| Message ID | 20180110210039.4763-1-dsahern@gmail.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net] netlink: extack needs to be reset each time through loop | expand |
From: David Ahern <dsahern@gmail.com> Date: Wed, 10 Jan 2018 13:00:39 -0800 > syzbot triggered the WARN_ON in netlink_ack testing the bad_attr value. > The problem is that netlink_rcv_skb loops over the skb repeatedly invoking > the callback and without resetting the extack leaving potentially stale > data. Initializing each time through avoids the WARN_ON. > > Fixes: 2d4bc93368f5a ("netlink: extended ACK reporting") > Reported-by: syzbot+315fa6766d0f7c359327@syzkaller.appspotmail.com > Signed-off-by: David Ahern <dsahern@gmail.com> Applied and queued up for -stable, thanks David.
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 972bfe113043..ee8252d7b3d4 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -2417,7 +2417,7 @@ int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *, struct nlmsghdr *, struct netlink_ext_ack *)) { - struct netlink_ext_ack extack = {}; + struct netlink_ext_ack extack; struct nlmsghdr *nlh; int err; @@ -2438,6 +2438,7 @@ int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *, if (nlh->nlmsg_type < NLMSG_MIN_TYPE) goto ack; + memset(&extack, 0, sizeof(extack)); err = cb(skb, nlh, &extack); if (err == -EINTR) goto skip;
syzbot triggered the WARN_ON in netlink_ack testing the bad_attr value. The problem is that netlink_rcv_skb loops over the skb repeatedly invoking the callback and without resetting the extack leaving potentially stale data. Initializing each time through avoids the WARN_ON. Fixes: 2d4bc93368f5a ("netlink: extended ACK reporting") Reported-by: syzbot+315fa6766d0f7c359327@syzkaller.appspotmail.com Signed-off-by: David Ahern <dsahern@gmail.com> --- net/netlink/af_netlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)