Description
In the Linux kernel, the following vulnerability has been resolved: netlink: annotate accesses to nlk->cb_running Both netlink_recvmsg() and netlink_native_seq_show() read nlk->cb_running locklessly. Use READ_ONCE() there. Add corresponding WRITE_ONCE() to netlink_dump() and __netlink_dump_start() syzbot reported: BUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg write to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0: __netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399 netlink_dump_start include/linux/netlink.h:308 [inline] rtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg net/socket.c:747 [inline] sock_write_iter+0x1aa/0x230 net/socket.c:1138 call_write_iter include/linux/fs.h:1851 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x463/0x760 fs/read_write.c:584 ksys_write+0xeb/0x1a0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x42/0x50 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1: netlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022 sock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017 ____sys_recvmsg+0x2db/0x310 net/socket.c:2718 ___sys_recvmsg net/socket.c:2762 [inline] do_recvmmsg+0x2e5/0x710 net/socket.c:2856 __sys_recvmmsg net/socket.c:2935 [inline] __do_sys_recvmmsg net/socket.c:2958 [inline] __se_sys_recvmmsg net/socket.c:2951 [inline] __x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x00 -> 0x01
Product status
16b304f3404f8e0243d5ee2b70b68767b7b59b2b (git) before e25e9d8a210ed78bdf0f364576dbee13aefadbf8
16b304f3404f8e0243d5ee2b70b68767b7b59b2b (git) before 840a647499b093621167de56ffa8756dfc69f242
16b304f3404f8e0243d5ee2b70b68767b7b59b2b (git) before a507022c862e10744a92c4bf5709775450a110ad
16b304f3404f8e0243d5ee2b70b68767b7b59b2b (git) before f92557f79a60cb142258f5fa7194f327573fadd8
16b304f3404f8e0243d5ee2b70b68767b7b59b2b (git) before 1d5c8b01f1df0461256a6d75854ed806f50645a3
16b304f3404f8e0243d5ee2b70b68767b7b59b2b (git) before a115dadf8995b1730c36c474401d97355705cb88
16b304f3404f8e0243d5ee2b70b68767b7b59b2b (git) before 02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3
16b304f3404f8e0243d5ee2b70b68767b7b59b2b (git) before a939d14919b799e6fff8a9c80296ca229ba2f8a4
3.12
Any version before 3.12
4.14.316 (semver)
4.19.284 (semver)
5.4.244 (semver)
5.10.181 (semver)
5.15.113 (semver)
6.1.30 (semver)
6.3.4 (semver)
6.4 (original_commit_for_fix)
References
git.kernel.org/...c/e25e9d8a210ed78bdf0f364576dbee13aefadbf8
git.kernel.org/...c/840a647499b093621167de56ffa8756dfc69f242
git.kernel.org/...c/a507022c862e10744a92c4bf5709775450a110ad
git.kernel.org/...c/f92557f79a60cb142258f5fa7194f327573fadd8
git.kernel.org/...c/1d5c8b01f1df0461256a6d75854ed806f50645a3
git.kernel.org/...c/a115dadf8995b1730c36c474401d97355705cb88
git.kernel.org/...c/02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3
git.kernel.org/...c/a939d14919b799e6fff8a9c80296ca229ba2f8a4
