linux/net/core
Weiming Shi 375e4e33c1 bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths
bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before
removing the selem from the storage hlist. A concurrent RCU reader in
bpf_sk_storage_clone() can observe the selem still on the list with
smap already NULL, causing a NULL pointer dereference.

 general protection fault, probably for non-canonical address 0xdffffc000000000a:
 KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057]
 RIP: 0010:bpf_sk_storage_clone+0x1cd/0xaa0 net/core/bpf_sk_storage.c:174
 Call Trace:
  <IRQ>
  sk_clone+0xfed/0x1980 net/core/sock.c:2591
  inet_csk_clone_lock+0x30/0x760 net/ipv4/inet_connection_sock.c:1222
  tcp_create_openreq_child+0x35/0x2680 net/ipv4/tcp_minisocks.c:571
  tcp_v4_syn_recv_sock+0x123/0xf90 net/ipv4/tcp_ipv4.c:1729
  tcp_check_req+0x8e1/0x2580 include/net/tcp.h:855
  tcp_v4_rcv+0x1845/0x3b80 net/ipv4/tcp_ipv4.c:2347

Add a NULL check for smap in bpf_sk_storage_clone().

bpf_sk_storage_diag_put_all() has the same issue. Add a NULL check
and pass the validated smap directly to diag_get(), which is refactored
to take smap as a parameter instead of reading it internally.

bpf_sk_storage_diag_put() uses diag->maps[i] which is always valid
under its refcount, so diag->maps[i] is passed directly to diag_get().

Fixes: 5d800f87d0 ("bpf: Support lockless unlink when freeing map or local storage")
Reported-by: Xiang Mei <xmei5@asu.edu>
Acked-by: Amery Hung <ameryhung@gmail.com>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20260422065411.1007737-2-bestswngs@gmail.com
2026-04-23 17:27:12 -07:00
bpf_sk_storage.c bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths 2026-04-23 17:27:12 -07:00
datagram.c net: datagram: introduce datagram_poll_queue for custom receive queues 2025-10-23 15:46:04 +02:00
dev_addr_lists_test.c
dev_addr_lists.c net: s/dev_pre_changeaddr_notify/netif_pre_changeaddr_notify/ 2025-07-18 17:27:47 -07:00
dev_api.c net: define an enum for the napi threaded state 2025-07-24 18:34:55 -07:00
dev_ioctl.c net: remove legacy way to get/set HW timestamp config 2026-01-20 18:21:27 -08:00
dev.c net: fix reference tracker mismanagement in netdev_put_lock() 2026-04-12 09:08:43 -07:00
dev.h net: fix reference tracker mismanagement in netdev_put_lock() 2026-04-12 09:08:43 -07:00
devmem.c net: Slightly simplify net_mp_{open,close}_rxq 2026-04-09 18:21:46 -07:00
devmem.h net: inline net_is_devmem_iov() 2026-01-25 13:18:53 -08:00
drop_monitor.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
dst_cache.c net: dst: annotate data-races around dst->obsolete 2025-07-02 14:32:29 -07:00
dst.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
failover.c net: core: failover: enforce mandatory ops and clean up redundant checks 2026-03-03 17:44:11 -08:00
fib_notifier.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
fib_rules.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-04-17 12:26:50 -07:00
filter.c bpf: Reject TCP_NODELAY in bpf-tcp-cc 2026-04-22 12:58:57 -07:00
flow_dissector.c net: remove '__' from __skb_flow_get_ports() 2025-02-24 14:27:53 -08:00
flow_offload.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
gen_estimator.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
gen_stats.c
gro_cells.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
gro.c net/ipv6: Drop HBH for BIG TCP on RX side 2026-02-06 20:50:12 -08:00
gso.c
hotdata.c net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros 2026-03-29 11:21:22 -07:00
hwbm.c
ieee8021q_helpers.c net: ieee8021q: fix insufficient table-size assertion 2025-07-01 12:55:49 +02:00
link_watch.c net/sched: do not reset queues in graft operations 2026-03-09 18:55:55 -07:00
lock_debug.c netdev: fix the locking for netdev notifications 2025-04-17 18:55:14 -07:00
lwt_bpf.c bpf: remove ipv6_bpf_stub completely and use direct function calls 2026-03-29 11:21:24 -07:00
lwtunnel.c inet: Remove rtnl_is_held arg of lwtunnel_valid_encap_type(_attr)?(). 2025-05-20 19:18:24 -07:00
Makefile net: get rid of net/core/request_sock.c 2026-02-05 09:23:05 -08:00
mp_dmabuf_devmem.h memory-provider: dmabuf devmem memory provider 2024-09-11 20:44:31 -07:00
neighbour.c net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros 2026-03-29 11:21:22 -07:00
net_namespace.c Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
net_test.c
net-procfs.c net: add proper RCU protection to /proc/net/ptype 2026-02-03 19:20:30 -08:00
net-sysfs.c Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
net-sysfs.h net: add skb_defer_disable_key static key 2026-03-12 19:25:33 -07:00
net-traces.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
netclassid_cgroup.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
netdev_config.c net: add queue config validation callback 2026-01-23 11:49:02 -08:00
netdev_queues.c net: remove the netif_get_rx_queue_lease_locked() helpers 2026-04-09 18:26:28 -07:00
netdev_rx_queue.c net: Rename ifq_idx to rxq_idx in netif_mp_* helpers 2026-04-12 09:12:07 -07:00
netdev-genl-gen.c net: Add queue-create operation 2026-04-09 18:21:45 -07:00
netdev-genl-gen.h net: Add queue-create operation 2026-04-09 18:21:45 -07:00
netdev-genl.c net: remove the netif_get_rx_queue_lease_locked() helpers 2026-04-09 18:26:28 -07:00
netevent.c
netmem_priv.h mm: introduce a new page type for page pool in page type 2026-04-05 13:53:19 -07:00
netpoll.c net: Provide a PREEMPT_RT specific check for netdev_queue::_xmit_lock 2026-03-05 12:14:21 +01:00
netprio_cgroup.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
of_net.c
page_pool_priv.h net: page_pool: don't try to stash the napi id 2025-01-27 14:37:41 -08:00
page_pool_user.c page_pool: store detach_time as ktime_t to avoid false-negatives 2026-03-10 19:03:34 -07:00
page_pool.c mm: introduce a new page type for page pool in page type 2026-04-05 13:53:19 -07:00
pktgen.c kernel.h: drop hex.h and update all hex.h users 2026-01-20 19:44:19 -08:00
ptp_classifier.c
rtnetlink.c rtnetlink: add missing netlink_ns_capable() check for peer netns 2026-04-03 15:07:18 -07:00
scm.c net: use ktime_t in struct scm_timestamping_internal 2026-03-04 17:53:34 -08:00
secure_seq.c tcp: secure_seq: add back ports to TS offset 2026-03-04 17:44:35 -08:00
selftests.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
skb_fault_injection.c net: Implement fault injection forcing skb reallocation 2024-11-12 12:05:33 +01:00
skbuff.c net: add noinline __init __no_profile to skb_extensions_init() for GCOV compatibility 2026-04-12 15:29:02 -07:00
skmsg.c bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready(). 2026-04-01 18:54:04 -07:00
sock_destructor.h
sock_diag.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
sock_map.c bpf, sockmap: Annotate af_unix sock:: Sk_state data-races 2026-04-15 17:22:42 -07:00
sock_reuseport.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
sock.c tcp: update window_clamp when SO_RCVBUF is set 2026-04-13 15:32:35 +02:00
stream.c net: stream: add description for sk_stream_write_space() 2025-07-18 16:57:21 -07:00
sysctl_net_core.c net: add skb_defer_disable_key static key 2026-03-12 19:25:33 -07:00
timestamping.c net: Add the possibility to support a selected hwtstamp in netdevice 2024-12-16 12:51:40 +00:00
tso.c net: tso: Introduce tso_dma_map and helpers 2026-04-12 10:54:31 -07:00
utils.c kernel.h: drop hex.h and update all hex.h users 2026-01-20 19:44:19 -08:00
xdp.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00