From: Eric Dumazet edumazet@google.com
mainline inclusion from mainline-v6.6-rc5 commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AWK CVE: CVE-2023-52522
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an RCU protected item from a list.
Readers use rcu_deference(*np), we need to use either rcu_assign_pointer() or WRITE_ONCE() on writer side to prevent store tearing.
I use rcu_assign_pointer() to have lockdep support, this was the choice made in neigh_flush_dev().
Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour") Signed-off-by: Eric Dumazet edumazet@google.com Reviewed-by: David Ahern dsahern@kernel.org Reviewed-by: Simon Horman horms@kernel.org Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Zhengchao Shao shaozhengchao@huawei.com --- net/core/neighbour.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 778be5866d0a..3f1520755282 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -855,7 +855,9 @@ static void neigh_periodic_work(struct work_struct *work) if (refcount_read(&n->refcnt) == 1 && (state == NUD_FAILED || time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) { - *np = n->next; + rcu_assign_pointer(*np, + rcu_dereference_protected(n->next, + lockdep_is_held(&tbl->lock))); n->dead = 1; write_unlock(&n->lock); neigh_cleanup_and_release(n);