releases/5.4.195/netlink-do-not-reset-transport-header-in-netlink_rec.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 6666f3fbb5ee1e7c35e8c4548fdf1d1ac35dee83 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Thu, 5 May 2022 09:19:46 -0700
 Subject: netlink: do not reset transport header in netlink_recvmsg()

 From: Eric Dumazet <edumazet@google.com>

 [ Upstream commit d5076fe4049cadef1f040eda4aaa001bb5424225 ]

 netlink_recvmsg() does not need to change transport header.

 If transport header was needed, it should have been reset
 by the producer (netlink_dump()), not the consumer(s).

 The following trace probably happened when multiple threads
 were using MSG_PEEK.

 BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg

 write to 0xffff88811e9f15b2 of 2 bytes by task 32012 on cpu 1:
  skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
  netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
  sock_recvmsg_nosec net/socket.c:948 [inline]
  sock_recvmsg net/socket.c:966 [inline]
  __sys_recvfrom+0x204/0x2c0 net/socket.c:2097
  __do_sys_recvfrom net/socket.c:2115 [inline]
  __se_sys_recvfrom net/socket.c:2111 [inline]
  __x64_sys_recvfrom+0x74/0x90 net/socket.c:2111
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 write to 0xffff88811e9f15b2 of 2 bytes by task 32005 on cpu 0:
  skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
  netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
  ____sys_recvmsg+0x162/0x2f0
  ___sys_recvmsg net/socket.c:2674 [inline]
  __sys_recvmsg+0x209/0x3f0 net/socket.c:2704
  __do_sys_recvmsg net/socket.c:2714 [inline]
  __se_sys_recvmsg net/socket.c:2711 [inline]
  __x64_sys_recvmsg+0x42/0x50 net/socket.c:2711
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 value changed: 0xffff -> 0x0000

 Reported by Kernel Concurrency Sanitizer on:
 CPU: 0 PID: 32005 Comm: syz-executor.4 Not tainted 5.18.0-rc1-syzkaller-00328-ge1f700ebd6be-dirty #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
 Signed-off-by: Eric Dumazet <edumazet@google.com>
 Reported-by: syzbot <syzkaller@googlegroups.com>
 Link: https://lore.kernel.org/r/20220505161946.2867638-1-eric.dumazet@gmail.com
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  net/netlink/af_netlink.c | 1 -
  1 file changed, 1 deletion(-)

 diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
 index 8aefc52542a0..86b70385dce3 100644
 --- a/net/netlink/af_netlink.c
 +++ b/net/netlink/af_netlink.c
 @@ -1987,7 +1987,6 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
  		copied = len;
  	}

 -	skb_reset_transport_header(data_skb);
  	err = skb_copy_datagram_msg(data_skb, 0, msg, copied);

  	if (msg->msg_name) {
 --
 2.35.1
	From 6666f3fbb5ee1e7c35e8c4548fdf1d1ac35dee83 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Thu, 5 May 2022 09:19:46 -0700
	Subject: netlink: do not reset transport header in netlink_recvmsg()

	From: Eric Dumazet <edumazet@google.com>

	[ Upstream commit d5076fe4049cadef1f040eda4aaa001bb5424225 ]

	netlink_recvmsg() does not need to change transport header.

	If transport header was needed, it should have been reset
	by the producer (netlink_dump()), not the consumer(s).

	The following trace probably happened when multiple threads
	were using MSG_PEEK.

	BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg

	write to 0xffff88811e9f15b2 of 2 bytes by task 32012 on cpu 1:
	skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
	netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
	sock_recvmsg_nosec net/socket.c:948 [inline]
	sock_recvmsg net/socket.c:966 [inline]
	__sys_recvfrom+0x204/0x2c0 net/socket.c:2097
	__do_sys_recvfrom net/socket.c:2115 [inline]
	__se_sys_recvfrom net/socket.c:2111 [inline]
	__x64_sys_recvfrom+0x74/0x90 net/socket.c:2111
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	write to 0xffff88811e9f15b2 of 2 bytes by task 32005 on cpu 0:
	skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
	netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
	____sys_recvmsg+0x162/0x2f0
	___sys_recvmsg net/socket.c:2674 [inline]
	__sys_recvmsg+0x209/0x3f0 net/socket.c:2704
	__do_sys_recvmsg net/socket.c:2714 [inline]
	__se_sys_recvmsg net/socket.c:2711 [inline]
	__x64_sys_recvmsg+0x42/0x50 net/socket.c:2711
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	value changed: 0xffff -> 0x0000

	Reported by Kernel Concurrency Sanitizer on:
	CPU: 0 PID: 32005 Comm: syz-executor.4 Not tainted 5.18.0-rc1-syzkaller-00328-ge1f700ebd6be-dirty #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

	Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Reported-by: syzbot <syzkaller@googlegroups.com>
	Link: https://lore.kernel.org/r/20220505161946.2867638-1-eric.dumazet@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	net/netlink/af_netlink.c \| 1 -
	1 file changed, 1 deletion(-)

	diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
	index 8aefc52542a0..86b70385dce3 100644
	--- a/net/netlink/af_netlink.c
	+++ b/net/netlink/af_netlink.c
	@@ -1987,7 +1987,6 @@ static int netlink_recvmsg(struct socket sock, struct msghdr msg, size_t len,
	copied = len;
	}

	- skb_reset_transport_header(data_skb);
	err = skb_copy_datagram_msg(data_skb, 0, msg, copied);

	if (msg->msg_name) {
	--
	2.35.1