* Patch "af_unix: don't append consumed skbs to sk_receive_queue" has been added to the 4.2-stable tree
@ 2015-12-11 16:49 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2015-12-11 16:49 UTC (permalink / raw)
To: hannes, davem, dvyukov, edumazet, eric.dumazet, gregkh
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
af_unix: don't append consumed skbs to sk_receive_queue
to the 4.2-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
af_unix-don-t-append-consumed-skbs-to-sk_receive_queue.patch
and it can be found in the queue-4.2 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From foo@baz Fri Dec 11 11:38:35 EST 2015
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Mon, 16 Nov 2015 16:25:56 +0100
Subject: af_unix: don't append consumed skbs to sk_receive_queue
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
[ Upstream commit 8844f97238ca6c1ca92a5d6c69f53efd361a266f ]
In case multiple writes to a unix stream socket race we could end up in a
situation where we pre-allocate a new skb for use in unix_stream_sendpage
but have to free it again in the locked section because another skb
has been appended meanwhile, which we must use. Accidentally we didn't
clear the pointer after consuming it and so we touched freed memory
while appending it to the sk_receive_queue. So, clear the pointer after
consuming the skb.
This bug has been found with syzkaller
(http://github.com/google/syzkaller) by Dmitry Vyukov.
Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/unix/af_unix.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1799,6 +1799,7 @@ alloc_skb:
* this - does no harm
*/
consume_skb(newskb);
+ newskb = NULL;
}
if (skb_append_pagefrags(skb, page, offset, size)) {
Patches currently in stable-queue which might be from hannes@stressinduktion.org are
queue-4.2/ipv6-add-complete-rcu-protection-around-np-opt.patch
queue-4.2/ipv6-check-rt-dst.from-for-the-dst_nocache-route.patch
queue-4.2/af-unix-passcred-support-for-sendpage.patch
queue-4.2/af_unix-don-t-append-consumed-skbs-to-sk_receive_queue.patch
queue-4.2/ipv6-avoid-creating-rtf_cache-from-a-rt-that-is-not-managed-by-fib6-tree.patch
queue-4.2/net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
queue-4.2/ipv6-check-expire-on-dst_nocache-route.patch
queue-4.2/af-unix-fix-use-after-free-with-concurrent-readers-while-splicing.patch
queue-4.2/ip_tunnel-disable-preemption-when-updating-per-cpu-tstats.patch
queue-4.2/af_unix-take-receive-queue-lock-while-appending-new-skb.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-12-11 20:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-12-11 16:49 Patch "af_unix: don't append consumed skbs to sk_receive_queue" has been added to the 4.2-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).