github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-12 16:57:59 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
5ce5ebfa00
linux/drivers/net
History
Eric Dumazet 8f50a05dd6 tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() 
[ Upstream commit 1efba987c4 ]

If both IFF_NAPI_FRAGS mode and XDP are enabled, and the XDP program
consumes the skb, we need to clear the napi.skb (or risk
a use-after-free) and release the mutex (or risk a deadlock)

WARNING: lock held when returning to user space!
5.5.0-rc6-syzkaller #0 Not tainted
------------------------------------------------
syz-executor.0/455 is leaving the kernel with locks still held!
1 lock held by syz-executor.0/455:
 #0: ffff888098f6e748 (&tfile->napi_mutex){+.+.}, at: tun_get_user+0x1604/0x3fc0 drivers/net/tun.c:1835

Fixes: 90e33d4594 ("tun: enable napi_gro_frags() for TUN/TAP driver")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Petar Penkov <ppenkov@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-01-29 16:43:17 +01:00
..
appletalk net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT 2018-09-13 10:35:57 -07:00
arcnet arcnet: provide a buffer big enough to actually receive packets 2019-10-05 13:09:26 +02:00
bonding bonding: fix active-backup transition after link failure 2020-01-04 19:13:23 +01:00
caif caif-hsi: fix possible deadlock in cfhsi_exit_module() 2019-07-28 08:29:23 +02:00
can can, slip: Protect tty->disc_data in write_wakeup and close with RCU 2020-01-29 16:43:14 +01:00
dsa net: dsa: qca8k: Enable delay for RGMII_ID mode 2020-01-27 14:50:25 +01:00
ethernet net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM 2020-01-29 16:43:15 +01:00
fddi
fjes fjes: fix missed check in fjes_acpi_add 2019-12-31 16:34:36 +01:00
hamradio 6pack,mkiss: fix possible deadlock 2020-01-04 19:13:27 +01:00
hippi
hyperv hv_netvsc: flag software created hash value 2020-01-27 14:51:21 +01:00
ieee802154 ieee802154: ca8210: prevent memory leak 2019-10-29 09:19:31 +01:00
ipvlan net: ipvlan: Fix ipvlan device tso disabled while NETIF_F_IP_CSUM is set 2019-06-25 11:35:58 +08:00
netdevsim Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net 2018-08-02 10:55:32 -07:00
phy net: phy: don't clear BMCR in genphy_soft_reset 2020-01-27 14:50:34 +01:00
plip
ppp ppp: Fix memory leak in ppp_write 2019-10-05 13:09:29 +02:00
slip can, slip: Protect tty->disc_data in write_wakeup and close with RCU 2020-01-29 16:43:14 +01:00
team team: Add vlan tx offload to hw_enc_features 2019-08-25 10:48:04 +02:00
usb net: usb: lan78xx: Add .ndo_features_check 2020-01-29 16:43:17 +01:00
vmxnet3
wan net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info 2020-01-23 08:21:35 +01:00
wimax wimax/i2400m: fix a memory leak bug 2019-09-10 10:33:48 +01:00
wireless ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet 2020-01-27 14:51:13 +01:00
xen-netback net: xen-netback: fix return type of ndo_start_xmit function 2019-11-24 08:19:18 +01:00
dummy.c
eql.c
geneve.c geneve: correctly handle ipv6.disable module parameter 2019-03-10 07:17:17 +01:00
gtp.c gtp: make sure only SOCK_DGRAM UDP sockets are accepted 2020-01-29 16:43:14 +01:00
ifb.c
Kconfig geneve: change NET_UDP_TUNNEL dependency to select 2019-12-05 09:21:10 +01:00
LICENSE.SRC
loopback.c net: loopback: clear skb->tstamp before netif_rx() 2018-11-13 11:08:20 -08:00
macsec.c macsec: let the administrator set UP state even if lowerdev is down 2019-12-01 09:17:03 +01:00
macvlan.c macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() 2020-01-23 08:21:34 +01:00
macvtap.c
Makefile net: Always descend into dsa/ 2019-05-25 18:23:19 +02:00
mdio.c
mii.c
net_failover.c failover: Fix error return code in net_failover_create 2019-11-20 18:46:12 +01:00
netconsole.c
nlmon.c
ntb_netdev.c ntb_netdev: fix sleep time mismatch 2019-12-01 09:17:13 +01:00
rionet.c rapidio/rionet: do not free skb before reading its length 2018-12-05 19:31:59 +01:00
sb1000.c
Space.c
sungem_phy.c
tap.c
thunderbolt.c net: thunderbolt: Unregister ThunderboltIP protocol handler when suspending 2019-06-15 11:54:07 +02:00
tun.c tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() 2020-01-29 16:43:17 +01:00
veth.c veth: Orphan skb before GRO 2018-09-16 15:33:50 -07:00
virtio_net.c virtio_net: Account for tx bytes and packets on sending xdp_frames 2019-02-12 19:47:23 +01:00
vrf.c vrf: mark skb for multicast or link-local as enslaved to VRF 2019-12-01 09:17:28 +01:00
vsockmon.c
vxlan.c vxlan: changelink: Fix handling of default remotes 2020-01-27 14:50:07 +01:00
xen-netfront.c xen-netfront: do not use ~0U as error return value for xennet_fill_frags() 2019-10-07 18:57:25 +02:00