Re: net: GPF in __netlink_ns_capable

From: Richard Weinberger
Date: Fri Jan 15 2016 - 19:08:39 EST

Next message: Kamal Mostafa: "[PATCH 4.2.y-ckt 305/305] net: possible use after free in dst_release"
Previous message: Kamal Mostafa: "[PATCH 4.2.y-ckt 285/305] x86/mce: Ensure offline CPUs don't participate in rendezvous process"
In reply to: Dmitry Vyukov: "net: GPF in __netlink_ns_capable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 15, 2016 at 11:31 PM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> Call Trace:
> [< inline >] netlink_ns_capable net/netlink/af_netlink.c:1417
> [<ffffffff8529c0a5>] netlink_capable+0x25/0x30 net/netlink/af_netlink.c:1432

Hmm, we're crashing because NETLINK_CB(skb).sk is NULL.
netlink_dump() creates a new skb without a netlink control block,
but infiniband's dump functions use netlink_capable() which needs a valid
NETLINK_CB(skb).sk.

What about something like that?

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 81dc1bb..bb40ec5 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -919,6 +919,7 @@ static void netlink_skb_set_owner_r(struct sk_buff
*skb, struct sock *sk)
{
WARN_ON(skb->sk != NULL);
skb->sk = sk;
+ NETLINK_CB(skb).sk = sk;
skb->destructor = netlink_skb_destructor;
atomic_add(skb->truesize, &sk->sk_rmem_alloc);
sk_mem_charge(sk, skb->truesize);
--
Thanks,
//richard

Next message: Kamal Mostafa: "[PATCH 4.2.y-ckt 305/305] net: possible use after free in dst_release"
Previous message: Kamal Mostafa: "[PATCH 4.2.y-ckt 285/305] x86/mce: Ensure offline CPUs don't participate in rendezvous process"
In reply to: Dmitry Vyukov: "net: GPF in __netlink_ns_capable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]