
[net] ipmr: do not call mr_mfc_uses_dev() for unres entries

Message ID 20250121181241.841212-1-edumazet@google.com (mailing list archive)
State Accepted
Commit 15a901361ec3fb1c393f91880e1cbf24ec0a88bd
Delegated to: Netdev Maintainers
Series: [net] ipmr: do not call mr_mfc_uses_dev() for unres entries

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 2 this patch: 2
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/checkpatch warning WARNING: Possible repeated word: 'Google'
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2025-01-22--06-00 (tests: 885)

Commit Message

Eric Dumazet Jan. 21, 2025, 6:12 p.m. UTC
syzbot found that calling mr_mfc_uses_dev() for unres entries
would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
alias to "struct sk_buff_head unresolved", which contains two pointers.

This code never worked, let's remove it.

[1]
Unable to handle kernel paging request at virtual address ffff5fff2d536613
KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
Modules linked in:
CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
 pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
 lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
 lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
Call trace:
  mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
  mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
  mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
  ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
  rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
  rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
  netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
  netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
  sock_recvmsg_nosec net/socket.c:1033 [inline]
  sock_recvmsg net/socket.c:1055 [inline]
  sock_read_iter+0x2d8/0x40c net/socket.c:1125
  new_sync_read fs/read_write.c:484 [inline]
  vfs_read+0x740/0x970 fs/read_write.c:565
  ksys_read+0x15c/0x26c fs/read_write.c:708

Fixes: cb167893f41e ("net: Plumb support for filtering ipv4 and ipv6 multicast route dumps")
Reported-by: syzbot+5cfae50c0e5f2c500013@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/678fe2d1.050a0220.15cac.00b3.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/ipv4/ipmr_base.c | 3 ---
 1 file changed, 3 deletions(-)
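The root cause the commit message describes is a union type confusion: `mfc_un.res.minvif`/`mfc_un.res.maxvif` and `mfc_un.unres.unresolved` share storage inside `struct mr_mfc`, so a check written for resolved entries reads list pointers as vif indices when it is run on an unresolved entry. The program below is an added example written for this page, not kernel code. It uses cut-down stand-ins for `struct mr_mfc`, `struct mr_table`, `struct vif_device` and `struct sk_buff_head` (only the field order inside the `mfc_un` union mirrors the kernel; everything else is simplified), an explicit `resolved` flag standing in for "which list is the entry on", a constructed fake list-pointer value so the run is repeatable, and it assumes an LP64 target. It contrasts a check that trusts `res.minvif`/`res.maxvif` unconditionally with a state-aware one that never consults them for an unresolved entry, which is the behaviour the patch reaches by not calling the check on the unres queue at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXVIFS 32

/* Cut-down stand-ins (constructed for this example); only the mfc_un union mirrors the kernel's field order. */
struct sk_buff_head { void *next; void *prev; uint32_t qlen; };
struct net_device   { const char *name; };
struct vif_device   { struct net_device *dev; };
struct mr_table     { struct vif_device vif_table[MAXVIFS]; };

struct mr_mfc {
	bool resolved;	/* stand-in for "which list is this entry on" */
	union {
		struct {
			unsigned long expires;
			struct sk_buff_head unresolved;	/* packets queued until a route resolves */
		} unres;
		struct {
			unsigned long last_assert;
			int minvif;			/* overlaps unresolved.next */
			int maxvif;
			unsigned char ttls[MAXVIFS];
		} res;
	} mfc_un;
};

/* Assumption: LP64 target, so one list pointer covers exactly minvif+maxvif. */
_Static_assert(sizeof(void *) == 2 * sizeof(int), "example assumes LP64 layout");

/* The layout fact the commit message relies on. */
bool res_bounds_alias_unresolved_list(void)
{
	return offsetof(struct mr_mfc, mfc_un.res.minvif) ==
	       offsetof(struct mr_mfc, mfc_un.unres.unresolved.next);
}

/* Same shape as the check the patch stops calling: trusts res.minvif/maxvif whatever
 * state the entry is in. Returns 1 (uses dev), 0 (does not) or -1 when the decoded
 * bounds are not a sane vif range; the kernel has no such guard and walks vif_table. */
int uses_dev_trusting_res(const struct mr_table *mrt, const struct mr_mfc *c,
			  const struct net_device *dev)
{
	int lo = c->mfc_un.res.minvif, hi = c->mfc_un.res.maxvif;
	if (lo < 0 || lo > MAXVIFS || hi < 0 || hi > MAXVIFS)
		return -1;
	for (int ct = lo; ct < hi; ct++)
		if (mrt->vif_table[ct].dev == dev)
			return 1;
	return 0;
}

/* State-aware version: an unresolved entry has no vif range yet, so the
 * device filter cannot apply to it and res.* must never be read. */
bool uses_dev_checked(const struct mr_table *mrt, const struct mr_mfc *c,
		      const struct net_device *dev)
{
	return c->resolved && uses_dev_trusting_res(mrt, c, dev) == 1;
}

/* A resolved entry spanning vifs 0..1, or an unresolved one whose list pointers
 * hold a fixed fake address (constructed so the run is repeatable). */
struct mr_mfc make_entry(bool resolved)
{
	struct mr_mfc c;
	memset(&c, 0, sizeof c);
	c.resolved = resolved;
	if (resolved) {
		c.mfc_un.res.minvif = 0;
		c.mfc_un.res.maxvif = 2;
	} else {
		c.mfc_un.unres.unresolved.next = (void *)(uintptr_t)0x0000004000000002ULL;
		c.mfc_un.unres.unresolved.prev = c.mfc_un.unres.unresolved.next;
	}
	return c;
}

/* Run one check against a table holding a single device on vif 1. */
int check_entry(bool resolved, bool state_aware)
{
	struct net_device eth0 = { "eth0" };
	struct mr_table mrt;
	struct mr_mfc c = make_entry(resolved);
	memset(&mrt, 0, sizeof mrt);
	mrt.vif_table[1].dev = &eth0;
	return state_aware ? uses_dev_checked(&mrt, &c, &eth0)
			   : uses_dev_trusting_res(&mrt, &c, &eth0);
}

int main(void)
{
	printf("minvif aliases unresolved.next: %d\n", res_bounds_alias_unresolved_list());
	printf("resolved:   trusting=%d state-aware=%d\n", check_entry(true, false), check_entry(true, true));
	printf("unresolved: trusting=%d state-aware=%d\n", check_entry(false, false), check_entry(false, true));
	return 0;
}
```

For the unresolved entry the trusting check decodes the fake `next` pointer into a vif range that reaches past the table and returns -1 only because the demo refuses such bounds up front; the kernel's loop indexes `vif_table` with them directly, which is the wild read the KASAN report shows at mr_mfc_uses_dev(). The state-aware check returns false without touching `res.*`, matching the effect of the patch.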

Comments

David Ahern Jan. 22, 2025, 1:58 a.m. UTC | #1
On 1/21/25 11:12 AM, Eric Dumazet wrote:
> syzbot found that calling mr_mfc_uses_dev() for unres entries
> would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
> alias to "struct sk_buff_head unresolved", which contains two pointers.
> 
> This code never worked, let's remove it.
> 
...

> Fixes: cb167893f41e ("net: Plumb support for filtering ipv4 and ipv6 multicast route dumps")
> Reported-by: syzbot+5cfae50c0e5f2c500013@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/678fe2d1.050a0220.15cac.00b3.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> ---
>  net/ipv4/ipmr_base.c | 3 ---
>  1 file changed, 3 deletions(-)
> 


Reviewed-by: David Ahern <dsahern@kernel.org>
patchwork-bot+netdevbpf@kernel.org Jan. 23, 2025, 3:20 p.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 21 Jan 2025 18:12:41 +0000 you wrote:
> syzbot found that calling mr_mfc_uses_dev() for unres entries
> would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
> alias to "struct sk_buff_head unresolved", which contains two pointers.
> 
> This code never worked, let's remove it.
> 
> [1]
> Unable to handle kernel paging request at virtual address ffff5fff2d536613
> KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
> Modules linked in:
> CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>  pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
>  pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
>  lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
>  lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
> Call trace:
>   mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
>   mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
>   mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
>   ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
>   rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
>   rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
>   netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
>   netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
>   sock_recvmsg_nosec net/socket.c:1033 [inline]
>   sock_recvmsg net/socket.c:1055 [inline]
>   sock_read_iter+0x2d8/0x40c net/socket.c:1125
>   new_sync_read fs/read_write.c:484 [inline]
>   vfs_read+0x740/0x970 fs/read_write.c:565
>   ksys_read+0x15c/0x26c fs/read_write.c:708
> 
> [...]

Here is the summary with links:
  - [net] ipmr: do not call mr_mfc_uses_dev() for unres entries
    https://git.kernel.org/netdev/net/c/15a901361ec3

You are awesome, thank you!

Patch

diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c
index f0af12a2f70bcdf5ba54321bf7ebebe798318ab..de98ce66d38f39fd77650f5143aab8f91ced2fc 100644
--- a/net/ipv4/ipmr_base.c
+++ b/net/ipv4/ipmr_base.c
@@ -330,9 +330,6 @@  int mr_table_dump(struct mr_table *mrt, struct sk_buff *skb,
 	list_for_each_entry(mfc, &mrt->mfc_unres_queue, list) {
 		if (e < s_e)
 			goto next_entry2;
-		if (filter->dev &&
-		    !mr_mfc_uses_dev(mrt, mfc, filter->dev))
-			goto next_entry2;
 
 		err = fill(mrt, skb, NETLINK_CB(cb->skb).portid,
 			   cb->nlh->nlmsg_seq, mfc, RTM_NEWROUTE, flags);
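Review bot: with the filter check gone from this mfc_unres_queue loop, a dump that sets filter->dev now emits every unresolved entry, so device filtering no longer applies to this queue at all; that is the right outcome given that an unresolved entry's res.minvif/res.maxvif bytes hold the sk_buff_head (as the commit message explains), but nothing left in the hunk says so. Suggest a one-line comment above `if (e < s_e)`, e.g. `/* unres entries carry no vif range; filter->dev cannot apply */`, so the check is not reintroduced later by someone who spots the asymmetry with the resolved-entry walk.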