All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Hyunwoo Kim <v4bel@theori.io>,
	Paolo Abeni <pabeni@redhat.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 027/106] net/rose: Fix Use-After-Free in rose_ioctl
Date: Mon, 18 Dec 2023 14:50:41 +0100	[thread overview]
Message-ID: <20231218135056.096490912@linuxfoundation.org> (raw)
In-Reply-To: <20231218135055.005497074@linuxfoundation.org>

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hyunwoo Kim <v4bel@theori.io>

[ Upstream commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53 ]

Because rose_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.
```
rose_ioctl() -> skb_peek()
rose_accept() -> skb_dequeue() -> kfree_skb()
```
Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Link: https://lore.kernel.org/r/20231209100538.GA407321@v4bel-B760M-AORUS-ELITE-AX
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rose/af_rose.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index ca2b17f32670d..674937284b8d2 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1315,9 +1315,11 @@ static int rose_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 	case TIOCINQ: {
 		struct sk_buff *skb;
 		long amount = 0L;
-		/* These two are safe on a single CPU system as only user tasks fiddle here */
+
+		spin_lock_irq(&sk->sk_receive_queue.lock);
 		if ((skb = skb_peek(&sk->sk_receive_queue)) != NULL)
 			amount = skb->len;
+		spin_unlock_irq(&sk->sk_receive_queue.lock);
 		return put_user(amount, (unsigned int __user *) argp);
 	}
 
-- 
2.43.0

next prev parent reply	other threads:[~2023-12-18 13:55 UTC|newest]

Thread overview: 117+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-18 13:50 [PATCH 6.1 000/106] 6.1.69-rc1 review Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 001/106] perf/x86/uncore: Dont WARN_ON_ONCE() for a broken discovery table Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 002/106] r8152: add USB device driver for config selection Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 003/106] r8152: add vendor/device ID pair for D-Link DUB-E250 Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 004/106] r8152: add vendor/device ID pair for ASUS USB-C2500 Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 005/106] powerpc/ftrace: Fix stack teardown in ftrace_no_trace Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 006/106] ext4: fix warning in ext4_dio_write_end_io() Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 007/106] ksmbd: fix memory leak in smb2_lock() Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 008/106] afs: Fix refcount underflow from error handling race Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 009/106] HID: lenovo: Restrict detection of patched firmware only to USB cptkbd Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 010/106] net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 011/106] net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 012/106] qca_debug: Prevent crash on TX ring changes Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 013/106] qca_debug: Fix ethtool -G iface tx behavior Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 014/106] qca_spi: Fix reset behavior Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 015/106] bnxt_en: Clear resource reservation during resume Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 016/106] bnxt_en: Save ring error counters across reset Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 017/106] bnxt_en: Fix wrong return value check in bnxt_close_nic() Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 018/106] bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 019/106] atm: solos-pci: Fix potential deadlock on &cli_queue_lock Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 020/106] atm: solos-pci: Fix potential deadlock on &tx_queue_lock Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 021/106] net: vlan: introduce skb_vlan_eth_hdr() Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 022/106] net: fec: correct queue selection Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 023/106] octeontx2-af: fix a use-after-free in rvu_nix_register_reporters Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 024/106] octeontx2-pf: Fix promisc mcam entry action Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 025/106] octeontx2-af: Update RSS algorithm index Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 026/106] atm: Fix Use-After-Free in do_vcc_ioctl Greg Kroah-Hartman
2023-12-18 13:50 ` Greg Kroah-Hartman [this message]
2023-12-18 13:50 ` [PATCH 6.1 028/106] iavf: Introduce new state machines for flow director Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 029/106] iavf: Handle ntuple on/off based on " Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 030/106] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 031/106] net: Remove acked SYN flag from packet in the transmit queue correctly Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 032/106] net: ena: Destroy correct number of xdp queues upon failure Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 033/106] net: ena: Fix xdp drops handling due to multibuf packets Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 034/106] net: ena: Fix XDP redirection error Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 035/106] stmmac: dwmac-loongson: Make sure MDIO is initialized before use Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 036/106] sign-file: Fix incorrect return values check Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 037/106] vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 038/106] dpaa2-switch: fix size of the dma_unmap Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 039/106] dpaa2-switch: do not ask for MDB, VLAN and FDB replay Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 040/106] net: stmmac: Handle disabled MDIO busses from devicetree Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 041/106] appletalk: Fix Use-After-Free in atalk_ioctl Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 042/106] net: atlantic: fix double free in ring reinit logic Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 043/106] cred: switch to using atomic_long_t Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 044/106] fuse: dax: set fc->dax to NULL in fuse_dax_conn_free() Greg Kroah-Hartman
2023-12-18 13:50 ` [PATCH 6.1 045/106] ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 046/106] ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 047/106] ALSA: hda/realtek: Apply mute LED quirk for HP15-db Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 048/106] Revert "PCI: acpiphp: Reassign resources on bridge if necessary" Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 049/106] PCI: loongson: Limit MRRS to 256 Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 050/106] ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 051/106] drm/mediatek: Add spinlock for setting vblank event in atomic_begin Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 052/106] x86/hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 053/106] usb: aqc111: check packet for fixup for true limit Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 054/106] stmmac: dwmac-loongson: Add architecture dependency Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 055/106] blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 056/106] blk-cgroup: bypass blkcg_deactivate_policy after destroying Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 057/106] bcache: avoid oversize memory allocation by small stripe_size Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 058/106] bcache: remove redundant assignment to variable cur_idx Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 059/106] bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 060/106] bcache: avoid NULL checking to c->root in run_cache_set() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 061/106] nbd: fold nbd config initialization into nbd_alloc_config() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 062/106] nvme-auth: set explanation code for failure2 msgs Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 063/106] nvme: catch errors from nvme_configure_metadata() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 064/106] selftests/bpf: fix bpf_loop_bench for new callback verification scheme Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 065/106] LoongArch: Add dependency between vmlinuz.efi and vmlinux.efi Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 066/106] LoongArch: Implement constant timer shutdown interface Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 067/106] platform/x86: intel_telemetry: Fix kernel doc descriptions Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 068/106] HID: glorious: fix Glorious Model I HID report Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 069/106] HID: add ALWAYS_POLL quirk for Apple kb Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 070/106] nbd: pass nbd_sock to nbd_read_reply() instead of index Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 071/106] HID: hid-asus: reset the backlight brightness level on resume Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 072/106] HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 073/106] asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 074/106] net: usb: qmi_wwan: claim interface 4 for ZTE MF290 Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 075/106] arm64: add dependency between vmlinuz.efi and Image Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 076/106] HID: hid-asus: add const to read-only outgoing usb buffer Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 077/106] perf: Fix perf_event_validate_size() lockdep splat Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 078/106] btrfs: do not allow non subvolume root targets for snapshot Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 079/106] soundwire: stream: fix NULL pointer dereference for multi_link Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 080/106] ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 081/106] arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 082/106] team: Fix use-after-free when an option instance allocation fails Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 083/106] drm/amdgpu/sdma5.2: add begin/end_use ring callbacks Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 084/106] dmaengine: stm32-dma: avoid bitfield overflow assertion Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 085/106] mm/mglru: fix underprotected page cache Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 086/106] mm/shmem: fix race in shmem_undo_range w/THP Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 087/106] btrfs: free qgroup reserve when ORDERED_IOERR is set Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 088/106] btrfs: dont clear qgroup reserved bit in release_folio Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 089/106] drm/amdgpu: fix tear down order in amdgpu_vm_pt_free Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 090/106] drm/amd/display: Disable PSR-SU on Parade 0803 TCON again Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 091/106] drm/i915: Fix remapped stride with CCS on ADL+ Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 092/106] smb: client: fix OOB in receive_encrypted_standard() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 093/106] smb: client: fix NULL deref in asn1_ber_decoder() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 094/106] smb: client: fix OOB in smb2_query_reparse_point() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 095/106] ring-buffer: Fix memory leak of free page Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 096/106] tracing: Update snapshot buffer on resize if it is allocated Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 097/106] ring-buffer: Do not update before stamp when switching sub-buffers Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 098/106] ring-buffer: Have saved event hold the entire event Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 099/106] ring-buffer: Fix writing to the buffer with max_data_size Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 100/106] ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 101/106] ring-buffer: Do not try to put back write_stamp Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 102/106] ring-buffer: Have rb_time_cmpxchg() set the msb counter too Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 103/106] net: tls, update curr on splice as well Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 104/106] r8152: avoid to change cfg for all devices Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 6.1 105/106] r8152: remove rtl_vendor_mode function Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 6.1 106/106] r8152: fix the autosuspend doesnt work Greg Kroah-Hartman
2023-12-18 17:29 ` [PATCH 6.1 000/106] 6.1.69-rc1 review Conor Dooley
2023-12-18 17:54 ` Pavel Machek
2023-12-18 18:49 ` SeongJae Park
2023-12-18 23:56 ` Shuah Khan
2023-12-19  1:06 ` Kelsey Steele
2023-12-19  7:42 ` Naresh Kamboju
2023-12-19 11:32 ` Jon Hunter
2023-12-19 21:57 ` Florian Fainelli
2023-12-19 22:19 ` Ron Economos
2023-12-20 13:02 ` Yann Sionneau

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:ca2b17f32670 dfblob:674937284b8d
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231218135056.096490912@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=pabeni@redhat.com \
    --cc=patches@lists.linux.dev \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=v4bel@theori.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.