From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 04/25] netlink: do not reset transport header in netlink_recvmsg()
Date: Mon, 16 May 2022 21:36:18 +0200 [thread overview]
Message-ID: <20220516193614.817183626@linuxfoundation.org> (raw)
In-Reply-To: <20220516193614.678319286@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d5076fe4049cadef1f040eda4aaa001bb5424225 ]
netlink_recvmsg() does not need to change transport header.
If transport header was needed, it should have been reset
by the producer (netlink_dump()), not the consumer(s).
The following trace probably happened when multiple threads
were using MSG_PEEK.
BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg
write to 0xffff88811e9f15b2 of 2 bytes by task 32012 on cpu 1:
skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
sock_recvmsg_nosec net/socket.c:948 [inline]
sock_recvmsg net/socket.c:966 [inline]
__sys_recvfrom+0x204/0x2c0 net/socket.c:2097
__do_sys_recvfrom net/socket.c:2115 [inline]
__se_sys_recvfrom net/socket.c:2111 [inline]
__x64_sys_recvfrom+0x74/0x90 net/socket.c:2111
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
write to 0xffff88811e9f15b2 of 2 bytes by task 32005 on cpu 0:
skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
____sys_recvmsg+0x162/0x2f0
___sys_recvmsg net/socket.c:2674 [inline]
__sys_recvmsg+0x209/0x3f0 net/socket.c:2704
__do_sys_recvmsg net/socket.c:2714 [inline]
__se_sys_recvmsg net/socket.c:2711 [inline]
__x64_sys_recvmsg+0x42/0x50 net/socket.c:2711
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0xffff -> 0x0000
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 32005 Comm: syz-executor.4 Not tainted 5.18.0-rc1-syzkaller-00328-ge1f700ebd6be-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20220505161946.2867638-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netlink/af_netlink.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 979cd7dff40a..1b2e99ce54e5 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1947,7 +1947,6 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
copied = len;
}
- skb_reset_transport_header(data_skb);
err = skb_copy_datagram_msg(data_skb, 0, msg, copied);
if (msg->msg_name) {
--
2.35.1
next prev parent reply other threads:[~2022-05-16 19:42 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-16 19:36 [PATCH 4.14 00/25] 4.14.280-rc1 review Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 01/25] batman-adv: Dont skb_split skbuffs with frag_list Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 02/25] net: Fix features skip in for_each_netdev_feature() Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 03/25] ipv4: drop dst in multicast routing path Greg Kroah-Hartman
2022-05-16 19:36 ` Greg Kroah-Hartman [this message]
2022-05-16 19:36 ` [PATCH 4.14 05/25] mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 06/25] hwmon: (ltq-cputemp) restrict it to SOC_XWAY Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 07/25] s390/ctcm: fix variable dereferenced before check Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 08/25] s390/ctcm: fix potential memory leak Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 09/25] s390/lcs: fix variable dereferenced before check Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 10/25] net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 11/25] net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe() Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 12/25] hwmon: (f71882fg) Fix negative temperature Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 13/25] ASoC: max98090: Reject invalid values in custom control put() Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 14/25] ASoC: max98090: Generate notifications on changes for custom control Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 15/25] ASoC: ops: Validate input values in snd_soc_put_volsw_range() Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 16/25] tcp: resalt the secret every 10 seconds Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 17/25] usb: cdc-wdm: fix reading stuck on device close Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 18/25] USB: serial: pl2303: add device id for HP LM930 Display Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 19/25] USB: serial: qcserial: add support for Sierra Wireless EM7590 Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 20/25] USB: serial: option: add Fibocom L610 modem Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 21/25] USB: serial: option: add Fibocom MA510 modem Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 22/25] cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp() Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 23/25] drm/vmwgfx: Initialize drm_mode_fb_cmd2 Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 24/25] ping: fix address binding wrt vrf Greg Kroah-Hartman
2022-05-16 19:36 ` [PATCH 4.14 25/25] tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe() Greg Kroah-Hartman
2022-05-17 7:37 ` [PATCH 4.14 00/25] 4.14.280-rc1 review Jon Hunter
2022-05-17 19:29 ` Guenter Roeck
2022-05-18 8:33 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220516193614.817183626@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.