linux_dsm_epyc7002/net/ipv6
Subash Abhinov Kasiviswanathan cc00bcaa58 netfilter: x_tables: Switch synchronization to RCU
When running concurrent iptables rules replacement with data, the per CPU
sequence count is checked after the assignment of the new information.
The sequence count is used to synchronize with the packet path without the
use of any explicit locking. If there are any packets in the packet path using
the table information, the sequence count is incremented to an odd value and
is incremented to an even after the packet process completion.

The new table value assignment is followed by a write memory barrier so every
CPU should see the latest value. If the packet path has started with the old
table information, the sequence counter will be odd and the iptables
replacement will wait till the sequence count is even prior to freeing the
old table info.

However, this assumes that the new table information assignment and the memory
barrier is actually executed prior to the counter check in the replacement
thread. If CPU decides to execute the assignment later as there is no user of
the table information prior to the sequence check, the packet path in another
CPU may use the old table information. The replacement thread would then free
the table information under it leading to a use after free in the packet
processing context-

Unable to handle kernel NULL pointer dereference at virtual
address 000000000000008e
pc : ip6t_do_table+0x5d0/0x89c
lr : ip6t_do_table+0x5b8/0x89c
ip6t_do_table+0x5d0/0x89c
ip6table_filter_hook+0x24/0x30
nf_hook_slow+0x84/0x120
ip6_input+0x74/0xe0
ip6_rcv_finish+0x7c/0x128
ipv6_rcv+0xac/0xe4
__netif_receive_skb+0x84/0x17c
process_backlog+0x15c/0x1b8
napi_poll+0x88/0x284
net_rx_action+0xbc/0x23c
__do_softirq+0x20c/0x48c

This could be fixed by forcing instruction order after the new table
information assignment or by switching to RCU for the synchronization.

Fixes: 80055dab5d ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
Reported-by: Sean Tranchetti <stranche@codeaurora.org>
Reported-by: kernel test robot <lkp@intel.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-12-08 12:57:39 +01:00
..
ila net: Add MODULE_DESCRIPTION entries to network modules 2020-06-20 21:33:57 -07:00
netfilter netfilter: x_tables: Switch synchronization to RCU 2020-12-08 12:57:39 +01:00
addrconf_core.c ipv6: add ipv6_fragment hook in ipv6_stub 2020-08-31 12:26:39 -07:00
addrconf.c ipv6: Fix error path to cancel the meseage 2020-11-13 18:20:00 -08:00
addrlabel.c ipv6: addrlabel: fix possible memory leak in ip6addrlbl_net_init 2020-11-25 11:20:16 -08:00
af_inet6.c ipv6: add ipv6_fragment hook in ipv6_stub 2020-08-31 12:26:39 -07:00
ah6.c ah6: fix error return code in ah6_input() 2020-11-18 10:53:16 -08:00
anycast.c ipv6: fix memory leaks on IPV6_ADDRFORM path 2020-07-30 16:30:55 -07:00
calipso.c net/ipv6: use semicolons rather than commas to separate statements 2020-10-13 17:11:52 -07:00
datagram.c icmp6: support rfc 4884 2020-07-24 17:12:41 -07:00
esp6_offload.c net: Add MODULE_DESCRIPTION entries to network modules 2020-06-20 21:33:57 -07:00
esp6.c xfrm: esp6: fix the location of the transport header with encapsulation 2020-07-28 07:57:23 +02:00
exthdrs_core.c ipv6: remove printk 2019-07-27 14:23:48 -07:00
exthdrs_offload.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
exthdrs.c net: ipv6: kerneldoc fixes 2020-07-13 17:20:39 -07:00
fib6_notifier.c net: fib_notifier: propagate extack down to the notifier block callback 2019-10-04 11:10:56 -07:00
fib6_rules.c fib: use indirect call wrappers in the most common fib_rules_ops 2020-07-28 17:42:31 -07:00
fou6.c net: Add MODULE_DESCRIPTION entries to network modules 2020-06-20 21:33:57 -07:00
icmp.c IPv6: reply ICMP error if the first fragment don't include all headers 2020-10-31 13:16:02 -07:00
inet6_connection_sock.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2019-12-24 22:28:54 -08:00
inet6_hashtables.c net: ipv6: remove unused arg exact_dif in compute_score 2020-08-31 13:08:10 -07:00
ip6_checksum.c net: udp: fix handling of CHECKSUM_COMPLETE packets 2018-10-24 14:18:16 -07:00
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-10-15 12:43:21 -07:00
ip6_flowlabel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
ip6_gre.c net: ip6_gre: set dev->hard_header_len when using header_ops 2020-12-02 11:16:12 -08:00
ip6_icmp.c ipv6: icmp6: avoid indirect call for icmpv6_send() 2020-06-19 13:41:59 -07:00
ip6_input.c bpf: Add socket assign support 2020-03-30 13:45:04 -07:00
ip6_offload.c udp: move gro declarations to net/udp.h 2020-06-23 20:10:15 -07:00
ip6_offload.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ip6_output.c networking changes for the 5.10 merge window 2020-10-15 18:42:13 -07:00
ip6_tunnel.c ip6_tunnel: set inner ipproto before ip6_tnl_encap 2020-10-30 08:07:30 -07:00
ip6_udp_tunnel.c net: Make locking in sock_bindtoindex optional 2020-06-01 14:57:14 -07:00
ip6_vti.c ipv6: use dev_sw_netstats_rx_add() 2020-10-06 06:23:21 -07:00
ip6mr.c net/ipv6: switch ip6_mroute_setsockopt to sockptr_t 2020-07-24 15:41:54 -07:00
ipcomp6.c ipcomp: assign if_id to child tunnel from parent tunnel 2020-07-09 12:55:37 +02:00
ipv6_sockglue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
Kconfig net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC 2020-09-18 17:45:04 -07:00
Makefile net: ipv6: add rpl sr tunnel 2020-03-29 22:30:57 -07:00
mcast_snoop.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 343 2019-06-05 17:37:07 +02:00
mcast.c mld: fix memory leak in ipv6_mc_destroy_dev() 2020-06-15 13:29:39 -07:00
mip6.c xfrm: remove type and offload_type map from xfrm_state_afinfo 2019-06-06 08:34:50 +02:00
ndisc.c net: Exempt multicast addresses from five-second neighbor lifetime 2020-11-13 14:24:39 -08:00
netfilter.c netfilter: use actual socket sk rather than skb sk when routing harder 2020-10-30 12:57:39 +01:00
output_core.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
ping.c ipv6/ping: set skb->mark on icmpv6 sockets 2020-07-03 14:36:04 -07:00
proc.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-07 11:00:14 -07:00
protocol.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
raw.c csum_partial_copy_nocheck(): drop the last argument 2020-08-20 15:45:14 -04:00
reassembly.c ipv6: Remove dependency of ipv6_frag_thdr_truncated on ipv6 module 2020-11-19 10:49:50 -08:00
route.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-10-15 12:43:21 -07:00
rpl_iptunnel.c net: ipv6: Use struct_size() helper and kcalloc() 2020-06-23 20:27:09 -07:00
rpl.c ipv6: rpl: fix full address compression 2020-04-18 15:04:27 -07:00
seg6_hmac.c crypto: lib/sha1 - remove unnecessary includes of linux/cryptohash.h 2020-05-08 15:32:17 +10:00
seg6_iptunnel.c seg6_iptunnel: Refactor seg6_lwt_headroom out of uapi header 2020-08-03 17:57:40 -07:00
seg6_local.c seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds 2020-06-04 15:39:32 -07:00
seg6.c seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds 2020-06-04 15:39:32 -07:00
sit.c IPv6: Set SIT tunnel hard_header_len to zero 2020-11-09 15:07:40 -08:00
syncookies.c net: Update window_clamp if SOCK_RCVBUF is set 2020-11-10 17:42:35 -08:00
sysctl_net_ipv6.c ipv6: Fix sysctl max for fib_multipath_hash_policy 2020-09-02 15:44:53 -07:00
tcp_ipv6.c tcp: Set ECT0 bit in tos/tclass for synack when BPF needs ECN 2020-11-24 14:12:55 -08:00
tcpv6_offload.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
tunnel6.c tunnel6: add tunnel6_input_afinfo for ipip and ipv6 tunnels 2020-07-09 12:52:37 +02:00
udp_impl.h net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
udp_offload.c net: udp: fix IP header access and skb lookup on Fast/frag0 UDP GRO 2020-11-12 09:55:51 -08:00
udp.c udp, bpf: Ignore connections in reuseport group after BPF sk lookup 2020-07-31 02:00:48 +02:00
udplite.c net/ipv6: remove compat_ipv6_{get,set}sockopt 2020-07-19 18:16:41 -07:00
xfrm6_input.c xfrm: state: remove extract_input indirection from xfrm_state_afinfo 2020-05-06 09:40:08 +02:00
xfrm6_output.c xfrm: remove output_finish indirection from xfrm_state_afinfo 2020-05-06 09:40:08 +02:00
xfrm6_policy.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2019-12-24 22:28:54 -08:00
xfrm6_protocol.c xfrm: add support for UDPv6 encapsulation of ESP 2020-04-28 11:28:36 +02:00
xfrm6_state.c xfrm: remove output_finish indirection from xfrm_state_afinfo 2020-05-06 09:40:08 +02:00
xfrm6_tunnel.c xfrm: interface: fix the priorities for ipip and ipv6 tunnels 2020-10-09 12:29:48 +02:00