Re: net: GPF in __netlink_ns_capable

From: Herbert Xu
Date: Wed Jan 20 2016 - 10:01:12 EST

Next message: Borislav Petkov: "Re: [PATCH] x86: static_cpu_has_safe: discard dynamic check after init"
Previous message: One Thousand Gnomes: "Re: tty: deadlock between n_tracerouter_receivebuf and flush_to_ldisc"
In reply to: Wan, Kaike: "RE: net: GPF in __netlink_ns_capable"
Next in thread: Wan, Kaike: "RE: net: GPF in __netlink_ns_capable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jan 20, 2016 at 02:35:59PM +0000, Wan, Kaike wrote:
> >From the code (netlink_dump() in net/netlink/af_netlink.c), it shows that a skb is allocated without initializing the skb->cb[] field, which will cause oops if netlink_capable() is called with the duplicate skb. This will happen if the netlink_dump_start() path is followed (in ibnl_rcv_msg() in drivers/infiniband/core/netlink.c). However, for the IB netlink local service, we handle only request RDMA_NL_LS_OP_SET_TIMEOUT and response to RDMA_NL_LS_OP_RESOLVE, which directly call the registered dump function (ib_nl_handle_resolve_resp() and ib_nl_handle_resolve_resp()). See the following snippet:

You'll find a reproducer in the original email:

http://lkml.iu.edu/hypermail/linux/kernel/1601.1/06505.html

Cheers,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Next message: Borislav Petkov: "Re: [PATCH] x86: static_cpu_has_safe: discard dynamic check after init"
Previous message: One Thousand Gnomes: "Re: tty: deadlock between n_tracerouter_receivebuf and flush_to_ldisc"
In reply to: Wan, Kaike: "RE: net: GPF in __netlink_ns_capable"
Next in thread: Wan, Kaike: "RE: net: GPF in __netlink_ns_capable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]