Skip to main content

Browse the archive

https://github.com/torvalds/linux
05 April 2024, 19:05:47 UTC
Revision 25dd169aea6553aea548197a5d4580bbdeda1c85 authored by Florian Westphal on 02 November 2017, 15:02:20 UTC, committed by David S. Miller on 03 November 2017, 05:27:46 UTC 
fib: fib_dump_info can no longer use __in_dev_get_rtnl
 
syzbot reported yet another regression added with DOIT_UNLOCKED.
When nexthop is marked as dead, fib_dump_info uses __in_dev_get_rtnl():

./include/linux/inetdevice.h:230 suspicious rcu_dereference_protected() usage!
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor2/23859:
 #0:  (rcu_read_lock){....}, at: [<ffffffff840283f0>]
inet_rtm_getroute+0xaa0/0x2d70 net/ipv4/route.c:2738
[..]
  lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4665
  __in_dev_get_rtnl include/linux/inetdevice.h:230 [inline]
  fib_dump_info+0x1136/0x13d0 net/ipv4/fib_semantics.c:1377
  inet_rtm_getroute+0xf97/0x2d70 net/ipv4/route.c:2785
..

This isn't safe anymore, callers either hold RTNL mutex or rcu read lock,
so these spots must use rcu_dereference_rtnl() or plain rcu_derefence()
(plus unconditional rcu read lock).

This does the latter.

Fixes: 394f51abb3d04f ("ipv4: route: set ipv4 RTM_GETROUTE to not use rtnl")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent e73b49e
History
Tip revision: 25dd169aea6553aea548197a5d4580bbdeda1c85 authored by Florian Westphal on 02 November 2017, 15:02:20 UTC
fib: fib_dump_info can no longer use __in_dev_get_rtnl
Tip revision: 25dd169
File Mode Size
Makefile -rw-r--r-- 326 bytes
compat.c -rw-r--r-- 2.2 KB
ipc_sysctl.c -rw-r--r-- 5.4 KB
mq_sysctl.c -rw-r--r-- 2.9 KB
mqueue.c -rw-r--r-- 40.1 KB
msg.c -rw-r--r-- 27.4 KB
msgutil.c -rw-r--r-- 3.6 KB
namespace.c -rw-r--r-- 4.8 KB
sem.c -rw-r--r-- 58.0 KB
shm.c -rw-r--r-- 38.5 KB
syscall.c -rw-r--r-- 4.3 KB
util.c -rw-r--r-- 21.8 KB
util.h -rw-r--r-- 7.0 KB
back to top