superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/net/ipv4
History
Yung Chih Su 4ee7fa6cf7 net: ipv4: fix ARM64 alignment fault in multipath hash seed 
`struct sysctl_fib_multipath_hash_seed` contains two u32 fields
(user_seed and mp_seed), making it an 8-byte structure with a 4-byte
alignment requirement.

In `fib_multipath_hash_from_keys()`, the code evaluates the entire
struct atomically via `READ_ONCE()`:

    mp_seed = READ_ONCE(net->ipv4.sysctl_fib_multipath_hash_seed).mp_seed;

While this silently works on GCC by falling back to unaligned regular
loads which the ARM64 kernel tolerates, it causes a fatal kernel panic
when compiled with Clang and LTO enabled.

Commit e35123d83e ("arm64: lto: Strengthen READ_ONCE() to acquire
when CONFIG_LTO=y") strengthens `READ_ONCE()` to use Load-Acquire
instructions (`ldar` / `ldapr`) to prevent compiler reordering bugs
under Clang LTO. Since the macro evaluates the full 8-byte struct,
Clang emits a 64-bit `ldar` instruction. ARM64 architecture strictly
requires `ldar` to be naturally aligned, thus executing it on a 4-byte
aligned address triggers a strict Alignment Fault (FSC = 0x21).

Fix the read side by moving the `READ_ONCE()` directly to the `u32`
member, which emits a safe 32-bit `ldar Wn`.

Furthermore, Eric Dumazet pointed out that `WRITE_ONCE()` on the entire
struct in `proc_fib_multipath_hash_set_seed()` is also flawed. Analysis
shows that Clang splits this 8-byte write into two separate 32-bit
`str` instructions. While this avoids an alignment fault, it destroys
atomicity and exposes a tear-write vulnerability. Fix this by
explicitly splitting the write into two 32-bit `WRITE_ONCE()`
operations.

Finally, add the missing `READ_ONCE()` when reading `user_seed` in
`proc_fib_multipath_hash_seed()` to ensure proper pairing and
concurrency safety.

Fixes: 4ee2a8cace ("net: ipv4: Add a sysctl to set multipath hash seed")
Signed-off-by: Yung Chih Su <yuuchihsu@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260302060247.7066-1-yuuchihsu@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2026-03-03 17:20:37 -08:00
..
netfilter ipv4: use dst4_mtu() instead of dst_mtu() 2026-02-02 17:49:29 -08:00
Kconfig net/tcp-ao: Fix MAC comparison to be constant-time 2026-03-03 17:16:54 -08:00
Makefile tcp: move tcp_rate_check_app_limited() to tcp.c 2026-01-22 18:28:48 -08:00
af_inet.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
ah4.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
arp.c kernel.h: drop hex.h and update all hex.h users 2026-01-20 19:44:19 -08:00
bpf_tcp_ca.c tcp: Pass flags to __tcp_send_ack 2025-03-17 13:56:38 +00:00
cipso_ipv4.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
datagram.c net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
devinet.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
esp4.c tcp: Don't pass hashinfo to socket lookup helpers. 2025-08-25 17:53:35 -07:00
esp4_offload.c xfrm: Fix inner mode lookup in tunnel mode GSO segmentation 2025-12-04 09:54:53 +01:00
fib_frontend.c ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
fib_lookup.h ipv4: fib: Annotate access to struct fib_alias.fa_state. 2026-01-28 19:33:07 -08:00
fib_notifier.c
fib_rules.c ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
fib_semantics.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
fib_trie.c ipv4: fib: Annotate access to struct fib_alias.fa_state. 2026-01-28 19:33:07 -08:00
fou_bpf.c
fou_core.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
fou_nl.c fou: Don't allow 0 for FOU_ATTR_IPPROTO. 2026-01-17 16:00:24 -08:00
fou_nl.h tools: ynl-gen: add regeneration comment 2025-11-25 19:20:42 -08:00
gre_demux.c net: ip_gre: Fix spelling mistake "demultiplexor" -> "demultiplexer" 2025-04-24 18:20:40 -07:00
gre_offload.c
icmp.c ipv4: icmp: icmpv4_xrlim_allow() optimization if net.ipv4.icmp_ratelimit is zero 2026-02-18 16:46:36 -08:00
igmp.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
igmp_internal.h
inet_connection_sock.c tcp: move __reqsk_free() out of line 2026-02-05 09:23:06 -08:00
inet_diag.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
inet_fragment.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
inet_hashtables.c inet: annotate data-races around isk->inet_num 2026-02-27 17:16:59 -08:00
inet_timewait_sock.c inet: Avoid ehash lookup race in inet_twsk_hashdance_schedule() 2025-10-17 16:08:43 -07:00
inetpeer.c inetpeer: use EXPORT_IPV6_MOD[_GPL]() 2025-02-14 13:09:39 -08:00
ip_forward.c
ip_fragment.c inet: frags: flush pending skbs in fqdir_pre_exit() 2025-12-10 01:15:27 -08:00
ip_gre.c ipv4: ip_gre: make ipgre_header() robust 2026-01-10 12:06:22 -08:00
ip_input.c net: ipv4: Remove extern udp_v4_early_demux()/tcp_v4_early_demux() in .c files 2025-10-29 17:05:30 -07:00
ip_options.c net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input callers 2025-08-19 17:54:35 -07:00
ip_output.c ipv4: use dst4_mtu() instead of dst_mtu() 2026-02-02 17:49:29 -08:00
ip_sockglue.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ip_tunnel.c ipv4: ip_tunnel: spread netdev_lockdep_set_classes() 2026-01-08 18:02:35 -08:00
ip_tunnel_core.c tunnels: reset the GSO metadata before reusing the skb 2025-09-09 13:03:33 +02:00
ip_vti.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
ipcomp.c xfrm: delete x->tunnel as we delete x 2025-07-08 13:28:27 +02:00
ipconfig.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ipip.c netfilter: flowtable: Add IPIP rx sw acceleration 2025-11-28 00:00:38 +00:00
ipmr.c ipv4: use dst4_mtu() instead of dst_mtu() 2026-02-02 17:49:29 -08:00
ipmr_base.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
metrics.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
netfilter.c ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
netlink.c
nexthop.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
ping.c ping: annotate data-races in ping_lookup() 2026-02-17 17:11:08 -08:00
proc.c ipv4: snmp: do not use SNMP_MIB_SENTINEL anymore 2025-09-08 18:06:20 -07:00
protocol.c
raw.c ipv4/inet_sock.h: Avoid thousands of -Wflex-array-member-not-at-end warnings 2026-01-06 17:02:52 -08:00
raw_diag.c inet_diag: change inet_diag_bc_sk() first argument 2025-08-29 19:29:24 -07:00
route.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
syncookies.c tcp: fix potential race in tcp_v6_syn_recv_sock() 2026-02-19 14:02:19 -08:00
sysctl_net_ipv4.c net: ipv4: fix ARM64 alignment fault in multipath hash seed 2026-03-03 17:20:37 -08:00
tcp.c net: annotate data-races around sk->sk_{data_ready,write_space} 2026-02-26 19:23:03 -08:00
tcp_ao.c net/tcp-ao: Fix MAC comparison to be constant-time 2026-03-03 17:16:54 -08:00
tcp_bbr.c
tcp_bic.c
tcp_bpf.c net: annotate data-races around sk->sk_{data_ready,write_space} 2026-02-26 19:23:03 -08:00
tcp_cdg.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
tcp_cong.c tcp: ECT_1_NEGOTIATION and NEEDS_ACCECN identifiers 2026-02-03 15:13:24 +01:00
tcp_cubic.c
tcp_dctcp.c tcp: helpers for ECN mode handling 2025-03-17 13:54:11 +00:00
tcp_dctcp.h tcp: Pass flags to __tcp_send_ack 2025-03-17 13:56:38 +00:00
tcp_diag.c inet: annotate data-races around isk->inet_num 2026-02-27 17:16:59 -08:00
tcp_fastopen.c Including fixes from IPsec, Bluetooth and netfilter 2026-02-26 08:00:13 -08:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: give up on stronger sk_rcvbuf checks (for now) 2026-02-28 07:55:39 -08:00
tcp_ipv4.c Including fixes from IPsec, Bluetooth and netfilter 2026-02-26 08:00:13 -08:00
tcp_lp.c net: tcp_lp: fix kernel-doc warnings and update outdated reference links 2025-10-28 17:52:44 -07:00
tcp_metrics.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
tcp_minisocks.c net: annotate data-races around sk->sk_{data_ready,write_space} 2026-02-26 19:23:03 -08:00
tcp_nv.c
tcp_offload.c gro: flushing when CWR is set negatively affects AccECN 2026-02-03 15:13:24 +01:00
tcp_output.c tcp: move tcp_rbtree_insert() to tcp_output.c 2026-02-04 20:36:50 -08:00
tcp_plb.c
tcp_recovery.c tcp: move tcp_rack_advance() to tcp_input.c 2026-01-28 19:31:51 -08:00
tcp_scalable.c
tcp_sigpool.c compiler-context-analysis: Change __cond_acquires to take return value 2026-01-05 16:43:29 +01:00
tcp_timer.c tcp: accecn: unset ECT if receive or send ACE=0 in AccECN negotiaion 2026-02-03 15:13:24 +01:00
tcp_ulp.c
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tunnel4.c
udp.c udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected. 2026-02-28 07:46:24 -08:00
udp_bpf.c net: annotate data-races around sk->sk_{data_ready,write_space} 2026-02-26 19:23:03 -08:00
udp_diag.c inet_diag: change inet_diag_bc_sk() first argument 2025-08-29 19:29:24 -07:00
udp_impl.h udp: move udp_memory_allocated into net_aligned_data 2025-07-02 14:22:02 -07:00
udp_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-01-29 17:28:54 -08:00
udp_tunnel_core.c net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
udp_tunnel_nic.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
udp_tunnel_stub.c
udplite.c udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb(). 2026-02-20 16:14:10 -08:00
xfrm4_input.c xfrm: Set transport header to fix UDP GRO handling 2025-07-02 09:19:56 +02:00
xfrm4_output.c ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] 2025-07-02 14:32:30 -07:00
xfrm4_policy.c ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c