From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Yuejie Shi <syjcnss@gmail.com>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Mark Salyzyn <salyzyn@android.com>
Subject: [PATCH 3.18 01/92] af_key: Add lock to key dump
Date: Wed,  9 Aug 2017 13:36:29 -0700	[thread overview]
Message-ID: <20170809202155.503295889@linuxfoundation.org> (raw)
In-Reply-To: <20170809202155.435709888@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuejie Shi <syjcnss@gmail.com>

commit 89e357d83c06b6fac581c3ca7f0ee3ae7e67109e upstream.

A second dump request can arrive on the same PF_KEY socket while an earlier dump is still in progress and overwrite the socket's dump state (pfk->dump) underneath it. This race ends in a NULL pointer dereference in the kernel, so serialize dump setup and dump progress with a per-socket mutex.

Fixes: 83321d6b9872 ("[AF_KEY]: Dump SA/SP entries non-atomically")
Signed-off-by: Yuejie Shi <syjcnss@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/key/af_key.c |   46 ++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 38 insertions(+), 8 deletions(-)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -63,6 +63,7 @@ struct pfkey_sock {
 		} u;
 		struct sk_buff	*skb;
 	} dump;
+	struct mutex dump_lock;
 };
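Review bot: The new `dump_lock` member has no comment saying what it protects, which matters because the rest of the patch relies on the invariant that `dump.dump` and the other `dump` fields are only read and written with this mutex held. A one-line comment next to the field would fix that: `struct mutex dump_lock;	/* serializes dump setup/progress; protects the dump members above */`. The `struct pfkey_sock` definition starts outside this hunk.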
 
 static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,
@@ -143,6 +144,7 @@ static int pfkey_create(struct net *net,
 {
 	struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
 	struct sock *sk;
+	struct pfkey_sock *pfk;
 	int err;
 
 	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
@@ -157,6 +159,9 @@ static int pfkey_create(struct net *net,
 	if (sk == NULL)
 		goto out;
 
+	pfk = pfkey_sk(sk);
+	mutex_init(&pfk->dump_lock);
+
 	sock->ops = &pfkey_ops;
 	sock_init_data(sock, sk);
 
@@ -285,13 +290,23 @@ static int pfkey_do_dump(struct pfkey_so
 	struct sadb_msg *hdr;
 	int rc;
 
+	mutex_lock(&pfk->dump_lock);
+	if (!pfk->dump.dump) {
+		rc = 0;
+		goto out;
+	}
+
 	rc = pfk->dump.dump(pfk);
-	if (rc == -ENOBUFS)
-		return 0;
+	if (rc == -ENOBUFS) {
+		rc = 0;
+		goto out;
+	}
 
 	if (pfk->dump.skb) {
-		if (!pfkey_can_dump(&pfk->sk))
-			return 0;
+		if (!pfkey_can_dump(&pfk->sk)) {
+			rc = 0;
+			goto out;
+		}
 
 		hdr = (struct sadb_msg *) pfk->dump.skb->data;
 		hdr->sadb_msg_seq = 0;
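Review bot: The new early exit `if (!pfk->dump.dump) { rc = 0; goto out; }` silently turns a "no dump in progress" call into success, and nothing says why that is the right answer; a comment such as `/* Dump already completed or terminated by a concurrent caller; nothing left to do. */` would save the next reader from treating it as a bug. Note also that `dump_lock` is now held across the whole `pfk->dump.dump(pfk)` call, i.e. across the xfrm state/policy walk and whatever it broadcasts, so any path reachable from those callbacks that tried to take `dump_lock` for the same socket would deadlock — presumably none does, but that is the constraint this hunk introduces and it is worth stating near the `mutex_lock()`. The function continues past the end of this hunk.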
@@ -302,6 +317,9 @@ static int pfkey_do_dump(struct pfkey_so
 	}
 
 	pfkey_terminate_dump(pfk);
+
+out:
+	mutex_unlock(&pfk->dump_lock);
 	return rc;
 }
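Review bot: `pfkey_terminate_dump(pfk)` is now called with `dump_lock` held, so its body (outside this hunk) must not acquire the same mutex, and any other callers of it elsewhere in the file, if they exist, still run without the lock and therefore rely on being mutually exclusive with pfkey_do_dump() by other means. A short comment above the call, `/* Called with pfk->dump_lock held; clears dump.dump so concurrent callers see the dump as finished. */`, would document that contract — the "clears dump.dump" part is inferred from the new NULL check at the top of the function and should be confirmed against the helper's body.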
 
@@ -1805,19 +1823,26 @@ static int pfkey_dump(struct sock *sk, s
 	struct xfrm_address_filter *filter = NULL;
 	struct pfkey_sock *pfk = pfkey_sk(sk);
 
-	if (pfk->dump.dump != NULL)
+	mutex_lock(&pfk->dump_lock);
+	if (pfk->dump.dump != NULL) {
+		mutex_unlock(&pfk->dump_lock);
 		return -EBUSY;
+	}
 
 	proto = pfkey_satype2proto(hdr->sadb_msg_satype);
-	if (proto == 0)
+	if (proto == 0) {
+		mutex_unlock(&pfk->dump_lock);
 		return -EINVAL;
+	}
 
 	if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
 		struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];
 
 		filter = kmalloc(sizeof(*filter), GFP_KERNEL);
-		if (filter == NULL)
+		if (filter == NULL) {
+			mutex_unlock(&pfk->dump_lock);
 			return -ENOMEM;
+		}
 
 		memcpy(&filter->saddr, &xfilter->sadb_x_filter_saddr,
 		       sizeof(xfrm_address_t));
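Review bot: Style point: this hunk adds three separate `mutex_unlock(&pfk->dump_lock); return -E...;` sites, whereas pfkey_do_dump() in the same patch uses the kernel's usual `goto out` unwind. Setting `err` and jumping to a single `out_unlock:` label that does `mutex_unlock(&pfk->dump_lock); return err;` would be consistent with that and leave only one place to get the unlock right if more validation is added later. The function continues beyond this hunk, so the label would sit at its end.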
@@ -1833,6 +1858,7 @@ static int pfkey_dump(struct sock *sk, s
 	pfk->dump.dump = pfkey_dump_sa;
 	pfk->dump.done = pfkey_dump_sa_done;
 	xfrm_state_walk_init(&pfk->dump.u.state, proto, filter);
+	mutex_unlock(&pfk->dump_lock);
 
 	return pfkey_do_dump(pfk);
 }
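Review bot: `dump_lock` is released on the line before `return pfkey_do_dump(pfk);`, so another caller (e.g. a concurrent receive on the same socket) may run pfkey_do_dump() — and possibly finish and terminate the dump — before this thread reaches it. That is only harmless because pfkey_do_dump() re-checks `pfk->dump.dump` under the lock and returns 0 when it is gone, so the dependency deserves a comment here: `/* pfkey_do_dump() takes dump_lock itself and re-validates dump.dump, so the lock must be dropped first. */`. The start of pfkey_dump() is outside this hunk.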
@@ -2692,14 +2718,18 @@ static int pfkey_spddump(struct sock *sk
 {
 	struct pfkey_sock *pfk = pfkey_sk(sk);
 
-	if (pfk->dump.dump != NULL)
+	mutex_lock(&pfk->dump_lock);
+	if (pfk->dump.dump != NULL) {
+		mutex_unlock(&pfk->dump_lock);
 		return -EBUSY;
+	}
 
 	pfk->dump.msg_version = hdr->sadb_msg_version;
 	pfk->dump.msg_portid = hdr->sadb_msg_pid;
 	pfk->dump.dump = pfkey_dump_sp;
 	pfk->dump.done = pfkey_dump_sp_done;
 	xfrm_policy_walk_init(&pfk->dump.u.policy, XFRM_POLICY_TYPE_MAIN);
+	mutex_unlock(&pfk->dump_lock);
 
 	return pfkey_do_dump(pfk);
 }
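Review bot: pfkey_spddump() now duplicates the locked "busy check, fill in `pfk->dump`, unlock, call pfkey_do_dump()" sequence that pfkey_dump() also gained in this patch, so the two -EBUSY paths and the unlock-before-dump ordering have to be kept in sync by hand. A small shared helper for the busy check under the lock (or at least the same `out_unlock` unwind shape in both functions) would reduce that surface; this is a structure suggestion, not a correctness issue, since the lock/unlock pairing in the visible lines is balanced on every path.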
