From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, "David S. Miller"
Subject: [PATCH 4.15 02/23] net: igmp: add a missing rcu locking section
Date: Fri, 9 Feb 2018 14:40:00 +0100
Message-Id: <20180209133938.499936166@linuxfoundation.org>
In-Reply-To: <20180209133938.366024920@linuxfoundation.org>
References: <20180209133938.366024920@linuxfoundation.org>

4.15-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet

[ Upstream commit e7aadb27a5415e8125834b84a74477bfbee4eff5 ]

Newly added igmpv3_get_srcaddr() needs to be called under rcu lock.

Timer callbacks do not ensure this locking.

=============================
WARNING: suspicious RCU usage
4.15.0+ #200 Not tainted
-----------------------------
./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syzkaller616973/4074:
 #0: (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355
 #1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
 #1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
 #2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
 #2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600

stack backtrace:
CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 __in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
 igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
 igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
 add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
 add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
 igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
 igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
 igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938

Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv4/igmp.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -386,7 +386,11 @@ static struct sk_buff *igmpv3_newpack(st pip->frag_off = htons(IP_DF); pip->ttl = 1; pip->daddr = fl4.daddr; + + rcu_read_lock(); pip->saddr = igmpv3_get_srcaddr(dev, &fl4); + rcu_read_unlock(); + pip->protocol = IPPROTO_IGMP; pip->tot_len = 0; /* filled in later */ ip_select_ident(net, skb, NULL);
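
Review bot: The RCU requirement of igmpv3_get_srcaddr() is enforced only at this one call site in igmpv3_newpack(), by the added rcu_read_lock()/rcu_read_unlock() pair around the pip->saddr assignment, and nothing in the hunk documents that requirement. The trace in the commit message shows the dereference happening in __in_dev_get_rcu() inlined into igmpv3_get_srcaddr(), so consider taking the read lock inside that helper, or adding a comment above it stating that callers must hold rcu_read_lock(), so that a later caller from timer context does not bring the lockdep warning back. Holding the lock only across the call looks sufficient here, since the result is copied by value into pip->saddr before rcu_read_unlock().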