linux/net
Eric Dumazet a747e02430 ipv6: avoid possible NULL deref in modify_prefix_route()
syzbot found a NULL deref [1] in modify_prefix_route(), caused by one
fib6_info without a fib6_table pointer set.

This can happen for net->ipv6.fib6_null_entry

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
 RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089
Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84
RSP: 0018:ffffc900035d7268 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030
R13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000
FS:  0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
  __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
  _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
  spin_lock_bh include/linux/spinlock.h:356 [inline]
  modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831
  inet6_addr_modify net/ipv6/addrconf.c:4923 [inline]
  inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055
  rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920
  netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541
  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
  netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347
  netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891
  sock_sendmsg_nosec net/socket.c:711 [inline]
  __sock_sendmsg net/socket.c:726 [inline]
  ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583
  ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637
  __sys_sendmsg+0x16e/0x220 net/socket.c:2669
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd1dcef8b79
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79
RDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>

Fixes: 5eb902b8e7 ("net/ipv6: Remove expired routes with a separated list of routes.")
Reported-by: syzbot+1de74b0794c40c8eb300@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/67461f7f.050a0220.1286eb.0021.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kui-Feng Lee <thinker.li@gmail.com>
Cc: David Ahern <dsahern@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2024-12-01 20:45:23 +00:00
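The report above is worth reading closely before looking at the fix. The CPU faulted on 0xdffffc0000000006, a non-canonical address (hence #GP rather than a page fault), and KASAN translated it into "null-ptr-deref in range [0x30-0x37]". That translation is the shadow-memory arithmetic: each shadow byte covers an 8-byte granule at `(shadow - KASAN_SHADOW_OFFSET) << 3`, so shadow byte 0xdffffc0000000006 describes bytes 0x30..0x37, and RDI/R12 holding 0x30 is the lock address spin_lock_bh() was handed, i.e. a field at offset 0x30 of a table pointer that was NULL. The following C program is an added example (not kernel code and not part of this commit) that performs the same decode the kernel's GP hook does for a KASAN build; it assumes the x86_64 generic-KASAN values `KASAN_SHADOW_OFFSET = 0xdffffc0000000000` and a scale shift of 3, and is only meaningful for the non-canonical fault case seen in this report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for x86_64 with generic (software) KASAN. Other
 * architectures and KASAN modes use different offsets and granule sizes. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL

struct kasan_decoded {
	bool     is_shadow;      /* fault address is a plausible shadow address */
	uint64_t start;          /* first byte described by that shadow byte   */
	uint64_t end;            /* last byte described by that shadow byte    */
	bool     null_ptr_deref; /* described range lies in the first page     */
};

/*
 * Reverse the shadow mapping shadow = (addr >> 3) + KASAN_SHADOW_OFFSET.
 * Mirrors what the kernel does when a #GP hits a non-canonical address
 * that looks like it belongs to the (unmapped) shadow of low memory.
 */
struct kasan_decoded kasan_decode_fault(uint64_t fault_addr)
{
	struct kasan_decoded d = {0};

	if (fault_addr < KASAN_SHADOW_OFFSET)
		return d; /* not a shadow address: ordinary bad pointer */

	d.is_shadow = true;
	d.start = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
	d.end = d.start + KASAN_GRANULE_SIZE - 1;
	d.null_ptr_deref = d.start < PAGE_SIZE;
	return d;
}

/*
 * For a NULL-plus-offset dereference, the register holding the pointer
 * that was accessed is exactly the field offset within the missing object.
 * Returns true when that register agrees with the decoded KASAN range.
 */
bool kasan_fault_matches_register(uint64_t fault_addr, uint64_t reg)
{
	struct kasan_decoded d = kasan_decode_fault(fault_addr);

	return d.is_shadow && reg >= d.start && reg <= d.end;
}

int main(void)
{
	/* Values taken from the oops above: faulting address, RDI and R12. */
	uint64_t fault = 0xdffffc0000000006ULL;
	uint64_t rdi = 0x30ULL;
	struct kasan_decoded d = kasan_decode_fault(fault);

	printf("fault 0x%016llx -> %s in range [0x%016llx-0x%016llx]\n",
	       (unsigned long long)fault,
	       d.null_ptr_deref ? "null-ptr-deref" : "maybe wild-memory-access",
	       (unsigned long long)d.start, (unsigned long long)d.end);
	printf("RDI=0x%llx %s the decoded range\n", (unsigned long long)rdi,
	       kasan_fault_matches_register(fault, rdi) ? "is inside" : "is outside");
	return 0;
}
```

Running the decode on the report's numbers reproduces KASAN's own line, which is the quick sanity check that the register dump and the KASAN message describe the same access: the lock being acquired lives 0x30 bytes into a structure whose base pointer was NULL, consistent with the commit's explanation that the fib6_info had no fib6_table set.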
6lowpan ipv6: eliminate ndisc_ops_is_useropt() 2024-08-12 17:23:57 -07:00
9p 9p: fix slab cache name creation for real 2024-10-21 15:41:29 -07:00
802 move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
8021q net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
appletalk appletalk: Remove deadcode 2024-10-04 12:42:32 +01:00
atm
ax25
batman-adv This cleanup patchset includes the following patches: 2024-10-15 15:28:17 +02:00
bluetooth Bluetooth: SCO: remove the redundant sco_conn_put 2024-11-26 11:07:28 -05:00
bpf bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled 2024-10-31 16:15:21 +01:00
bridge ndo_fdb_del: Add a parameter to report whether notification was sent 2024-11-15 16:39:18 -08:00
caif caif: Remove unused cfsrvl_getphyid 2024-10-08 15:33:49 -07:00
can can: gw: Use rtnl_register_many(). 2024-10-15 18:52:26 -07:00
ceph libceph: use min() to simplify code in ceph_dns_resolve_name() 2024-08-27 09:30:16 +02:00
core rtnetlink: fix rtnl_dump_ifinfo() error path 2024-11-24 16:43:13 -08:00
dcb dcb: Use rtnl_register_many(). 2024-10-15 18:52:26 -07:00
dccp net: fix data-races around sk->sk_forward_alloc 2024-11-11 15:29:33 -08:00
devlink net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
dns_resolver
dsa net: dsa: use ethtool string helpers 2024-11-03 10:36:34 -08:00
ethernet
ethtool Revert "net: ethtool: Avoid thousands of -Wflex-array-member-not-at-end warnings" 2024-11-18 18:52:11 -08:00
handshake remove pointless includes of <linux/fdtable.h> 2024-10-07 13:34:41 -04:00
hsr net: hsr: avoid potential out-of-bound access in fill_frame_info() 2024-11-30 13:58:18 -08:00
ieee802154 net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
ife
ipv4 net: Fix icmp host relookup triggering ip_rt_bug 2024-11-30 14:17:10 -08:00
ipv6 ipv6: avoid possible NULL deref in modify_prefix_route() 2024-12-01 20:45:23 +00:00
iucv s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() 2024-11-26 10:02:53 +01:00
kcm kcm: replace call_rcu by kfree_rcu for simple kmem_cache_free callback 2024-10-15 10:50:21 -07:00
key xfrm: Add support for per cpu xfrm state handling. 2024-10-29 11:56:00 +01:00
l2tp net/l2tp: fix warning in l2tp_exit_net found by syzbot 2024-11-26 09:27:07 +01:00
l3mdev
lapb
llc llc: Improve setsockopt() handling of malformed user input 2024-11-28 08:57:42 +01:00
mac80211 wireless-next patches for v6.13 2024-11-13 18:35:19 -08:00
mac802154 Including fixes from ieee802154, bluetooth and netfilter. 2024-10-03 09:44:00 -07:00
mctp net: mctp: Expose transport binding identifier via IFLA attribute 2024-11-09 09:04:54 -08:00
mpls rtnetlink: Return int from rtnl_af_register(). 2024-10-22 11:02:05 +02:00
mptcp mptcp: pm: avoid code duplication to lookup endp 2024-11-18 18:50:13 -08:00
ncsi net/ncsi: Disable the ncsi work before freeing the associated structure 2024-10-03 10:14:14 +02:00
netfilter Networking changes for 6.13. 2024-11-21 08:28:08 -08:00
netlabel Networking changes for 6.13. 2024-11-21 08:28:08 -08:00
netlink netlink: fix false positive warning in extack during dumps 2024-11-24 16:58:07 -08:00
netrom net/netrom: prefer strscpy over strcpy 2024-08-29 12:33:07 -07:00
nfc net: nfc: Propagate ISO14443 type A target ATS to userspace via netlink 2024-11-07 10:21:58 +01:00
nsh
openvswitch net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
packet af_packet: avoid erroring out after sock_init_data() in packet_create() 2024-10-15 18:43:07 -07:00
phonet phonet: do not call synchronize_rcu() from phonet_route_del() 2024-11-07 20:34:16 -08:00
psample
qrtr net: qrtr: Update packets cloning when broadcasting 2024-09-24 10:48:16 +02:00
rds net/rds: remove unused struct 'rds_ib_dereg_odp_mr' 2024-10-03 16:42:52 -07:00
rfkill net: rfkill: gpio: Add check for clk_enable() 2024-11-12 13:30:31 +01:00
rose
rxrpc rxrpc: Improve setsockopt() handling of malformed user input 2024-11-28 08:57:42 +01:00
sched net/sched: tbf: correct backlog statistic for GSO packets 2024-11-30 13:02:43 -08:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-11-14 11:29:15 -08:00
shaper net-shapers: implement cap validation in the core 2024-10-10 08:30:23 -07:00
smc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-11-07 13:44:16 -08:00
strparser
sunrpc NFSD 6.13 Release Notes 2024-11-26 12:59:30 -08:00
switchdev
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-09-15 09:13:19 -07:00
tls move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
unix af_unix: Don't return OOB skb in manage_oob(). 2024-09-09 17:14:27 -07:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-11-14 11:29:15 -08:00
wireless wireless-next patches for v6.13 2024-11-13 18:35:19 -08:00
x25
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-11-19 13:56:02 +01:00
xfrm ipsec-next-2024-11-15 2024-11-18 11:52:49 +00:00
compat.c
devres.c
Kconfig netlink: spec: add shaper YAML spec 2024-10-10 08:30:21 -07:00
Kconfig.debug rtnetlink: Add per-netns RTNL. 2024-10-08 15:16:59 +02:00
Makefile netlink: spec: add shaper YAML spec 2024-10-10 08:30:21 -07:00
socket.c Networking changes for 6.13. 2024-11-21 08:28:08 -08:00
sysctl_net.c