net: GPF in __netlink_ns_capable

From: Dmitry Vyukov
Date: Fri Jan 15 2016 - 17:32:03 EST


Hello,

The following program causes GPF in __netlink_ns_capable:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

int main()
{
	// Map a fixed scratch region at 0x20000000 (PROT_READ|PROT_WRITE,
	// MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED) that holds the message buffer.
	syscall(SYS_mmap, 0x20000000ul, 0xd000ul, 0x3ul, 0x32ul,
		0xfffffffffffffffful, 0x0ul);
	// socket(AF_NETLINK, SOCK_RAW, NETLINK_RDMA)
	int fd = syscall(SYS_socket, 0x10ul, 0x3ul, 0x14ul, 0, 0, 0);
	// Build an 18-byte netlink message in place: a 16-byte struct nlmsghdr
	// followed by 2 bytes of payload.
	*(uint32_t*)0x200067bb = (uint32_t)0x12;   // nlmsg_len = 18
	// The cast truncates to 0xffff1000, so on x86 nlmsg_type = 0x1000
	// and nlmsg_flags = 0xffff (NLM_F_DUMP among them).
	*(uint32_t*)0x200067bf = (uint32_t)0xffffffffffff1000;
	*(uint64_t*)0x200067c3 = (uint64_t)0x0;    // nlmsg_seq = nlmsg_pid = 0
	*(uint16_t*)0x200067cb = (uint16_t)0x4;    // 2-byte payload
	// write() hands the message to the kernel-side NETLINK_RDMA socket.
	syscall(SYS_write, fd, 0x200067bbul, 0x12ul, 0, 0, 0);
	return 0;
}

general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 3 PID: 7448 Comm: syz-executor Not tainted 4.4.0+ #255
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006a534740 ti: ffff880063240000 task.ti: ffff880063240000
RIP: 0010:[<ffffffff8529bfbb>] [<ffffffff8529bfbb>]
__netlink_ns_capable+0x8b/0x120
RSP: 0018:ffff880063247578 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000079 RSI: ffffffff87597ba0 RDI: 00000000000003c8
RBP: ffff880063247590 R08: ffffed000c4c8f3d R09: ffff8800626479d0
R10: ffffed000c4c8f3e R11: 1ffff1000c4c8f3a R12: ffffffff87597ba0
R13: 000000000000000c R14: ffff880065895400 R15: ffff880063e4d338
FS: 0000000002638880(0063) GS:ffff88006d700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000200067bb CR3: 0000000063149000 CR4: 00000000000006e0
Stack:
ffff880063752100 000000000000000c ffff880065895381 ffff8800632475b0
ffffffff8529c0a5 00000000ffffffff dffffc0000000000 ffff880063247700
ffffffff84986fef 1ffff1000c648ebf ffff880062646b10 0000000000000000
Call Trace:
[< inline >] netlink_ns_capable net/netlink/af_netlink.c:1417
[<ffffffff8529c0a5>] netlink_capable+0x25/0x30 net/netlink/af_netlink.c:1432
[<ffffffff84986fef>] ib_nl_handle_resolve_resp+0xbf/0x910
drivers/infiniband/core/sa_query.c:792
[<ffffffff852a34bd>] netlink_dump+0x38d/0xb20 net/netlink/af_netlink.c:2837
[<ffffffff852a5844>] __netlink_dump_start+0x554/0x7e0
net/netlink/af_netlink.c:2934
[< inline >] netlink_dump_start include/linux/netlink.h:175
[<ffffffff8495ce63>] ibnl_rcv_msg+0x3c3/0x4b0
drivers/infiniband/core/netlink.c:184
[<ffffffff852aded7>] netlink_rcv_skb+0x297/0x390 net/netlink/af_netlink.c:3016
[<ffffffff8495d1ab>] ibnl_rcv+0x25b/0x300 drivers/infiniband/core/netlink.c:226
[< inline >] netlink_unicast_kernel net/netlink/af_netlink.c:1834
[<ffffffff852abd3a>] netlink_unicast+0x47a/0x700 net/netlink/af_netlink.c:1860
[<ffffffff852ad046>] netlink_sendmsg+0x1086/0x1760
net/netlink/af_netlink.c:2511
[< inline >] sock_sendmsg_nosec net/socket.c:611
[<ffffffff85103bba>] sock_sendmsg+0xca/0x110 net/socket.c:621
[<ffffffff85103e16>] sock_write_iter+0x216/0x3a0 net/socket.c:820
[< inline >] new_sync_write fs/read_write.c:517
[<ffffffff8178d122>] __vfs_write+0x302/0x480 fs/read_write.c:530
[<ffffffff8178e9c7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
[< inline >] SYSC_write fs/read_write.c:624
[<ffffffff81791cb1>] SyS_write+0x111/0x220 fs/read_write.c:616
[<ffffffff8626be76>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 9f 00 00 00 48 8b 5b 18 48 b8
00 00 00 00 00 fc ff df 48 8d bb c8 03 00 00 48 89 fa 48 c1 ea 03 <80>
3c 02 00 75 76 48 8b 9b c8 03 00 00 48 b8 00 00 00 00 00 fc
RIP [<ffffffff8529bfbb>] __netlink_ns_capable+0x8b/0x120
net/netlink/af_netlink.c:1399
RSP <ffff880063247578>
---[ end trace 53f9276d885fafc4 ]---

On commit 67990608c8b95d2b8ccc29932376ae73d5818727.
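Added analysis helper, not part of the report above: it rebuilds the 18 bytes the reproducer writes (same offsets, same native-endian stores) and decodes the header with the layout of struct nlmsghdr and the RDMA_NL_GET_CLIENT/RDMA_NL_GET_OP macros. It shows the message selects the RDMA_NL_LS client, the RESOLVE op and NLM_F_DUMP, which is the ibnl_rcv_msg -> netlink_dump_start -> ib_nl_handle_resolve_resp path in the call trace. The constant values are mirrored locally from the uapi headers so the file builds stand-alone; nl_hdr, decoded, decode_repro_message and repro_is_ls_resolve_dump are names chosen here.

```c
#include <stdint.h>
#include <string.h>

/* Layout of struct nlmsghdr (include/uapi/linux/netlink.h), 16 bytes. */
struct nl_hdr {
    uint32_t len;
    uint16_t type;
    uint16_t flags;
    uint32_t seq;
    uint32_t pid;
};

/* Values mirrored from the uapi headers (linux/netlink.h, rdma/rdma_netlink.h)
 * so this builds without kernel headers installed. */
#define NL_F_DUMP             0x300   /* NLM_F_ROOT | NLM_F_MATCH */
#define RDMA_NL_LS            4       /* RDMA netlink "local service" client */
#define RDMA_NL_LS_OP_RESOLVE 0
#define RDMA_NL_GET_CLIENT(t) (((t) & (((1 << 6) - 1) << 10)) >> 10)
#define RDMA_NL_GET_OP(t)     ((t) & ((1 << 10) - 1))

struct decoded { struct nl_hdr hdr; unsigned client, op; int is_dump; };

/* Rebuild the 18 bytes the reproducer stores at 0x200067bb (same native-endian
 * stores, same offsets) and decode the header. Returns 0 on success, -1 if the
 * length field does not fit the buffer. */
static int decode_repro_message(struct decoded *d)
{
    uint8_t buf[0x12] = {0};
    uint32_t w32; uint64_t w64; uint16_t w16;
    w32 = 0x12;                            memcpy(buf + 0,  &w32, 4);
    w32 = (uint32_t)0xffffffffffff1000ull; memcpy(buf + 4,  &w32, 4); /* 0xffff1000 */
    w64 = 0;                               memcpy(buf + 8,  &w64, 8);
    w16 = 0x4;                             memcpy(buf + 16, &w16, 2);

    memcpy(&d->hdr, buf, sizeof d->hdr);
    if (d->hdr.len < sizeof d->hdr || d->hdr.len > sizeof buf) return -1;
    d->client  = RDMA_NL_GET_CLIENT(d->hdr.type);
    d->op      = RDMA_NL_GET_OP(d->hdr.type);
    d->is_dump = (d->hdr.flags & NL_F_DUMP) == NL_F_DUMP;
    return 0;
}

/* True when the message selects the LS client, RESOLVE op and a dump:
 * the ibnl_rcv_msg -> netlink_dump_start path shown in the trace. */
static int repro_is_ls_resolve_dump(void)
{
    struct decoded d;
    if (decode_repro_message(&d) != 0) return 0;
    return d.client == RDMA_NL_LS && d.op == RDMA_NL_LS_OP_RESOLVE && d.is_dump;
}
```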