0400
Message-ID: <20190413215601.GA9719@ubuntu>
In-Reply-To: <20190414003221.1802-1-edumazet@google.com>

Thank you. The one in cipso_v4_error needs the same fix (?) Add Nazarov
Sergey.

On Sat, Apr 13, 2019 at 05:32:21PM -0700, Eric Dumazet wrote:
> fib_compute_spec_dst() needs to be called under rcu protection.
> 
> syzbot reported :
> 
> WARNING: suspicious RCU usage
> 5.1.0-rc4+ #165 Not tainted
> include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage!
> 
> other info that might help us debug this:
> 
> rcu_scheduler_active = 2, debug_locks = 1
> 1 lock held by swapper/0/0:
>  #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline]
>  #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315
> 
> stack backtrace:
> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
>  lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162
>  __in_dev_get_rcu include/linux/inetdevice.h:220 [inline]
>  fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294
>  spec_dst_fill net/ipv4/ip_options.c:245 [inline]
>  __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343
>  ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195
>  dst_link_failure include/net/dst.h:427 [inline]
>  arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
>  neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
>  neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
>  call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
>  expire_timers kernel/time/timer.c:1362 [inline]
>  __run_timers kernel/time/timer.c:1681 [inline]
>  __run_timers kernel/time/timer.c:1649 [inline]
>  run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
>  __do_softirq+0x266/0x95a kernel/softirq.c:293
>  invoke_softirq kernel/softirq.c:374 [inline]
>  irq_exit+0x180/0x1d0 kernel/softirq.c:414
>  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
>  smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
>  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
> 
> Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
> ---
>  net/ipv4/route.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> index 0206789bc2b73b70f3a543385052efbe4cd6c3b6..88ce038dd495dec1d34867eb40091c61141e9acb 100644
> --- a/net/ipv4/route.c
> +++ b/net/ipv4/route.c
> @@ -1185,14 +1185,20 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie)
>  
>  static void ipv4_link_failure(struct sk_buff *skb)
>  {
> -	struct rtable *rt;
>  	struct ip_options opt;
> +	struct rtable *rt;
> +	int res;
>  
>  	/* Recompile ip options since IPCB may not be valid anymore.
>  	 */
>  	memset(&opt, 0, sizeof(opt));
>  	opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
> -	if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
> +
> +	rcu_read_lock();
> +	res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
> +	rcu_read_unlock();
> +
> +	if (res)
>  		return;
>  
>  	__icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
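
Review bot: the rcu_read_lock()/rcu_read_unlock() pair added around __ip_options_compile() in ipv4_link_failure() carries no comment explaining why it is needed, and the existing comment above the memset() only covers IPCB validity. The requirement is indirect: per the trace in the commit message it comes from fib_compute_spec_dst() reaching __in_dev_get_rcu() via spec_dst_fill(), on a path entered from timer softirq with no RCU read-side section held. A one-line comment at the lock, for example "fib_compute_spec_dst() needs rcu protection", would keep the pair from being dropped as redundant in a later cleanup. The swap of the `rt` and `opt` declarations is unrelated to the fix and could be mentioned in the changelog.
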
> -- 
> 2.21.0.392.gf8f6787159e-goog
> 

Thread overview: 4+ messages
2019-04-14  0:32 [PATCH net] ipv4: ensure rcu_read_lock() in ipv4_link_failure() Eric Dumazet
2019-04-13 21:56 ` Stephen Suryaputra [this message]
2019-04-14 20:44 ` David Miller
2019-04-14 22:32   ` Eric Dumazet
