android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
android_kernel_xiaomi_sm8450/net
History
Pablo Neira Ayuso 910891a2a4 netfilter: nf_tables: clean up hook list when offload flags check fails 
[ Upstream commit 77972a36ecc4db7fc7c68f0e80714263c5f03f65 ]

splice back the hook list so nft_chain_release_hook() has a chance to
release the hooks.

BUG: memory leak
unreferenced object 0xffff88810180b100 (size 96):
  comm "syz-executor133", pid 3619, jiffies 4294945714 (age 12.690s)
  hex dump (first 32 bytes):
    28 64 23 02 81 88 ff ff 28 64 23 02 81 88 ff ff  (d#.....(d#.....
    90 a8 aa 83 ff ff ff ff 00 00 b5 0f 81 88 ff ff  ................
  backtrace:
    [<ffffffff83a8c59b>] kmalloc include/linux/slab.h:600 [inline]
    [<ffffffff83a8c59b>] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1901
    [<ffffffff83a9239a>] nft_chain_parse_netdev net/netfilter/nf_tables_api.c:1998 [inline]
    [<ffffffff83a9239a>] nft_chain_parse_hook+0x33a/0x530 net/netfilter/nf_tables_api.c:2073
    [<ffffffff83a9b14b>] nf_tables_addchain.constprop.0+0x10b/0x950 net/netfilter/nf_tables_api.c:2218
    [<ffffffff83a9c41b>] nf_tables_newchain+0xa8b/0xc60 net/netfilter/nf_tables_api.c:2593
    [<ffffffff83a3d6a6>] nfnetlink_rcv_batch+0xa46/0xd20 net/netfilter/nfnetlink.c:517
    [<ffffffff83a3db79>] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:638 [inline]
    [<ffffffff83a3db79>] nfnetlink_rcv+0x1f9/0x220 net/netfilter/nfnetlink.c:656
    [<ffffffff83a13b17>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
    [<ffffffff83a13b17>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
    [<ffffffff83a13fd6>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
    [<ffffffff83865ab6>] sock_sendmsg_nosec net/socket.c:714 [inline]
    [<ffffffff83865ab6>] sock_sendmsg+0x56/0x80 net/socket.c:734
    [<ffffffff8386601c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2482
    [<ffffffff8386a918>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536
    [<ffffffff8386aaa8>] __sys_sendmsg+0x88/0x100 net/socket.c:2565
    [<ffffffff845e5955>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845e5955>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: d54725cd11a5 ("netfilter: nf_tables: support for multiple devices per netdev hook")
Reported-by: syzbot+5fcdbfab6d6744c57418@syzkaller.appspotmail.com
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-09-15 11:32:05 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
net/9p: Initialize the iounit field during fid creation
2022-08-21 15:16:26 +02:00
802
net/802/garp: fix memleak in garp_request_join()
2021-07-31 08:16:11 +02:00
8021q
net: make free_netdev() more lenient with unregistering devices
2022-07-29 17:19:07 +02:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net: atm: fix update of position index in lec_seq_next
2020-10-31 12:26:30 -07:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:13:17 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 10:23:42 +02:00
bluetooth
Bluetooth: L2CAP: Fix build errors in some archs
2022-09-05 10:28:55 +02:00
bpf
bpf: Don't redirect packets with invalid pkt_len
2022-09-05 10:28:56 +02:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
netfilter: br_netfilter: Drop dst references before setting.
2022-09-15 11:32:05 +02:00
caif
net-caif: avoid user-triggerable WARN_ON(1)
2021-09-22 12:27:56 +02:00
can
can: j1939: j1939_session_destroy(): fix memory leak of skbs
2022-08-25 11:38:23 +02:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:17:56 +02:00
core
net/core/skbuff: Check the return value of skb_copy_bits()
2022-09-15 11:32:03 +02:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:09:37 +01:00
dccp
dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock
2022-08-21 15:15:52 +02:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-31 17:15:19 +02:00
dns_resolver
docs: networking: convert dns_resolver.txt to ReST
2020-04-28 14:39:46 -07:00
dsa
net: dsa: Add missing of_node_put() in dsa_port_link_register_of
2022-05-09 09:05:02 +02:00
ethernet
net: move devres helpers into a separate source file
2020-05-23 16:56:17 -07:00
ethtool
ethtool: do not perform operations on net devices being unregistered
2021-12-17 10:14:41 +01:00
hsr
net: hsr: fix mac_len checks
2021-06-03 09:00:50 +02:00
ieee802154
net: ieee802154: Return meaningful error codes from the netlink helpers
2022-02-08 18:30:37 +01:00
ife
ipv4
ip: fix triggering of 'icmp redirect'
2022-09-08 11:11:40 +02:00
ipv6
net: Fix data-races around sysctl_devconf_inherit_init_net.
2022-08-31 17:15:21 +02:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:34:05 +01:00
kcm
kcm: fix strp_init() order and cleanup
2022-09-08 11:11:37 +02:00
key
af_key: Do not call xfrm_probe_algs in parallel
2022-08-31 17:15:15 +02:00
l2tp
ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
2022-06-22 14:13:15 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:29:14 +01:00
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 09:57:10 +02:00
mac80211
net: Use u64_stats_fetch_begin_irq() for stats fetch.
2022-09-08 11:11:40 +02:00
mac802154
net: mac802154: Fix a condition in the receive path
2022-09-08 11:11:40 +02:00
mpls
net: Use u64_stats_fetch_begin_irq() for stats fetch.
2022-09-08 11:11:40 +02:00
mptcp
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-31 17:15:19 +02:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:40:32 +01:00
netfilter
netfilter: nf_tables: clean up hook list when offload flags check fails
2022-09-15 11:32:05 +02:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 21:01:00 +02:00
netlink
net: genl: fix error path memory leak in policy dumping
2022-08-25 11:38:07 +02:00
netrom
netrom: fix api breakage in nr_setsockopt()
2022-01-27 10:54:03 +01:00
nfc
NFC: NULL out the dev->rfkill to prevent UAF
2022-06-09 10:21:01 +02:00
nsh
treewide: replace '---help---' in Kconfig files with 'help'
2020-06-14 01:57:21 +09:00
openvswitch
net: openvswitch: fix parsing of nw_proto for IPv6 fragments
2022-06-29 08:59:45 +02:00
packet
net/af_packet: check len when min_header_len equals to 0
2022-09-05 10:28:59 +02:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
qrtr: Convert qrtr_ports from IDR to XArray
2022-08-25 11:38:23 +02:00
rds
rds: add missing barrier to release_refill
2022-08-25 11:37:49 +02:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-12 09:18:06 +01:00
rose
rose: check NULL rose_loopback_neigh->loopback
2022-08-31 17:15:16 +02:00
rxrpc
rxrpc: Fix locking in rxrpc's sendmsg
2022-08-31 17:15:21 +02:00
sched
Revert "sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb"
2022-09-08 11:11:37 +02:00
sctp
sctp: leave the err path free in sctp_stream_init to sctp_stream_free
2022-08-03 12:00:49 +02:00
smc
net/smc: Remove redundant refcount increase
2022-09-08 11:11:37 +02:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
SUNRPC: RPC level errors should set task->tk_rpc_status
2022-08-31 17:15:15 +02:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:37:12 +01:00
tipc
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-31 17:15:19 +02:00
tls
net/tls: Remove the context from the list in tls_device_down
2022-08-03 12:00:46 +02:00
unix
af_unix: Fix a data-race in unix_dgram_peer_wake_me().
2022-06-14 18:32:40 +02:00
vmw_vsock
vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
2022-08-25 11:37:59 +02:00
wimax
genetlink: move to smaller ops wherever possible
2020-10-02 19:11:11 -07:00
wireless
wifi: cfg80211: debugfs: fix return type in ht40allow_map_read()
2022-09-08 11:11:36 +02:00
x25
net/x25: Fix null-ptr-deref caused by x25_disconnect
2022-04-08 14:40:30 +02:00
xdp
xsk: Clear page contiguity bit when unmapping pool
2022-07-12 16:32:21 +02:00
xfrm
net: Fix data-races around netdev_max_backlog.
2022-08-31 17:15:19 +02:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
net: devres: rename the release callback of devm_register_netdev()
2020-06-30 15:57:34 -07:00
Kconfig
drop_monitor: Convert to using devlink tracepoint
2020-09-30 18:01:26 -07:00
Makefile
net: move devres helpers into a separate source file
2020-05-23 16:56:17 -07:00
socket.c
net: Fix a data-race around sysctl_somaxconn.
2022-08-31 17:15:21 +02:00
sysctl_net.c