mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-06 19:07:52 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Eric Dumazet fc4ba13013 netlink: annotate lockless accesses to nlk->max_recvmsg_len 
[ Upstream commit a1865f2e7d ]

syzbot reported a data-race in data-race in netlink_recvmsg() [1]

Indeed, netlink_recvmsg() can be run concurrently,
and netlink_dump() also needs protection.

[1]
BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg

read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0:
netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg net/socket.c:1038 [inline]
__sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194
__do_sys_recvfrom net/socket.c:2212 [inline]
__se_sys_recvfrom net/socket.c:2208 [inline]
__x64_sys_recvfrom+0x78/0x90 net/socket.c:2208
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

write to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1:
netlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989
sock_recvmsg_nosec net/socket.c:1017 [inline]
sock_recvmsg net/socket.c:1038 [inline]
____sys_recvmsg+0x156/0x310 net/socket.c:2720
___sys_recvmsg net/socket.c:2762 [inline]
do_recvmmsg+0x2e5/0x710 net/socket.c:2856
__sys_recvmmsg net/socket.c:2935 [inline]
__do_sys_recvmmsg net/socket.c:2958 [inline]
__se_sys_recvmmsg net/socket.c:2951 [inline]
__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x0000000000000000 -> 0x0000000000001000

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023

Fixes: 9063e21fb0 ("netlink: autosize skb lengthes")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20230403214643.768555-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-04-13 17:02:41 +02:00
..
6lowpan
9p net/9p: fix bug in client create for .L 2023-03-22 13:37:56 +01:00
802 treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
8021q
appletalk
atm driver core: make struct class.dev_uevent() take a const * 2022-11-24 17:12:15 +01:00
ax25 ax25: af_ax25: Remove unnecessary (void*) conversions 2022-11-16 13:31:03 +00:00
batman-adv Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
bluetooth Bluetooth: Fix race condition in hci_cmd_sync_clear 2023-03-30 12:51:34 +02:00
bpf Revert "bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES" 2023-03-17 08:58:03 +01:00
bpfilter
bridge netfilter: ebtables: fix table blob use-after-free 2023-03-11 13:50:30 +01:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:57:54 +01:00
can can: j1939: prevent deadlock by moving j1939_sk_errqueue() 2023-04-06 12:12:42 +02:00
ceph Treewide: Stop corrupting socket's task_frag 2022-12-19 17:28:49 -08:00
core net: don't let netpoll invoke NAPI if in xmit context 2023-04-13 17:02:38 +02:00
dcb net: dcb: move getapptrust to separate function 2022-11-15 15:27:43 +01:00
dccp dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. 2023-02-10 19:53:42 -08:00
dns_resolver cred: Do not default to init_cred in prepare_kernel_cred() 2022-11-01 10:04:52 -07:00
dsa net: dsa: sync unicast and multicast addresses for VLAN filters too 2023-04-06 12:12:39 +02:00
ethernet net: ethernet: use sysfs_emit() to instead of scnprintf() 2022-12-07 20:02:44 -08:00
ethtool ethtool: reset #lanes when lanes is omitted 2023-04-13 17:02:41 +02:00
hsr hsr: ratelimit only when errors are printed 2023-04-06 12:12:48 +02:00
ieee802154 Merge tag 'ieee802154-for-net-next-2022-12-05' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan-next 2022-12-07 17:33:26 -08:00
ife
ipv4 ping: Fix potentail NULL deref for /proc/net/icmp. 2023-04-13 17:02:41 +02:00
ipv6 raw: Fix NULL deref in raw_get_next(). 2023-04-13 17:02:41 +02:00
iucv net/iucv: Fix size of interrupt data 2023-03-22 13:37:53 +01:00
kcm kcm: close race conditions on sk_receive_queue 2022-11-15 12:42:26 +01:00
key af_key: Fix heap information leak 2023-02-13 09:30:14 +00:00
l2tp l2tp: generate correct module alias strings 2023-04-13 17:02:37 +02:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta 2023-04-13 17:02:36 +02:00
mac802154 mac802154: Fix possible double free upon parsing error 2022-12-19 11:38:12 +01:00
mctp net: mctp: purge receive queues on sk destruction 2023-01-28 00:26:09 -08:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-15 10:26:37 +00:00
mptcp mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket() 2023-03-22 13:38:06 +01:00
ncsi net/ncsi: Silence runtime memcpy() false positive warning 2022-12-06 17:29:14 -08:00
netfilter netfilter: nft_redir: correct value of inet type .maxattrs 2023-03-22 13:37:44 +01:00
netlabel
netlink netlink: annotate lockless accesses to nlk->max_recvmsg_len 2023-04-13 17:02:41 +02:00
netrom netrom: Fix use-after-free caused by accept on already connected socket 2023-01-30 07:30:47 +00:00
nfc nfc: change order inside nfc_se_io error path 2023-03-17 08:57:48 +01:00
nsh
openvswitch net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() 2023-02-13 09:38:25 +00:00
packet Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
phonet
psample
qrtr net: qrtr: Do not do DEL_SERVER broadcast after DEL_CLIENT 2023-04-13 17:02:39 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-03-10 09:28:18 +01:00
rfkill driver core: make struct class.dev_uevent() take a const * 2022-11-24 17:12:15 +01:00
rose net/rose: Fix to not accept on connected socket 2023-01-28 00:19:57 -08:00
rxrpc rxrpc: Fix overwaking on call poking 2023-03-10 09:28:17 +01:00
sched act_mirred: use the backlog for nested calls to mirred ingress 2023-03-30 12:51:31 +02:00
sctp sctp: check send stream number after wait_for_sndbuf 2023-04-13 17:02:38 +02:00
smc net/smc: fix deadlock triggered by cancel_delayed_work_syn() 2023-03-22 13:37:49 +01:00
strparser
sunrpc sunrpc: only free unix grouplist after RCU settles 2023-04-13 17:02:40 +02:00
switchdev
tipc tipc: fix kernel warning when sending SYN message 2023-02-14 20:46:24 -08:00
tls net: tls: fix device-offloaded sendpage straddling records 2023-03-17 08:57:57 +01:00
unix af_unix: fix struct pid leaks in OOB support 2023-03-17 08:57:59 +01:00
vmw_vsock Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
wireless wifi: cfg80211: fix MLO connection ownership 2023-03-22 13:37:45 +01:00
x25 net/x25: Fix to not accept on connected socket 2023-01-25 09:51:04 +00:00
xdp xsk: Add missing overflow check in xdp_umem_reg 2023-03-30 12:50:52 +02:00
xfrm xfrm: Zero padding when dumping algos and encap 2023-04-06 12:12:24 +02:00
compat.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c net: avoid double iput when sock_alloc_file fails 2023-03-10 09:29:57 +01:00
sysctl_net.c