From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 02/43] net: fix data-race in neigh_event_send()
Date: Mon, 11 Nov 2019 19:28:16 +0100 [thread overview]
Message-ID: <20191111181250.392472184@linuxfoundation.org> (raw)
In-Reply-To: <20191111181246.772983347@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1b53d64435d56902fc234ff2507142d971a09687 ]
KCSAN reported the following data-race [1]
The fix will also prevent the compiler from optimizing out
the condition.
[1]
BUG: KCSAN: data-race in neigh_resolve_output / neigh_resolve_output
write to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 1:
neigh_event_send include/net/neighbour.h:443 [inline]
neigh_resolve_output+0x78/0x480 net/core/neighbour.c:1474
neigh_output include/net/neighbour.h:511 [inline]
ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
__ip_finish_output net/ipv4/ip_output.c:308 [inline]
__ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
dst_output include/net/dst.h:436 [inline]
ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
__ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
ip_queue_xmit+0x45/0x60 include/net/ip.h:237
__tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
__tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598
tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:618
read to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 0:
neigh_event_send include/net/neighbour.h:442 [inline]
neigh_resolve_output+0x57/0x480 net/core/neighbour.c:1474
neigh_output include/net/neighbour.h:511 [inline]
ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
__ip_finish_output net/ipv4/ip_output.c:308 [inline]
__ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
dst_output include/net/dst.h:436 [inline]
ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
__ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
ip_queue_xmit+0x45/0x60 include/net/ip.h:237
__tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
__tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/neighbour.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -425,8 +425,8 @@ static inline int neigh_event_send(struc
{
unsigned long now = jiffies;
- if (neigh->used != now)
- neigh->used = now;
+ if (READ_ONCE(neigh->used) != now)
+ WRITE_ONCE(neigh->used, now);
if (!(neigh->nud_state&(NUD_CONNECTED|NUD_DELAY|NUD_PROBE)))
return __neigh_event_send(neigh, skb);
return 0;
next prev parent reply other threads:[~2019-11-11 19:11 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-11 18:28 [PATCH 4.4 00/43] 4.4.201-stable review Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 01/43] CDC-NCM: handle incomplete transfer of MTU Greg Kroah-Hartman
2019-11-11 18:28 ` Greg Kroah-Hartman [this message]
2019-11-11 18:28 ` [PATCH 4.4 03/43] NFC: fdp: fix incorrect free object Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 04/43] NFC: st21nfca: fix double free Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 05/43] qede: fix NULL pointer deref in __qede_remove() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 06/43] nfc: netlink: fix double device reference drop Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 07/43] ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 08/43] ALSA: hda/ca0132 - Fix possible workqueue stall Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 09/43] mm, meminit: recalculate pcpu batch and high limits after init completes Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 10/43] mm, vmstat: hide /proc/pagetypeinfo from normal users Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 11/43] dump_stack: avoid the livelock of the dump_lock Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 12/43] perf tools: Fix time sorting Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 13/43] drm/radeon: fix si_enable_smc_cac() failed issue Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 14/43] ceph: fix use-after-free in __ceph_remove_cap() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 15/43] iio: imu: adis16480: make sure provided frequency is positive Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 16/43] netfilter: nf_tables: Align nft_expr private data to 64-bit Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 17/43] netfilter: ipset: Fix an error code in ip_set_sockfn_get() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 18/43] can: usb_8dev: fix use-after-free on disconnect Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 19/43] can: c_can: c_can_poll(): only read status register after status IRQ Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 20/43] can: peak_usb: fix a potential out-of-sync while decoding packets Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 21/43] can: gs_usb: gs_can_open(): prevent memory leak Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 22/43] can: peak_usb: fix slab info leak Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 23/43] drivers: usb: usbip: Add missing break statement to switch Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 24/43] configfs: fix a deadlock in configfs_symlink() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 25/43] PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 26/43] scsi: qla2xxx: fixup incorrect usage of host_byte Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 27/43] scsi: lpfc: Honor module parameter lpfc_use_adisc Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 28/43] ipvs: move old_secure_tcp into struct netns_ipvs Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 29/43] bonding: fix unexpected IFF_BONDING bit unset Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 30/43] usb: fsl: Check memory resource before releasing it Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 31/43] usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 32/43] usb: gadget: composite: Fix possible double free memory bug Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 33/43] usb: gadget: configfs: fix concurrent issue between composite APIs Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 34/43] perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 35/43] USB: Skip endpoints with 0 maxpacket length Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 36/43] scsi: qla2xxx: stop timer in shutdown path Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 37/43] net: hisilicon: Fix "Trying to free already-free IRQ" Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 38/43] NFSv4: Dont allow a cached open with a revoked delegation Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 39/43] igb: Fix constant media auto sense switching when no cable is connected Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 40/43] e1000: fix memory leaks Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 41/43] can: flexcan: disable completely the ECC mechanism Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 42/43] mm/filemap.c: dont initiate writeback if mapping has no dirty pages Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.4 43/43] cgroup,writeback: dont switch wbs immediately on dead wbs if the memcg is dead Greg Kroah-Hartman
2019-11-11 23:35 ` [PATCH 4.4 00/43] 4.4.201-stable review Guenter Roeck
2019-11-12 5:16 ` Greg Kroah-Hartman
2019-11-12 1:39 ` kernelci.org bot
2019-11-12 5:27 ` Greg Kroah-Hartman
2019-11-12 12:00 ` Jon Hunter
2019-11-12 13:27 ` Naresh Kamboju
2019-11-12 18:18 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191111181250.392472184@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).