| Message ID | 20250121181241.841212-1-edumazet@google.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 15a901361ec3fb1c393f91880e1cbf24ec0a88bd |
| Delegated to: | Netdev Maintainers |
| Series | [net] ipmr: do not call mr_mfc_uses_dev() for unres entries |
On 1/21/25 11:12 AM, Eric Dumazet wrote:
> syzbot found that calling mr_mfc_uses_dev() for unres entries
> would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
> alias to "struct sk_buff_head unresolved", which contains two pointers.
>
> This code never worked, let's remove it.
>
> ...
>
> Fixes: cb167893f41e ("net: Plumb support for filtering ipv4 and ipv6 multicast route dumps")
> Reported-by: syzbot+5cfae50c0e5f2c500013@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/678fe2d1.050a0220.15cac.00b3.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> ---
> net/ipv4/ipmr_base.c | 3 ---
> 1 file changed, 3 deletions(-)

Reviewed-by: David Ahern <dsahern@kernel.org>
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 21 Jan 2025 18:12:41 +0000 you wrote:
> syzbot found that calling mr_mfc_uses_dev() for unres entries
> would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
> alias to "struct sk_buff_head unresolved", which contains two pointers.
>
> This code never worked, let's remove it.
>
> [1]
> Unable to handle kernel paging request at virtual address ffff5fff2d536613
> KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
> Modules linked in:
> CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
> pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
> lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
> lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
> Call trace:
> mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
> mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
> mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
> ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
> rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
> rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
> netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
> netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
> sock_recvmsg_nosec net/socket.c:1033 [inline]
> sock_recvmsg net/socket.c:1055 [inline]
> sock_read_iter+0x2d8/0x40c net/socket.c:1125
> new_sync_read fs/read_write.c:484 [inline]
> vfs_read+0x740/0x970 fs/read_write.c:565
> ksys_read+0x15c/0x26c fs/read_write.c:708
>
> [...]

Here is the summary with links:
  - [net] ipmr: do not call mr_mfc_uses_dev() for unres entries
    https://git.kernel.org/netdev/net/c/15a901361ec3

You are awesome, thank you!
diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c index f0af12a2f70bcdf5ba54321bf7ebebe798318ab..de98ce66d38f39fd77650f5143aab8f91ced2fc 100644 --- a/net/ipv4/ipmr_base.c +++ b/net/ipv4/ipmr_base.c @@ -330,9 +330,6 @@ int mr_table_dump(struct mr_table *mrt, struct sk_buff *skb, list_for_each_entry(mfc, &mrt->mfc_unres_queue, list) { if (e < s_e) goto next_entry2; - if (filter->dev && - !mr_mfc_uses_dev(mrt, mfc, filter->dev)) - goto next_entry2; err = fill(mrt, skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, mfc, RTM_NEWROUTE, flags);
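Review bot: the `filter->dev` check is dropped from the `mfc_unres_queue` loop with nothing left in the code to say why, so a device-filtered dump now emits every unresolved entry unconditionally and a later cleanup could easily put the filter back expecting it to behave as it does for resolved entries. The reason (for an unres entry `mfc_un` holds the `unresolved` skb queue, not `res.minvif`/`res.maxvif`, so there is no vif range for `mr_mfc_uses_dev()` to test) lives only in the commit message; suggest a one-line comment above the surviving `if (e < s_e) goto next_entry2;`, e.g. `/* no dev filter: unres entries have no resolved vif range to match */`, and a sentence in the changelog noting that filtered dumps now always include unresolved entries.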
syzbot found that calling mr_mfc_uses_dev() for unres entries
would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
alias to "struct sk_buff_head unresolved", which contains two pointers.

This code never worked, let's remove it.

[1]
Unable to handle kernel paging request at virtual address ffff5fff2d536613
KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
Modules linked in:
CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
Call trace:
mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
sock_recvmsg_nosec net/socket.c:1033 [inline]
sock_recvmsg net/socket.c:1055 [inline]
sock_read_iter+0x2d8/0x40c net/socket.c:1125
new_sync_read fs/read_write.c:484 [inline]
vfs_read+0x740/0x970 fs/read_write.c:565
ksys_read+0x15c/0x26c fs/read_write.c:708

Fixes: cb167893f41e ("net: Plumb support for filtering ipv4 and ipv6 multicast route dumps")
Reported-by: syzbot+5cfae50c0e5f2c500013@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/678fe2d1.050a0220.15cac.00b3.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/ipv4/ipmr_base.c | 3 ---
1 file changed, 3 deletions(-)