Jeremy Kerr 3a732b4673 mctp: prevent double key removal and unref ... Currently, we have a bug where a simultaneous DROPTAG ioctl and socket close may race, as we attempt to remove a key from lists twice, and perform an unref for each removal operation. This may result in a uaf when we attempt the second unref. This change fixes the race by making __mctp_key_remove tolerant to being called on a key that has already been removed from the socket/net lists, and only performs the unref when we do the actual remove. We also need to hold the list lock on the ioctl cleanup path. This fix is based on a bug report and comprehensive analysis from butt3rflyh4ck <butterflyhuangxx@gmail.com>, found via syzkaller. Cc: stable@vger.kernel.org Fixes: 63ed1aab3d ("mctp: Add SIOCMCTP{ALLOC,DROP}TAG ioctls for tag control") Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com> Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>		2022-10-12 13:30:50 +01:00
..
6lowpan	…
9p	iov_iter stuff, part 2, rebased	2022-08-08 20:04:35 -07:00
802	…
8021q	net: gro: skb_gro_header helper function	2022-08-25 10:33:21 +02:00
appletalk	…
atm	…
ax25	ax25: move from strlcpy with unused retval to strscpy	2022-08-22 17:55:50 -07:00
batman-adv	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-09-22 13:02:10 -07:00
bluetooth	Bluetooth: hci_sync: Fix not indicating power state	2022-09-30 17:32:12 -07:00
bpf	selftests/bpf: Add tests for kfunc returning a memory pointer	2022-09-07 11:05:17 -07:00
bpfilter	…
bridge	net: bridge: assign path_cost for 2.5G and 5G link speed	2022-09-30 12:35:29 +01:00
caif	caif: move from strlcpy with unused retval to strscpy	2022-08-22 17:57:35 -07:00
can	can: bcm: check the result of can_send() in bcm_can_tx()	2022-09-23 13:53:10 +02:00
ceph	libceph: clean up ceph_osdc_start_request prototype	2022-08-03 14:05:39 +02:00
core	Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2022-10-03 13:02:49 -07:00
dcb	…
dccp	tcp: Introduce optional per-netns ehash.	2022-09-20 10:21:50 -07:00
dns_resolver	…
dsa	net: dsa: fix wrong pointer passed to PTR_ERR() in dsa_port_phylink_create()	2022-10-09 20:01:32 +01:00
ethernet	net: gro: skb_gro_header helper function	2022-08-25 10:33:21 +02:00
ethtool	ethtool: add interface to interact with Ethernet Power Equipment	2022-10-03 17:33:57 -07:00
hsr	genetlink: start to validate reserved header bytes	2022-08-29 12:47:15 +01:00
ieee802154	net/ieee802154: don't warn zero-sized raw_sendmsg()	2022-10-05 12:37:10 +02:00
ife	…
ipv4	netfilter: rpfilter/fib: Populate flowic_l3mdev field	2022-10-12 14:08:15 +02:00
ipv6	netfilter: rpfilter/fib: Populate flowic_l3mdev field	2022-10-12 14:08:15 +02:00
iucv	…
kcm	kcm: fix strp_init() order and cleanup	2022-08-31 12:16:44 -07:00
key	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec	2022-08-24 12:51:50 +01:00
l2tp	genetlink: start to validate reserved header bytes	2022-08-29 12:47:15 +01:00
l3mdev	…
lapb	…
llc	…
mac80211	wifi: mac80211: netdev compatible TX stop for iTXQ drivers	2022-10-07 14:48:14 +02:00
mac802154	net: mac802154: Fix a condition in the receive path	2022-08-29 11:10:22 +02:00
mctp	mctp: prevent double key removal and unref	2022-10-12 13:30:50 +01:00
mpls	net: Use u64_stats_fetch_begin_irq() for stats fetch.	2022-08-29 13:02:27 +01:00
mptcp	mptcp: update misleading comments.	2022-10-03 11:18:53 +01:00
ncsi	genetlink: start to validate reserved header bytes	2022-08-29 12:47:15 +01:00
netfilter	Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2022-10-03 13:02:49 -07:00
netlabel	genetlink: start to validate reserved header bytes	2022-08-29 12:47:15 +01:00
netlink	genetlink: reject use of nlmsg_flags for new commands	2022-09-30 17:43:09 -07:00
netrom	…
nfc	NFC: hci: Split memcpy() of struct hcp_message flexible array	2022-09-27 07:45:18 -07:00
nsh	…
openvswitch	net: openvswitch: allow conntrack in non-initial user namespace	2022-09-27 11:31:36 +02:00
packet	net/af_packet: registration process optimization in packet_init()	2022-09-21 12:59:22 +01:00
phonet	…
psample	genetlink: start to validate reserved header bytes	2022-08-29 12:47:15 +01:00
qrtr	net: qrtr: start MHI channel after endpoit creation	2022-08-15 11:21:42 +01:00
rds	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-10-03 17:44:18 -07:00
rfkill	…
rose	rose: check NULL rose_loopback_neigh->loopback	2022-08-22 14:24:54 +01:00
rxrpc	rxrpc: remove rxrpc_max_call_lifetime declaration	2022-09-19 17:58:47 -07:00
sched	Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs"	2022-10-05 20:32:15 -07:00
sctp	sctp: handle the error returned from sctp_auth_asoc_init_active_key	2022-09-30 12:36:40 +01:00
smc	net/smc: Support SO_REUSEPORT	2022-09-27 10:26:17 +02:00
strparser	…
sunrpc	SUNRPC: Fix typo in xdr_buf_subsegment's kdoc comment	2022-09-26 14:02:47 -04:00
switchdev	…
tipc	net/tipc: Remove unused struct distr_queue_item	2022-09-29 18:48:32 -07:00
tls	net: tls: Add ARIA-GCM algorithm	2022-09-27 17:29:09 -07:00
unix	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-10-03 17:44:18 -07:00
vmw_vsock	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-10-03 17:44:18 -07:00
wireless	wifi: nl80211: Split memcpy() of struct nl80211_wowlan_tcp_data_token flexible array	2022-10-07 15:19:06 +02:00
x25	net/x25: fix call timeouts in blocking connects	2022-08-08 20:48:51 -07:00
xdp	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-10-03 17:44:18 -07:00
xfrm	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-10-03 17:44:18 -07:00
Kconfig	Remove DECnet support from kernel	2022-08-22 14:26:30 +01:00
Kconfig.debug	net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET	2022-09-20 14:23:56 -07:00
Makefile	Remove DECnet support from kernel	2022-08-22 14:26:30 +01:00
compat.c	net: clear msg_get_inq in __get_compat_msghdr()	2022-09-20 08:23:20 -07:00
devres.c	…
socket.c	net: Fix a data-race around sysctl_somaxconn.	2022-08-24 13:46:58 +01:00
sysctl_net.c	…