Re: KASAN: use-after-free Read in l2tp_session_create - Greg Kroah-Hartman

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Dmitry Vyukov <dvyukov@google.com>, stable@vger.kernel.org
Cc: James Chapman <jchapman@katalix.com>,
	David Miller <davem@davemloft.net>,
	"Reshetova, Elena" <elena.reshetova@intel.com>,
	Hans Liljestrand <ishkamiel@gmail.com>,
	Kees Cook <keescook@chromium.org>,
	LKML <linux-kernel@vger.kernel.org>,
	netdev <netdev@vger.kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	Greg Hackmann <ghackmann@google.com>,
	syzbot <syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com>,
	Guillaume Nault <g.nault@alphalink.fr>
Subject: Re: KASAN: use-after-free Read in l2tp_session_create
Date: Fri, 20 Jul 2018 11:49:11 +0200	[thread overview]
Message-ID: <20180720094911.GA24081@kroah.com> (raw)
In-Reply-To: <CACT4Y+YRmX2ROxWZcT4w-NHR76cVV4_U6-Y0T=x4on67r8dNzQ@mail.gmail.com>

On Fri, Jul 20, 2018 at 10:00:34AM +0200, Dmitry Vyukov wrote:
> On Fri, Jul 20, 2018 at 9:53 AM, James Chapman <jchapman@katalix.com> wrote:
> > On 18/07/18 12:00, Dmitry Vyukov wrote:
> >> On Tue, Jan 16, 2018 at 7:29 PM, syzbot
> >> <syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com> wrote:
> >>> Hello,
> >>>
> >>> syzkaller hit the following crash on
> >>> a8750ddca918032d6349adbf9a4b6555e7db20da
> >>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> >>> compiler: gcc (GCC) 7.1.1 20170620
> >>> .config is attached
> >>> Raw console output is attached.
> >>> Unfortunately, I don't have any reproducer for this bug yet.
> >>>
> >>>
> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >>> Reported-by: syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com
> >>> It will help syzbot understand when the bug is fixed. See footer for
> >>> details.
> >>> If you forward the report, please keep this part and the footer.
> >>
> >> James,
> >>
> >> Did you fix this? You asked syzbot to test a fix for this bug some time ago.
> >> If yes, did you include the Reported-by tag in the commit? This bug is
> >> still considered open by syzbot. But it stopped happening ~4 months
> >> ago:
> >
> > Yes, I think this has been fixed now. I think it was fixed by
> > Guillaume's 6b9f34239b00e6956a267abed2bc559ede556ad6 that was actually
> > to fix another syzbot bug fbeeb5c3b538e8545644 which looks similar to
> > this one.
> >
> >> https://syzkaller.appspot.com/bug?id=6fed0854381422329e78d7e16fb9cf4af8c9aef1
> >> We are also seeing these crashes in 4.4 and 4.9, it would be good to
> >> backport the fix.
> >
> > It looks like 6b9f34239b00e6956a267abed2bc559ede556ad6 hasn't made it to
> > 4.9 or 4.4.
> 
> Thanks for the update!
> 
> Let's tell syzbot that this is fixed:
> 
> #syz fix: l2tp: fix races in tunnel creation
> 
> Greg H: so this is probably the patch we need.
> 
> +Greg KH: I think we need this in stable, we hit this in both 4.4 and 4.9.

It's also needed in 4.14.y.  But it doesn't apply to any of those kernel
trees cleanly, can someone please provide a working backport?

thanks,

greg k-h