netlink: GPF in netlink_dump

From: Dmitry Vyukov
Date: Thu Dec 08 2016 - 06:16:26 EST


Hello,

The following program triggers GPF in netlink_dump:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/uio.h>

int main()
{
    /* Fixed user mapping; syzkaller reproducers set this up unconditionally. */
    syscall(__NR_mmap, 0x20000000ul, 0xd25000ul, 0x3ul, 0x32ul, -1, 0);
    /* socket(AF_NETLINK = 16, SOCK_RAW = 3, NETLINK_GENERIC = 16) */
    int fd = syscall(__NR_socket, 0x10ul, 0x3ul, 0x10ul);
    /* 22-byte message: a 16-byte nlmsghdr followed by 6 bytes of payload. */
    struct iovec iov;
    iov.iov_base = "\x16\x00\x00\x00\x23\x00\x19\x07\x00\x00\x00\x46"
                   "\xf1\xff\xff\xe8\x03\x00\x04\xff\xff\x75";
    iov.iov_len = 22;
    /* writev() on the netlink socket hands the message to the kernel (genl_rcv). */
    syscall(__NR_writev, fd, &iov, 1);
    return 0;
}
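
As an added analysis aid, not part of the original report, the decoder below unpacks the 22-byte payload the reproducer hands to writev(), so the request that reaches the generic netlink core can be read off directly: nlmsg_len 22, nlmsg_type 0x23 (a generic-netlink family id on the reporter's kernel; which family it belonged to is not stated in the report), and nlmsg_flags 0x0719, which includes NLM_F_REQUEST and NLM_F_DUMP. That dump flag is what selects the __netlink_dump_start() -> netlink_dump() path visible in the trace, and the 4-byte genlmsghdr that follows carries cmd 0x03. The header layout and flag values are the upstream struct nlmsghdr / struct genlmsghdr definitions, re-declared inline so the program builds without <linux/netlink.h>; the function and type names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Layout of struct nlmsghdr (16 bytes, host byte order) and the flag
 * values from <linux/netlink.h>, re-declared here so this builds anywhere. */
#define NLMSG_HDRLEN   16
#define NLM_F_REQUEST  0x01
#define NLM_F_ROOT     0x100
#define NLM_F_MATCH    0x200
#define NLM_F_DUMP     (NLM_F_ROOT | NLM_F_MATCH)
#define GENL_HDRLEN    4   /* struct genlmsghdr: u8 cmd, u8 version, u16 reserved */

struct nl_hdr {
    uint32_t len;
    uint16_t type;
    uint16_t flags;
    uint32_t seq;
    uint32_t pid;
};

/* The reproducer targets x86-64, so the bytes are little-endian. */
static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the first netlink header in buf. Returns 0 on success, -1 if the
 * buffer is shorter than a header or nlmsg_len claims more bytes than are
 * present (the same length sanity check netlink_rcv_skb applies before
 * dispatching a message). */
int decode_nlmsghdr(const unsigned char *buf, size_t buflen, struct nl_hdr *out)
{
    if (buflen < NLMSG_HDRLEN)
        return -1;
    out->len   = rd32(buf);
    out->type  = rd16(buf + 4);
    out->flags = rd16(buf + 6);
    out->seq   = rd32(buf + 8);
    out->pid   = rd32(buf + 12);
    if (out->len < NLMSG_HDRLEN || out->len > buflen)
        return -1;
    return 0;
}

/* A message is a dump request only when both NLM_F_ROOT and NLM_F_MATCH are
 * set; that is the condition under which genl_family_rcv_msg starts a dump. */
int is_dump_request(const struct nl_hdr *h)
{
    return (h->flags & NLM_F_DUMP) == NLM_F_DUMP;
}

/* Return the genetlink command byte that follows the nlmsghdr, or -1 when
 * the payload is too short to hold a genlmsghdr. */
int genl_cmd(const unsigned char *buf, size_t buflen)
{
    struct nl_hdr h;
    if (decode_nlmsghdr(buf, buflen, &h) != 0)
        return -1;
    if (h.len < NLMSG_HDRLEN + GENL_HDRLEN)
        return -1;
    return buf[NLMSG_HDRLEN];
}

/* The 22 bytes the reproducer writes to its NETLINK_GENERIC socket. */
const unsigned char repro_msg[22] = {
    0x16, 0x00, 0x00, 0x00,  0x23, 0x00,  0x19, 0x07,  0x00, 0x00, 0x00, 0x46,
    0xf1, 0xff, 0xff, 0xe8,  0x03, 0x00, 0x04, 0xff, 0xff, 0x75
};

int main(void)
{
    struct nl_hdr h;
    if (decode_nlmsghdr(repro_msg, sizeof repro_msg, &h) != 0) {
        puts("malformed netlink header");
        return 1;
    }
    printf("nlmsg_len=%u type=0x%x flags=0x%x seq=0x%x pid=0x%x\n",
           h.len, h.type, h.flags, h.seq, h.pid);
    printf("request=%d dump=%d genl cmd=%d\n",
           (h.flags & NLM_F_REQUEST) != 0, is_dump_request(&h),
           genl_cmd(repro_msg, sizeof repro_msg));
    return 0;
}
```

Running it on the reproducer bytes prints flags 0x719 with dump=1, which is the reason the trace never leaves the dump machinery before faulting in netlink_dump's mutex_lock.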


kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 0 PID: 6913 Comm: a.out Not tainted 4.9.0-rc7+ #76
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006716a840 task.stack: ffff880063a38000
RIP: 0010:[<ffffffff81567f65>] [<ffffffff81567f65>] __lock_acquire+0xb35/0x3380 kernel/locking/lockdep.c:3221
RSP: 0018:ffff880063a3e578 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 000000000000000c RSI: 0000000000000000 RDI: 1ffff1000c747d09
RBP: ffff880063a3eab0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000060 R11: 0000000000000000 R12: ffff88006716a840
R13: 0000000000000001 R14: ffffffff8baba1a0 R15: 0000000000000001
FS: 000000000082a880(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b20e0 CR3: 000000003dd5d000 CR4: 00000000000006f0
Stack:
ffff88006716b060 ffff880063a3e5f0 ffff88006716b088 0000000041b58ab3
ffffffff894ee650 ffffffff81562600 ffff88006716b058 ffff880063a3e930
00000000894d005b 1ffff1000c747cbe 0000000100000000 ffffffff81557640
Call Trace:
[<ffffffff8156b682>] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3746
[< inline >] __mutex_lock_common kernel/locking/mutex.c:521
[<ffffffff88193a3f>] mutex_lock_nested+0x23f/0xf20 kernel/locking/mutex.c:621
[<ffffffff86cb2228>] netlink_dump+0xd8/0xd70 net/netlink/af_netlink.c:2067
[<ffffffff86cb6e8a>] __netlink_dump_start+0x4ea/0x760 net/netlink/af_netlink.c:2200
[<ffffffff86cc12e7>] genl_family_rcv_msg+0xa77/0x1070 net/netlink/genetlink.c:597
[<ffffffff86cc1a90>] genl_rcv_msg+0x1b0/0x260 net/netlink/genetlink.c:660
[<ffffffff86cbf66c>] netlink_rcv_skb+0x2bc/0x3a0 net/netlink/af_netlink.c:2281
[<ffffffff86cc085d>] genl_rcv+0x2d/0x40 net/netlink/genetlink.c:671
[< inline >] netlink_unicast_kernel net/netlink/af_netlink.c:1214
[<ffffffff86cbde8a>] netlink_unicast+0x51a/0x740 net/netlink/af_netlink.c:1240
[<ffffffff86cbeb54>] netlink_sendmsg+0xaa4/0xe50 net/netlink/af_netlink.c:1786
[< inline >] sock_sendmsg_nosec net/socket.c:621
[<ffffffff86a7517f>] sock_sendmsg+0xcf/0x110 net/socket.c:631
[<ffffffff86a754eb>] sock_write_iter+0x32b/0x620 net/socket.c:829
[<ffffffff81a6ef33>] do_iter_readv_writev+0x363/0x670 fs/read_write.c:695
[<ffffffff81a71981>] do_readv_writev+0x431/0x9b0 fs/read_write.c:872
[<ffffffff81a724bc>] vfs_writev+0x8c/0xc0 fs/read_write.c:911
[<ffffffff81a72605>] do_writev+0x115/0x2d0 fs/read_write.c:944
[< inline >] SYSC_writev fs/read_write.c:1017
[<ffffffff81a75dbc>] SyS_writev+0x2c/0x40 fs/read_write.c:1014
[<ffffffff881a3d05>] entry_SYSCALL_64_fastpath+0x23/0xc6 arch/x86/entry/entry_64.S:209
Code: e9 03 f3 48 ab 48 81 c4 10 05 00 00 44 89 e8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 4c 89 d2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 00 26 00 00 49 81 3a c0 64 e2 8a 41 bf 00 00
RIP [<ffffffff81567f65>] __lock_acquire+0xb35/0x3380 kernel/locking/lockdep.c:3221
RSP <ffff880063a3e578>
---[ end trace 8d9cfd5e00f7ff0c ]---
==================================================================

On commit 2caceb3294a78c389b462e7e236a4e744a53a474 (Dec 1).