30 Aug, 2018

1 commit

  • syzbot reported a use-after-free in tipc_group_fill_sock_diag(),
    where tipc_group_fill_sock_diag() still reads tsk->group while
    tipc_group_delete() just deletes it in tipc_release().

    tipc_nl_sk_walk() aims to lock this sock when walking each sock
    in the hash table to close race conditions with sock changes like
    this one, by acquiring the tsk->sk.sk_lock.slock spinlock; unfortunately
    this doesn't work at all. All non-BH call paths should take
    lock_sock() instead to make it work.

    tipc_nl_sk_walk() brutally iterates with raw rht_for_each_entry_rcu(),
    where the RCU read lock is required; this is the reason why lock_sock()
    can't be taken on this path. This could be resolved by switching to
    the rhashtable iterator APIs, where taking a sleepable lock is possible.
    Also, the iterator APIs are friendly for restartable calls like
    diag dump: the last position is remembered behind the scenes, and
    all we need to do here is save the iterator into cb->args[].

    I tested this with parallel tipc diag dump and thousands of tipc
    socket creations and releases, with no crash or memory leak.

    Reported-by: syzbot+b9c8f3ab2994b7cd1625@syzkaller.appspotmail.com
    Cc: Jon Maloy
    Cc: Ying Xue
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang

09 Apr, 2018

1 commit

  • Commit 4b2e6877b879 ("tipc: Fix namespace violation in tipc_sk_fill_sock_diag")
    tried to fix the crash but failed; the crash is still 100% reproducible
    with it.

    In tipc_sk_fill_sock_diag(), skb is the diag dump we are filling; it is not
    correct to retrieve its NETLINK_CB(). Instead, like other protocol diags,
    we should use NETLINK_CB(cb->skb).sk here.

    Reported-by:
    Fixes: 4b2e6877b879 ("tipc: Fix namespace violation in tipc_sk_fill_sock_diag")
    Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC")
    Cc: GhantaKrishnamurthy MohanKrishna
    Cc: Jon Maloy
    Cc: Ying Xue
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Cong Wang

23 Mar, 2018

1 commit

  • This commit adds socket diagnostics capability for AF_TIPC in the netlink
    family NETLINK_SOCK_DIAG in a new kernel module (diag.ko).

    The following are key design considerations:
    - config TIPC_DIAG has default y, like INET_DIAG.
    - only requests with flag NLM_F_DUMP are supported (dump all).
    - tipc_sock_diag_req message is introduced to send filter parameters.
    - the response attributes are TLVs, some nested.

    To avoid exposing data structures between the diag and tipc modules and
    to avoid code duplication, the following additions are required:
    - export tipc_nl_sk_walk function to reuse the socket iterator.
    - export tipc_sk_fill_sock_diag to fill the tipc diag attributes.
    - create a sock_diag response message in __tipc_add_sock_diag defined
      in diag.c and use the above exported tipc_sk_fill_sock_diag
      to fill the response.

    Acked-by: Jon Maloy
    Acked-by: Ying Xue
    Signed-off-by: GhantaKrishnamurthy MohanKrishna
    Signed-off-by: Parthasarathy Bhuvaragan
    Signed-off-by: David S. Miller

    GhantaKrishnamurthy MohanKrishna