Patch "genetlink: fix family dump race" has been added to the 3.0-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    genetlink: fix family dump race

to the 3.0-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     genetlink-fix-family-dump-race.patch
and it can be found in the queue-3.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 58ad436fcf49810aa006016107f494c9ac9013db Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.b...@intel.com>
Date: Tue, 13 Aug 2013 09:04:05 +0200
Subject: genetlink: fix family dump race

From: Johannes Berg <johannes.b...@intel.com>

commit 58ad436fcf49810aa006016107f494c9ac9013db upstream.

When dumping generic netlink families, only the first dump call
is locked with genl_lock(), which protects the list of families,
and thus subsequent calls can access the data without locking,
racing against family addition/removal. This can cause a crash.
Fix it - the locking needs to be conditional because the first
time around it's already locked.

A similar bug was reported to me on an old kernel (3.4.47) but
the exact scenario that happened there is no longer possible,
on those kernels the first round wasn't locked either. Looking
at the current code I found the race described above, which had
also existed on the old kernel.

Reported-by: Andrei Otcheretianski <andrei.otcheretian...@intel.com>
Signed-off-by: Johannes Berg <johannes.b...@intel.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 net/netlink/genetlink.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -700,6 +700,10 @@ static int ctrl_dumpfamily(struct sk_buf
        struct net *net = sock_net(skb->sk);
        int chains_to_skip = cb->args[0];
        int fams_to_skip = cb->args[1];
+       bool need_locking = chains_to_skip || fams_to_skip;
+
+       if (need_locking)
+               genl_lock();
 
        for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) {
                n = 0;
@@ -721,6 +725,9 @@ errout:
        cb->args[0] = i;
        cb->args[1] = n;
 
+       if (need_locking)
+               genl_unlock();
+
        return skb->len;
 }
 


Patches currently in stable-queue which might be from johannes.b...@intel.com 
are

queue-3.0/genetlink-fix-family-dump-race.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html