From 13e8d43287a894a477f92affe7e182c3d520a67d Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Fri, 8 Mar 2024 19:57:01 +0800 Subject: [PATCH] net: fix possible store tearing in neigh_periodic_work() mainline inclusion from mainline-v6.6-rc5 commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AWK CVE: CVE-2023-52522 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=25563b581ba3a1f263a00e8c9a97f5e7363be6fd -------------------------------- While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an RCU protected item from a list. Readers use rcu_deference(*np), we need to use either rcu_assign_pointer() or WRITE_ONCE() on writer side to prevent store tearing. I use rcu_assign_pointer() to have lockdep support, this was the choice made in neigh_flush_dev(). Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour") Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Zhengchao Shao --- net/core/neighbour.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 778be5866d0a..3f1520755282 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -855,7 +855,9 @@ static void neigh_periodic_work(struct work_struct *work) if (refcount_read(&n->refcnt) == 1 && (state == NUD_FAILED || time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) { - *np = n->next; + rcu_assign_pointer(*np, + rcu_dereference_protected(n->next, + lockdep_is_held(&tbl->lock))); n->dead = 1; write_unlock(&n->lock); neigh_cleanup_and_release(n); -- Gitee