iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet 92b4c5c3fa net: do not sense pfmemalloc status in skb_append_pagefrags() 
[ Upstream commit 228ebc41dfab5b5d34cd76835ddb0ca8ee12f513 ]

skb_append_pagefrags() is used by af_unix and udp sendpage()
implementation so far.

In commit 326140063946 ("tcp: TX zerocopy should not sense
pfmemalloc status") we explained why we should not sense
pfmemalloc status for pages owned by user space.

We should also use skb_fill_page_desc_noacc()
in skb_append_pagefrags() to avoid following KCSAN report:

BUG: KCSAN: data-race in lru_add_fn / skb_append_pagefrags

write to 0xffffea00058fc1c8 of 8 bytes by task 17319 on cpu 0:
__list_add include/linux/list.h:73 [inline]
list_add include/linux/list.h:88 [inline]
lruvec_add_folio include/linux/mm_inline.h:323 [inline]
lru_add_fn+0x327/0x410 mm/swap.c:228
folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246
lru_add_drain_cpu+0x73/0x250 mm/swap.c:669
lru_add_drain+0x21/0x60 mm/swap.c:773
free_pages_and_swap_cache+0x16/0x70 mm/swap_state.c:311
tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:256 [inline]
tlb_flush_mmu+0x5b2/0x640 mm/mmu_gather.c:263
tlb_finish_mmu+0x86/0x100 mm/mmu_gather.c:363
exit_mmap+0x190/0x4d0 mm/mmap.c:3098
__mmput+0x27/0x1b0 kernel/fork.c:1185
mmput+0x3d/0x50 kernel/fork.c:1207
copy_process+0x19fc/0x2100 kernel/fork.c:2518
kernel_clone+0x166/0x550 kernel/fork.c:2671
__do_sys_clone kernel/fork.c:2812 [inline]
__se_sys_clone kernel/fork.c:2796 [inline]
__x64_sys_clone+0xc3/0xf0 kernel/fork.c:2796
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffffea00058fc1c8 of 8 bytes by task 17325 on cpu 1:
page_is_pfmemalloc include/linux/mm.h:1817 [inline]
__skb_fill_page_desc include/linux/skbuff.h:2432 [inline]
skb_fill_page_desc include/linux/skbuff.h:2453 [inline]
skb_append_pagefrags+0x210/0x600 net/core/skbuff.c:3974
unix_stream_sendpage+0x45e/0x990 net/unix/af_unix.c:2338
kernel_sendpage+0x184/0x300 net/socket.c:3561
sock_sendpage+0x5a/0x70 net/socket.c:1054
pipe_to_sendpage+0x128/0x160 fs/splice.c:361
splice_from_pipe_feed fs/splice.c:415 [inline]
__splice_from_pipe+0x222/0x4d0 fs/splice.c:559
splice_from_pipe fs/splice.c:594 [inline]
generic_splice_sendpage+0x89/0xc0 fs/splice.c:743
do_splice_from fs/splice.c:764 [inline]
direct_splice_actor+0x80/0xa0 fs/splice.c:931
splice_direct_to_actor+0x305/0x620 fs/splice.c:886
do_splice_direct+0xfb/0x180 fs/splice.c:974
do_sendfile+0x3bf/0x910 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x0000000000000000 -> 0xffffea00058fc188

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 17325 Comm: syz-executor.0 Not tainted 6.1.0-rc1-syzkaller-00158-g440b7895c990-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022

Fixes: 326140063946 ("tcp: TX zerocopy should not sense pfmemalloc status")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20221027040346.1104204-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-11-03 23:59:19 +09:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-07-22 16:19:03 +02:00
9p
net/9p: Initialize the iounit field during fid creation
2022-08-17 14:24:23 +02:00
802
net: 802: remove dead leftover after ipx driver removal
2021-08-13 16:30:35 -07:00
8021q
net: use eth_hw_addr_set() instead of ether_addr_copy()
2022-08-31 17:16:37 +02:00
appletalk
net: socket: rework compat_ifreq_ioctl()
2021-07-23 14:20:25 +01:00
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-29 10:12:55 +02:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:22:01 +02:00
batman-adv
batman-adv: Use netif_rx_any_context() any.
2022-07-29 17:25:07 +02:00
bluetooth
Bluetooth: L2CAP: Fix user-after-free
2022-10-26 12:35:37 +02:00
bpf
bpf: Don't redirect packets with invalid pkt_len
2022-09-05 10:30:07 +02:00
bpfilter
bridge
netfilter: ebtables: fix memory leak when blob is malformed
2022-09-28 11:11:52 +02:00
caif
net-caif: avoid user-triggerable WARN_ON(1)
2021-09-14 12:51:15 +01:00
can
can: j1939: transport: j1939_session_skb_drop_old(): spin_unlock_irqrestore() before kfree_skb()
2022-11-03 23:59:10 +09:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:57:28 +02:00
core
net: do not sense pfmemalloc status in skb_append_pagefrags()
2022-11-03 23:59:19 +09:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:12:52 +01:00
dccp
dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock
2022-08-17 14:23:37 +02:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-03 12:03:51 +02:00
dns_resolver
dsa
net: dsa: hellcreek: Print warning only once
2022-09-20 12:39:45 +02:00
ethernet
move netdev_boot_setup into Space.c
2021-08-03 13:05:26 +01:00
ethtool
ethtool: eeprom: fix null-deref on genl_info in dump
2022-11-03 23:59:14 +09:00
hsr
net: hsr: avoid possible NULL deref in skb_clone()
2022-10-29 10:12:56 +02:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:59:14 +09:00
ife
ipv4
nh: fix scope used to find saddr when adding non gw nh
2022-11-03 23:59:19 +09:00
ipv6
ipv6: ensure sane device mtu in tunnels
2022-11-03 23:59:18 +09:00
iucv
net/iucv: Replace deprecated CPU-hotplug functions.
2021-08-09 10:13:32 +01:00
kcm
kcm: annotate data-races around kcm->rx_wait
2022-11-03 23:59:16 +09:00
key
af_key: Do not call xfrm_probe_algs in parallel
2022-08-31 17:16:36 +02:00
l2tp
ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
2022-06-22 14:21:58 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 14:38:53 +02:00
lapb
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 09:58:46 +02:00
mac80211
wifi: mac80211: allow bw change during channel switch in mesh
2022-10-26 12:34:39 +02:00
mac802154
mac802154: Fix LQI recording
2022-11-03 23:59:12 +09:00
mctp
mctp: Fix check for dev_hard_header() result
2022-04-13 20:59:16 +02:00
mpls
net: Use u64_stats_fetch_begin_irq() for stats fetch.
2022-09-08 12:28:07 +02:00
mptcp
mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb
2022-08-31 17:16:50 +02:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:42:37 +01:00
netfilter
netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements
2022-10-29 10:12:56 +02:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 20:59:10 +02:00
netlink
net: genl: fix error path memory leak in policy dumping
2022-08-25 11:40:25 +02:00
netrom
netrom: fix api breakage in nr_setsockopt()
2022-01-27 11:04:00 +01:00
nfc
NFC: NULL out the dev->rfkill to prevent UAF
2022-06-09 10:22:46 +02:00
nsh
openvswitch
openvswitch: switch from WARN to pr_warn
2022-11-03 23:59:18 +09:00
packet
net/af_packet: check len when min_header_len equals to 0
2022-09-05 10:30:12 +02:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:35:16 +01:00
psample
qrtr
net: qrtr: start MHI channel after endpoit creation
2022-08-25 11:40:29 +02:00
rds
net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
2022-10-26 12:34:49 +02:00
rfkill
rfkill: make new event layout opt-in
2022-04-08 14:23:00 +02:00
rose
rose: check NULL rose_loopback_neigh->loopback
2022-08-31 17:16:38 +02:00
rxrpc
rxrpc: Fix calc of resend age
2022-09-23 14:15:50 +02:00
sched
net: sched: fix race condition in qdisc_graft()
2022-10-29 10:12:57 +02:00
sctp
sctp: handle the error returned from sctp_auth_asoc_init_active_key
2022-10-26 12:34:48 +02:00
smc
net/smc: Stop the CLC flow if no link to map buffers on
2022-09-28 11:11:53 +02:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 19:17:11 +01:00
sunrpc
SUNRPC: RPC level errors should set task->tk_rpc_status
2022-08-31 17:16:37 +02:00
switchdev
net: make switchdev_bridge_port_{,unoffload} loosely coupled with the bridge
2021-08-04 12:35:07 +01:00
tipc
tipc: fix a null-ptr-deref in tipc_topsrv_accept
2022-11-03 23:59:15 +09:00
tls
net/tls: Remove the context from the list in tls_device_down
2022-08-03 12:03:47 +02:00
unix
io_uring/af_unix: defer registered files gc to io_uring release
2022-10-26 12:35:52 +02:00
vmw_vsock
vhost/vsock: Use kvmalloc/kvfree for larger packets.
2022-10-26 12:34:47 +02:00
wireless
wifi: cfg80211: update hidden BSSes to avoid WARN_ON
2022-10-15 07:59:03 +02:00
x25
net/x25: Fix null-ptr-deref caused by x25_disconnect
2022-04-08 14:23:53 +02:00
xdp
xsk: Fix backpressure mechanism on Tx
2022-10-26 12:34:40 +02:00
xfrm
xfrm: Update ipcomp_scratches with NULL when freed
2022-10-26 12:35:34 +02:00
compat.c
devres.c
Kconfig
mctp: Add MCTP base
2021-07-29 15:06:49 +01:00
Makefile
mctp: Add MCTP base
2021-07-29 15:06:49 +01:00
socket.c
net: Fix a data-race around sysctl_somaxconn.
2022-08-31 17:16:45 +02:00
sysctl_net.c