ipv4: igmp: annotate data-races in igmp_heard_query()

Multiple cpus can run igmp_heard_query() concurrently.

Add missing READ_ONCE()/WRITE_ONCE() over following in_dev fields.

- mr_qrv
- mr_qi
- mr_qri
- mr_v1_seen
- mr_v2_seen

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+ae9a171f239b14485310@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69f38675.050a0220.3cbe47.0002.GAE@google.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430164836.872079-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index a674fb44ec25baf963dbaf9e72ccc45980b858b6..a9ad39064f3bb7fcfaace52448473f0425b2fa07 100644 (file)
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -122,16 +122,29 @@
  * contradict to specs provided this delay is small enough.
  */
 
-#define IGMP_V1_SEEN(in_dev) \
-       (IPV4_DEVCONF_ALL_RO(dev_net(in_dev->dev), FORCE_IGMP_VERSION) == 1 || \
-        IN_DEV_CONF_GET((in_dev), FORCE_IGMP_VERSION) == 1 || \
-        ((in_dev)->mr_v1_seen && \
-         time_before(jiffies, (in_dev)->mr_v1_seen)))
-#define IGMP_V2_SEEN(in_dev) \
-       (IPV4_DEVCONF_ALL_RO(dev_net(in_dev->dev), FORCE_IGMP_VERSION) == 2 || \
-        IN_DEV_CONF_GET((in_dev), FORCE_IGMP_VERSION) == 2 || \
-        ((in_dev)->mr_v2_seen && \
-         time_before(jiffies, (in_dev)->mr_v2_seen)))
+static bool IGMP_V1_SEEN(const struct in_device *in_dev)
+{
+       unsigned long seen;
+
+       if (IPV4_DEVCONF_ALL_RO(dev_net(in_dev->dev), FORCE_IGMP_VERSION) == 1)
+               return true;
+       if (IN_DEV_CONF_GET((in_dev), FORCE_IGMP_VERSION) == 1)
+               return true;
+       seen = READ_ONCE(in_dev->mr_v1_seen);
+       return seen && time_before(jiffies, seen);
+}
+
+static bool IGMP_V2_SEEN(const struct in_device *in_dev)
+{
+       unsigned long seen;
+
+       if (IPV4_DEVCONF_ALL_RO(dev_net(in_dev->dev), FORCE_IGMP_VERSION) == 2)
+               return true;
+       if (IN_DEV_CONF_GET((in_dev), FORCE_IGMP_VERSION) == 2)
+               return true;
+       seen = READ_ONCE(in_dev->mr_v2_seen);
+       return seen && time_before(jiffies, seen);
+}
 
 static int unsolicited_report_interval(struct in_device *in_dev)
 {
@@ -954,23 +967,21 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
        int                     max_delay;
        int                     mark = 0;
        struct net              *net = dev_net(in_dev->dev);
-
+       unsigned long seen;
 
        if (len == 8) {
+               seen = jiffies + READ_ONCE(in_dev->mr_qrv) * READ_ONCE(in_dev->mr_qi) +
+                      READ_ONCE(in_dev->mr_qri);
                if (ih->code == 0) {
                        /* Alas, old v1 router presents here. */
 
                        max_delay = IGMP_QUERY_RESPONSE_INTERVAL;
-                       in_dev->mr_v1_seen = jiffies +
-                               (in_dev->mr_qrv * in_dev->mr_qi) +
-                               in_dev->mr_qri;
+                       WRITE_ONCE(in_dev->mr_v1_seen, seen);
                        group = 0;
                } else {
                        /* v2 router present */
                        max_delay = ih->code*(HZ/IGMP_TIMER_SCALE);
-                       in_dev->mr_v2_seen = jiffies +
-                               (in_dev->mr_qrv * in_dev->mr_qi) +
-                               in_dev->mr_qri;
+                       WRITE_ONCE(in_dev->mr_v2_seen, seen);
                }
                /* cancel the interface change timer */
                WRITE_ONCE(in_dev->mr_ifc_count, 0);
@@ -995,6 +1006,8 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
                if (!max_delay)
                        max_delay = 1;  /* can't mod w/ 0 */
        } else { /* v3 */
+               unsigned long mr_qi;
+
                if (!pskb_may_pull(skb, sizeof(struct igmpv3_query)))
                        return true;
 
@@ -1015,15 +1028,16 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
                 * received value was zero, use the default or statically
                 * configured value.
                 */
-               in_dev->mr_qrv = ih3->qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv);
-               in_dev->mr_qi = IGMPV3_QQIC(ih3->qqic)*HZ ?: IGMP_QUERY_INTERVAL;
-
+               WRITE_ONCE(in_dev->mr_qrv,
+                          ih3->qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv));
+               mr_qi = IGMPV3_QQIC(ih3->qqic)*HZ ?: IGMP_QUERY_INTERVAL;
+               WRITE_ONCE(in_dev->mr_qi, mr_qi);
                /* RFC3376, 8.3. Query Response Interval:
                 * The number of seconds represented by the [Query Response
                 * Interval] must be less than the [Query Interval].
                 */
-               if (in_dev->mr_qri >= in_dev->mr_qi)
-                       in_dev->mr_qri = (in_dev->mr_qi/HZ - 1)*HZ;
+               if (READ_ONCE(in_dev->mr_qri) >= mr_qi)
+                       WRITE_ONCE(in_dev->mr_qri, (mr_qi/HZ - 1) * HZ);
 
                if (!group) { /* general query */
                        if (ih3->nsrcs)