kernel_samsung_a53x/net/ipv6
Eric Dumazet 993cfbfc0b ila: serialize calls to nf_register_net_hooks()
[ Upstream commit 260466b576bca0081a7d4acecc8e93687aa22d0e ]

syzbot found a race in ila_add_mapping() [1]

commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner")
attempted to fix a similar issue.

Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.

Add a mutex to make sure at most one thread is calling nf_register_net_hooks().

[1]
 BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501

CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:378 [inline]
  print_report+0xc3/0x620 mm/kasan/report.c:489
  kasan_report+0xd9/0x110 mm/kasan/report.c:602
  rht_key_hashfn include/linux/rhashtable.h:159 [inline]
  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
  rhashtable_lookup include/linux/rhashtable.h:646 [inline]
  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
  NF_HOOK include/linux/netfilter.h:312 [inline]
  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672
  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
  process_backlog+0x443/0x15f0 net/core/dev.c:6117
  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883
  napi_poll net/core/dev.c:6952 [inline]
  net_rx_action+0xa94/0x1010 net/core/dev.c:7074
  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
  __do_softirq kernel/softirq.c:595 [inline]
  invoke_softirq kernel/softirq.c:435 [inline]
  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662
  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049

Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility")
Reported-by: syzbot+47e761d22ecf745f72b9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6772c9ae.050a0220.2f3838.04c7.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Tom Herbert <tom@herbertland.com>
Link: https://patch.msgid.link/20241230162849.2795486-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-01-15 16:29:54 +01:00
ila ila: serialize calls to nf_register_net_hooks() 2025-01-15 16:29:54 +01:00
netfilter Revert "inet: inet_defrag: prevent sk release while still in use" 2024-11-24 00:23:32 +01:00
addrconf.c ipv6: take care of scope when choosing the src addr 2024-11-23 23:20:12 +01:00
addrconf_core.c ipv6: Ensure natural alignment of const ipv6 loopback and router addresses 2024-11-18 12:13:22 +01:00
addrlabel.c
af_inet6.c net: inet6: do not leave a dangling sk pointer in inet6_create() 2024-12-17 13:24:30 +01:00
ah6.c
anycast.c
calipso.c
datagram.c
esp6.c Revert "net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP" 2024-11-24 00:23:57 +01:00
esp6_offload.c
exthdrs.c
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() 2024-11-19 11:32:46 +01:00
fou6.c
icmp.c
inet6_connection_sock.c
inet6_hashtables.c net: remove duplicate reuseport_lookup functions 2024-11-19 12:26:55 +01:00
ip6_checksum.c
ip6_fib.c ipv6: fix possible race in __fib6_drop_pcpu_from() 2024-11-19 14:19:01 +01:00
ip6_flowlabel.c
ip6_gre.c erspan: make sure erspan_base_hdr is present in skb->head 2024-11-19 09:22:47 +01:00
ip6_icmp.c
ip6_input.c
ip6_offload.c Revert "gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers" 2024-11-24 00:23:41 +01:00
ip6_offload.h
ip6_output.c ipv6: fix possible UAF in ip6_finish_output2() 2025-01-15 16:29:51 +01:00
ip6_tunnel.c Revert "ip6_tunnel: Fix broken GRO" 2024-11-24 00:23:51 +01:00
ip6_udp_tunnel.c
ip6_vti.c
ip6mr.c ipmr: convert /proc handlers to rcu_read_lock() 2024-12-17 13:24:16 +01:00
ipcomp6.c
ipv6_sockglue.c tcp: Fix data races around icsk->icsk_af_ops. 2024-11-19 14:19:35 +01:00
Kconfig Revert "net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL" 2024-11-24 00:23:18 +01:00
Makefile
mcast.c
mcast_snoop.c
mip6.c
ndisc.c Revert "ipv6: fix ndisc_is_useropt() handling for PIO" 2024-11-24 00:23:55 +01:00
netfilter.c
output_core.c
ping.c
proc.c
protocol.c
raw.c
reassembly.c net: ipv6: fix wrong start position when receive hop-by-hop fragment 2024-11-19 12:26:56 +01:00
route.c net/ipv6: release expired exception dst cached in socket 2024-12-17 13:24:26 +01:00
rpl.c
rpl_iptunnel.c Revert "net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input" 2024-11-24 00:23:29 +01:00
seg6.c ipv6: sr: fix invalid unregister error path 2024-11-19 12:26:57 +01:00
seg6_hmac.c ipv6: sr: fix memleak in seg6_hmac_init_algo 2024-11-19 12:27:09 +01:00
seg6_iptunnel.c ipv6: sr: block BH in seg6_output_core() and seg6_input_core() 2024-11-19 14:19:00 +01:00
seg6_local.c Revert "net: seg6: fix seg6_lookup_any_nexthop() to handle VRFs using flowi_l3mdev" 2024-11-24 00:22:54 +01:00
sit.c
syncookies.c
sysctl_net_ipv6.c Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
tcp_ipv6.c Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
tcpv6_offload.c
tunnel6.c
udp.c udp: Avoid call to compute_score on multiple sites 2024-11-19 12:26:55 +01:00
udp_impl.h
udp_offload.c Revert "gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers" 2024-11-24 00:23:41 +01:00
udplite.c
xfrm6_input.c xfrm: Preserve vlan tags for transport mode software GRO 2024-11-19 11:32:45 +01:00
xfrm6_output.c
xfrm6_policy.c xfrm: respect ip protocols rules criteria when performing dst lookups 2024-11-23 23:22:00 +01:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c