mirror-linux/net/ipv6
Eric Dumazet 9a063f96d8 ipv6: annotate data-race in ndisc_router_discovery()
syzbot found that ndisc_router_discovery() could read and write
in6_dev->ra_mtu without holding a lock [1]

This looks fine, IFLA_INET6_RA_MTU is best effort.

Add READ_ONCE()/WRITE_ONCE() to document the race.

Note that we might also reject illegal MTU values
(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch.

[1]
BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery

read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1:
  ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558
  ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
  icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
  ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
  ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
  NF_HOOK include/linux/netfilter.h:318 [inline]
  ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
  ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
  dst_input include/net/dst.h:474 [inline]
  ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...

write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0:
  ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559
  ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841
  icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989
  ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438
  ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489
  NF_HOOK include/linux/netfilter.h:318 [inline]
  ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500
  ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590
  dst_input include/net/dst.h:474 [inline]
  ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79
...

value changed: 0x00000000 -> 0xe5400659

Fixes: 49b99da2c9 ("ipv6: add IFLA_INET6_RA_MTU to expose mtu value")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Rocco Yue <rocco.yue@mediatek.com>
Link: https://patch.msgid.link/20260118152941.2563857-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-01-20 18:37:45 -08:00
ila ipv6: adopt dst_dev() helper 2025-07-02 14:32:30 -07:00
netfilter netfilter: nf_reject: don't reply to icmp error messages 2025-09-11 15:40:55 +02:00
Kconfig ipv6: sr: Use HMAC-SHA1 and HMAC-SHA256 library functions 2025-08-26 18:11:29 -07:00
Makefile
addrconf.c ipv6: Fix use-after-free in inet6_addr_del(). 2026-01-13 19:09:11 -08:00
addrconf_core.c
addrlabel.c net: replace ADDRLABEL with dynamic debug 2025-07-08 15:04:05 +02:00
af_inet6.c net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
ah6.c net: ipv6: fix field-spanning memcpy warning in AH output 2025-08-15 08:30:16 +02:00
anycast.c ipv6: start using dst_dev_rcu() 2025-08-29 19:36:32 -07:00
calipso.c ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() 2025-12-29 19:36:45 +01:00
datagram.c net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
esp6.c tcp: Don't pass hashinfo to socket lookup helpers. 2025-08-25 17:53:35 -07:00
esp6_offload.c xfrm: Fix inner mode lookup in tunnel mode GSO segmentation 2025-12-04 09:54:53 +01:00
exthdrs.c ipv6: annotate data-races around devconf->rpl_seg_enabled 2025-09-02 17:01:06 -07:00
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c net: do not acquire rtnl in fib_seq_sum() 2024-10-11 15:35:05 -07:00
fib6_rules.c ipv6: fib_rules: Add DSCP mask matching 2025-02-21 16:08:48 -08:00
fou6.c
icmp.c ipv6: icmp: Add RFC 5837 support 2025-10-29 18:28:30 -07:00
inet6_connection_sock.c ipv6: make ipv6_pinfo.daddr_cache a boolean 2025-09-18 10:17:09 +02:00
inet6_hashtables.c tcp: Remove inet6_hash(). 2025-09-22 11:38:43 -07:00
ioam6.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
ioam6_iptunnel.c ipv6: adopt dst_dev() helper 2025-07-02 14:32:30 -07:00
ip6_checksum.c
ip6_fib.c ipv6: clear RA flags when adding a static route 2025-11-18 19:28:08 -08:00
ip6_flowlabel.c ipv6: Move ipv6_fl_list from ipv6_pinfo to inet_sock. 2025-10-17 16:06:52 -07:00
ip6_gre.c erspan: Initialize options_len before referencing options. 2025-12-23 09:21:00 +01:00
ip6_icmp.c icmp: fix icmp_ndo_send address translation for reply direction 2025-09-01 12:54:41 -07:00
ip6_input.c net: preserve MSG_ZEROCOPY with forwarding 2025-07-02 15:07:16 -07:00
ip6_offload.c ipv6: reject malicious packets in ipv6_gso_segment() 2025-08-01 14:40:53 -07:00
ip6_offload.h
ip6_output.c ipv6: make ipv6_pinfo.daddr_cache a boolean 2025-09-18 10:17:09 +02:00
ip6_tunnel.c ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() 2026-01-09 18:14:08 -08:00
ip6_udp_tunnel.c net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
ip6_vti.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
ip6mr.c ipv6: ip6_mc_input() and ip6_mr_input() cleanups 2025-07-02 14:32:30 -07:00
ipcomp6.c xfrm: delete x->tunnel as we delete x 2025-07-08 13:28:27 +02:00
ipv6_sockglue.c net: psp: update the TCP MSS to reflect PSP packet overhead 2025-09-18 12:32:06 +02:00
mcast.c ipv6: start using dst_dev_rcu() 2025-08-29 19:36:32 -07:00
mcast_snoop.c
mip6.c
ndisc.c ipv6: annotate data-race in ndisc_router_discovery() 2026-01-20 18:37:45 -08:00
netfilter.c netfilter: Switch to skb_dstref_steal to clear dst_entry 2025-08-19 17:54:19 -07:00
output_core.c ipv6: start using dst_dev_rcu() 2025-08-29 19:36:32 -07:00
ping.c net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
proc.c ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST 2025-09-08 18:06:20 -07:00
protocol.c
raw.c net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
reassembly.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
route.c dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() 2026-01-13 19:08:18 -08:00
rpl.c
rpl_iptunnel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-17 11:00:33 -07:00
seg6.c ipv6: sr: Use HMAC-SHA1 and HMAC-SHA256 library functions 2025-08-26 18:11:29 -07:00
seg6_hmac.c ipv6: sr: Prepare HMAC key ahead of time 2025-08-26 18:11:29 -07:00
seg6_iptunnel.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
seg6_local.c ipv6: adopt dst_dev() helper 2025-07-02 14:32:30 -07:00
sit.c ipv6: sit: Add ipip6_tunnel_dst_find() for cleanup 2025-09-04 10:03:59 +02:00
syncookies.c tcp: accecn: AccECN negotiation 2025-09-18 08:47:51 +02:00
sysctl_net_ipv6.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
tcp_ao.c
tcp_ipv6.c tcp: introduce icsk->icsk_keepalive_timer 2025-11-25 19:28:29 -08:00
tcpv6_offload.c tcp: Don't pass hashinfo to socket lookup helpers. 2025-08-25 17:53:35 -07:00
tunnel6.c
udp.c net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
udp_impl.h udp: move udp_memory_allocated into net_aligned_data 2025-07-02 14:22:02 -07:00
udp_offload.c net: gro: remove is_ipv6 from napi_gro_cb 2025-09-25 12:42:49 +02:00
udplite.c udp: move udp_memory_allocated into net_aligned_data 2025-07-02 14:22:02 -07:00
xfrm6_input.c xfrm: Set transport header to fix UDP GRO handling 2025-07-02 09:19:56 +02:00
xfrm6_output.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
xfrm6_policy.c xfrm: respect ip protocols rules criteria when performing dst lookups 2024-09-23 07:02:07 +02:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c xfrm: flush all states in xfrm_state_fini 2025-08-06 09:23:38 +02:00