linux/net
Jeremy Kerr 6c52b12159 mctp: perform route lookups under a RCU read-side lock
[ Upstream commit 5093bbfc10 ]

Our current route lookups (mctp_route_lookup and mctp_route_lookup_null)
traverse the net's route list without the RCU read lock held. This means
the route lookup is subject to preemption, resulting in a potential
grace period expiry, and so an eventual kfree() while we still have the
route pointer.

Add the proper read-side critical section locks around the route
lookups, preventing preemption and a possible parallel kfree.

The remaining net->mctp.routes accesses are already under a
rcu_read_lock, or protected by the RTNL for updates.

Based on an analysis from Sili Luo <rootlab@huawei.com>, where
introducing a delay in the route lookup could cause a UAF on
simultaneous sendmsg() and route deletion.

Reported-by: Sili Luo <rootlab@huawei.com>
Fixes: 889b7da23a ("mctp: Add initial routing framework")
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/29c4b0e67dc1bf3571df3982de87df90cae9b631.1696837310.git.jk@codeconstruct.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-10-25 11:58:59 +02:00
..
6lowpan
9p 9p: virtio: make sure 'offs' is initialized in zc_request 2023-09-19 12:22:27 +02:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:14:42 +01:00
8021q vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() 2023-05-24 17:36:52 +01:00
appletalk
atm atm: hide unused procfs functions 2023-06-09 10:32:26 +02:00
ax25 net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg 2022-06-22 14:22:01 +02:00
batman-adv batman-adv: Hold rtnl lock during MTU update via netlink 2023-08-30 16:18:18 +02:00
bluetooth Bluetooth: avoid memcmp() out of bounds warning 2023-10-25 11:58:55 +02:00
bpf bpf: Move skb->len == 0 checks into __bpf_redirect 2022-12-31 13:14:11 +01:00
bpfilter
bridge net: bridge: use DEV_STATS_INC() 2023-10-06 13:18:07 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:48:54 +01:00
can can: raw: add missing refcount for memory leak fix 2023-08-30 16:18:20 +02:00
ceph libceph: use kernel_connect() 2023-10-19 23:05:36 +02:00
core net: pktgen: Fix interface flags printing 2023-10-25 11:58:58 +02:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-11 15:13:53 +02:00
dccp dccp: fix dccp_v4_err()/dccp_v6_err() again 2023-10-06 13:18:06 +02:00
dns_resolver
dsa net: dsa: tag_sja1105: fix MAC DA patching from meta frames 2023-07-23 13:47:30 +02:00
ethernet
ethtool ethtool: Fix uninitialized number of lanes 2023-05-17 11:50:18 +02:00
hsr hsr: Fix uninit-value access in fill_frame_info() 2023-09-19 12:23:03 +02:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-11-03 23:59:14 +09:00
ife
ipv4 ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr 2023-10-25 11:58:57 +02:00
ipv6 net: ipv6: fix return value check in esp_remove_trailer 2023-10-25 11:58:57 +02:00
iucv net/iucv: Fix size of interrupt data 2023-03-22 13:31:28 +01:00
kcm kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). 2023-09-19 12:23:04 +02:00
key net: af_key: fix sadb_x_filter validation 2023-08-26 14:23:32 +02:00
l2tp ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() 2023-10-10 21:59:07 +02:00
l3mdev l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu 2022-04-27 14:38:53 +02:00
lapb
llc llc: Don't drop packet from non-root netns. 2023-07-27 08:47:02 +02:00
mac80211 wifi: mac80211: check S1G action frame size 2023-09-23 11:09:56 +02:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-14 11:37:25 +01:00
mctp mctp: perform route lookups under a RCU read-side lock 2023-10-25 11:58:59 +02:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:57:09 +01:00
mptcp mptcp: consolidate fallback and non fallback state machine 2023-07-05 18:25:04 +01:00
ncsi ncsi: Propagate carrier gain/loss events to the NCSI controller 2023-10-06 13:18:18 +02:00
netfilter netfilter: nf_tables: revert do not remove elements if set backend implements .abort 2023-10-25 11:58:57 +02:00
netlabel netlabel: fix shift wrapping bug in netlbl_catmap_setlong() 2023-09-19 12:22:29 +02:00
netlink netlink: Add __sock_i_ino() for __netlink_diag_dump(). 2023-07-23 13:46:56 +02:00
netrom netrom: Deny concurrent connect(). 2023-09-19 12:22:35 +02:00
nfc nfc: nci: fix possible NULL pointer dereference in send_acknowledge() 2023-10-25 11:58:55 +02:00
nsh net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() 2023-05-24 17:36:51 +01:00
openvswitch net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() 2023-02-22 12:57:09 +01:00
packet net/packet: annotate data-races around tp->status 2023-08-16 18:22:01 +02:00
phonet phonet: refcount leak in pep_sock_accep 2022-01-11 15:35:16 +01:00
psample
qrtr net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() 2023-04-20 12:13:53 +02:00
rds net: prevent address rewrite in kernel_bind() 2023-10-19 23:05:33 +02:00
rfkill net: rfkill: gpio: prevent value glitch during probe 2023-10-25 11:58:57 +02:00
rose net/rose: Fix to not accept on connected socket 2023-02-22 12:57:02 +01:00
rxrpc rxrpc: Fix hard call timeout units 2023-05-17 11:50:17 +02:00
sched net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve 2023-10-25 11:58:57 +02:00
sctp sctp: update hb timer immediately after users change hb_interval 2023-10-10 21:59:08 +02:00
smc net/smc: Fix pos miscalculation in statistics 2023-10-19 23:05:34 +02:00
strparser bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-18 19:17:11 +01:00
sunrpc Revert "SUNRPC dont update timeout value on connection reset" 2023-10-06 13:18:22 +02:00
switchdev
tipc tipc: fix a potential deadlock on &tx->lock 2023-10-10 21:59:08 +02:00
tls net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() 2023-09-19 12:23:04 +02:00
unix af_unix: Fix data-race around unix_tot_inflight. 2023-09-19 12:22:59 +02:00
vmw_vsock vsock: avoid to close connected socket after the timeout 2023-05-24 17:36:49 +01:00
wireless wifi: nl80211/cfg80211: add forgotten nla_policy for BSS color attribute 2023-09-19 12:22:34 +02:00
x25 net/x25: Fix to not accept on connected socket 2023-02-09 11:26:40 +01:00
xdp xsk: Fix xsk_diag use-after-free error during socket cleanup 2023-09-19 12:22:58 +02:00
xfrm xfrm: interface: use DEV_STATS_INC() 2023-10-25 11:58:56 +02:00
compat.c
devres.c
Kconfig Remove DECnet support from kernel 2023-06-21 15:59:15 +02:00
Makefile Remove DECnet support from kernel 2023-06-21 15:59:15 +02:00
socket.c net: prevent address rewrite in kernel_bind() 2023-10-19 23:05:33 +02:00
sysctl_net.c