From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+3ce8520484b0d4e260a5@syzkaller.appspotmail.com,
	Xin Long <lucien.xin@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 015/100] tipc: handle the err returned from cmd header function
Date: Tue, 30 Apr 2019 13:37:44 +0200
Message-ID: <20190430113609.314779227@linuxfoundation.org>
In-Reply-To: <20190430113608.616903219@linuxfoundation.org>

[ Upstream commit 2ac695d1d602ce00b12170242f58c3d3a8e36d04 ]

Syzbot found a crash:

  BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
  Call Trace:
    tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
    __tipc_nl_compat_dumpit+0x59e/0xda0 net/tipc/netlink_compat.c:215
    tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:280
    tipc_nl_compat_handle net/tipc/netlink_compat.c:1226 [inline]
    tipc_nl_compat_recv+0x1b5f/0x2750 net/tipc/netlink_compat.c:1265
    genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
    genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
    netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
    genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
    netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
    netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
    netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
    sock_sendmsg_nosec net/socket.c:622 [inline]
    sock_sendmsg net/socket.c:632 [inline]

  Uninit was created at:
    __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
    alloc_skb include/linux/skbuff.h:1012 [inline]
    netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
    netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
    sock_sendmsg_nosec net/socket.c:622 [inline]
    sock_sendmsg net/socket.c:632 [inline]

It was supposed to be fixed in commit 974cb0e3e7c9 ("tipc: fix uninit-value
in tipc_nl_compat_name_table_dump") by checking TLV_GET_DATA_LEN(msg->req)
in cmd->header()/tipc_nl_compat_name_table_dump_header(), which is called
ahead of tipc_nl_compat_name_table_dump().

However, tipc_nl_compat_dumpit() doesn't handle the error returned from the
cmd header function. It means that even when the check added in that fix
fails, it won't stop calling tipc_nl_compat_name_table_dump(), and the issue
will be triggered again.

So this patch adds handling of the err returned from the cmd header
function in tipc_nl_compat_dumpit().

Reported-by: syzbot+3ce8520484b0d4e260a5@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/netlink_compat.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 0b21187d74df..e3de41eb0000 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -267,8 +267,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
 	if (msg->rep_type)
 		tipc_tlv_init(msg->rep, msg->rep_type);
 
-	if (cmd->header)
-		(*cmd->header)(msg);
+	if (cmd->header) {
+		err = (*cmd->header)(msg);
+		if (err) {
+			kfree_skb(msg->rep);
+			msg->rep = NULL;
+			return err;
+		}
+	}
 
 	arg = nlmsg_new(0, GFP_KERNEL);
 	if (!arg) {
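Review bot: the new error exit `kfree_skb(msg->rep); msg->rep = NULL; return err;` sits right above the existing `if (!arg) {` failure branch, which presumably has to release msg->rep the same way; consider routing both through a single exit label so the two cleanup paths cannot drift apart. The hunk also uses `err` without showing its declaration, so confirm the variable already exists at function scope in this 4.19 backport. Finally, the fix now depends on every `.header` callback returning 0 on success and a negative errno on failure; that contract is worth a comment where `struct tipc_nl_compat_cmd_dump` declares the callback, since any callback returning a non-zero "success" value would now silently abort the dump.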
-- 
2.19.1
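As an added illustration of the control-flow problem the commit message describes (this is example code, not kernel code and not part of the patch), here is a reduced C model of tipc_nl_compat_dumpit(): a header callback validates the request length, then a dump callback reads from the request. The names compat_msg, name_table_query, name_table_header, name_table_dump, dumpit_unchecked, dumpit_checked and run_dispatch, and the request layout, are invented for this illustration, and the request bytes are constructed. dumpit_unchecked mirrors the pre-fix flow (the callback's return value is dropped and the dump runs anyway); dumpit_checked mirrors the flow after the patch.

```c
/*
 * Added example, not kernel code: a model of tipc_nl_compat_dumpit()
 * before and after the fix. All identifiers are invented for the demo.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 64

/* Constructed stand-in for the TLV-framed request. Only the first req_len
 * bytes were supplied by the sender; in a real skb the rest is uninitialized
 * memory, which is what the KMSAN report above is about. */
struct compat_msg {
	unsigned char req[REQ_BUF_SIZE];
	size_t req_len;       /* bytes actually received, i.e. TLV_GET_DATA_LEN */
	int dump_called;      /* set when the dump callback ran */
	uint32_t dump_value;  /* what the dump read out of the request */
};

/* The dump expects at least this much request payload. */
struct name_table_query {
	uint32_t depth;
	uint32_t type;
	uint32_t lowbound;
	uint32_t upbound;
};

typedef int (*header_fn)(struct compat_msg *);
typedef void (*dump_fn)(struct compat_msg *);
typedef int (*dispatch_fn)(header_fn, dump_fn, struct compat_msg *);

/* Validation step, the role of the TLV_GET_DATA_LEN() check that commit
 * 974cb0e3e7c9 added to the header callback. */
static int name_table_header(struct compat_msg *msg)
{
	if (msg->req_len < sizeof(struct name_table_query))
		return -EINVAL;
	return 0;
}

/* The dump copies a full query out of the request. If the header check was
 * skipped, req_len may be shorter than the struct and bytes the sender never
 * supplied are read. (The demo zero-fills the buffer so it has no UB.) */
static void name_table_dump(struct compat_msg *msg)
{
	struct name_table_query q;

	memcpy(&q, msg->req, sizeof(q));
	msg->dump_called = 1;
	msg->dump_value = q.upbound;
}

/* Pre-fix control flow: the header callback's result is discarded. */
static int dumpit_unchecked(header_fn header, dump_fn dump,
			    struct compat_msg *msg)
{
	if (header)
		(*header)(msg);	/* return value ignored */
	dump(msg);
	return 0;
}

/* Post-fix control flow: a failing header callback stops the dump.
 * (The kernel additionally frees msg->rep on this path.) */
static int dumpit_checked(header_fn header, dump_fn dump,
			  struct compat_msg *msg)
{
	int err;

	if (header) {
		err = (*header)(msg);
		if (err)
			return err;
	}
	dump(msg);
	return 0;
}

/* Build a constructed request with `len` bytes of 0xA5 payload and run it
 * through the given dispatcher. Returns the dispatcher's result; *msg holds
 * whether the dump ran and what it read. */
static int run_dispatch(dispatch_fn dispatch, size_t len, struct compat_msg *msg)
{
	size_t i;

	memset(msg, 0, sizeof(*msg));
	for (i = 0; i < len && i < REQ_BUF_SIZE; i++)
		msg->req[i] = 0xA5;
	msg->req_len = len;
	return dispatch(name_table_header, name_table_dump, msg);
}

int main(void)
{
	struct compat_msg m;
	int err;

	err = run_dispatch(dumpit_unchecked, 4, &m);
	printf("unchecked, 4-byte request: err=%d dump_called=%d\n", err, m.dump_called);
	err = run_dispatch(dumpit_checked, 4, &m);
	printf("checked,   4-byte request: err=%d dump_called=%d\n", err, m.dump_called);
	err = run_dispatch(dumpit_checked, sizeof(struct name_table_query), &m);
	printf("checked,  full request:    err=%d dump_called=%d value=0x%08x\n",
	       err, m.dump_called, m.dump_value);
	return 0;
}
```

With a 4-byte request the unchecked dispatcher returns 0 and still runs the dump, which is exactly the path syzbot exercised; the checked dispatcher returns -EINVAL and the dump never runs, while a full-length request passes through both unchanged.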