LKML Archive on lore.kernel.org
 help / color / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Cong Wang <xiyou.wangcong@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	syzbot+ae6bb869cbed29b29040@syzkaller.appspotmail.com
Subject: [PATCH 4.4 16/88] ax25: fix a use-after-free in ax25_fillin_cb()
Date: Fri, 11 Jan 2019 15:07:45 +0100
Message-ID: <20190111131048.530410589@linuxfoundation.org> (raw)
In-Reply-To: <20190111131045.137499039@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit c433570458e49bccea5c551df628d058b3526289 ]

There are multiple issues here:

1. After freeing dev->ax25_ptr, we need to set it to NULL otherwise
   we may use a dangling pointer.

2. There is a race between ax25_setsockopt() and device notifier as
   reported by syzbot. Close it by holding RTNL lock.

3. We need to test if dev->ax25_ptr is NULL before using it.

Reported-and-tested-by: syzbot+ae6bb869cbed29b29040@syzkaller.appspotmail.com
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ax25/af_ax25.c  |   11 +++++++++--
 net/ax25/ax25_dev.c |    2 ++
 2 files changed, 11 insertions(+), 2 deletions(-)

--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -654,15 +654,22 @@ static int ax25_setsockopt(struct socket
 			break;
 		}
 
-		dev = dev_get_by_name(&init_net, devname);
+		rtnl_lock();
+		dev = __dev_get_by_name(&init_net, devname);
 		if (!dev) {
+			rtnl_unlock();
 			res = -ENODEV;
 			break;
 		}
 
 		ax25->ax25_dev = ax25_dev_ax25dev(dev);
+		if (!ax25->ax25_dev) {
+			rtnl_unlock();
+			res = -ENODEV;
+			break;
+		}
 		ax25_fillin_cb(ax25, ax25->ax25_dev);
-		dev_put(dev);
+		rtnl_unlock();
 		break;
 
 	default:
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_dev
 	if ((s = ax25_dev_list) == ax25_dev) {
 		ax25_dev_list = s->next;
 		spin_unlock_bh(&ax25_dev_lock);
+		dev->ax25_ptr = NULL;
 		dev_put(dev);
 		kfree(ax25_dev);
 		return;
@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_dev
 		if (s->next == ax25_dev) {
 			s->next = ax25_dev->next;
 			spin_unlock_bh(&ax25_dev_lock);
+			dev->ax25_ptr = NULL;
 			dev_put(dev);
 			kfree(ax25_dev);
 			return;



  parent reply index

Thread overview: 102+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-11 14:07 [PATCH 4.4 00/88] 4.4.170-stable review Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 01/88] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 02/88] xhci: Dont prevent USB2 bus suspend in state check intended for USB3 only Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 03/88] USB: serial: option: add GosunCn ZTE WeLink ME3630 Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 04/88] USB: serial: option: add HP lt4132 Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 05/88] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 06/88] USB: serial: option: add Fibocom NL668 series Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 07/88] USB: serial: option: add Telit LN940 series Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 08/88] mmc: core: Reset HPI enabled state during re-init and in case of errors Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 09/88] mmc: omap_hsmmc: fix DMA API warning Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 10/88] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 11/88] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 12/88] x86/mtrr: Dont copy uninitialized gentry fields back to userspace Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 13/88] drm/ioctl: Fix Spectre v1 vulnerabilities Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 14/88] ip6mr: Fix potential Spectre v1 vulnerability Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 15/88] ipv4: " Greg Kroah-Hartman
2019-01-11 14:07 ` Greg Kroah-Hartman [this message]
2019-01-11 14:07 ` [PATCH 4.4 17/88] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 18/88] ieee802154: lowpan_header_create check must check daddr Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 19/88] ipv6: explicitly initialize udp6_addr in udp_sock_create6() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 20/88] isdn: fix kernel-infoleak in capi_unlocked_ioctl Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 21/88] netrom: fix locking in nr_find_socket() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 22/88] packet: validate address length Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 23/88] packet: validate address length if non-zero Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 24/88] sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 25/88] vhost: make sure used idx is seen before log in vhost_add_used_n() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 26/88] VSOCK: Send reset control packet when socket is partially bound Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 27/88] xen/netfront: tolerate frags with no data Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 28/88] gro_cell: add napi_disable in gro_cells_destroy Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 29/88] sock: Make sock->sk_stamp thread-safe Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 4.4 30/88] ALSA: rme9652: Fix potential Spectre v1 vulnerability Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 31/88] ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 32/88] ALSA: pcm: Fix potential Spectre v1 vulnerability Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 33/88] ALSA: emux: Fix potential Spectre v1 vulnerabilities Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 34/88] ALSA: hda: add mute LED support for HP EliteBook 840 G4 Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 35/88] ALSA: hda/tegra: clear pending irq handlers Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 36/88] USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 37/88] USB: serial: option: add Fibocom NL678 series Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 38/88] usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 39/88] Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 40/88] KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 41/88] perf pmu: Suppress potential format-truncation warning Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 42/88] ext4: fix possible use after free in ext4_quota_enable Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 43/88] ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 44/88] ext4: fix EXT4_IOC_GROUP_ADD ioctl Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 45/88] ext4: force inode writes when nfsd calls commit_metadata() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 46/88] spi: bcm2835: Fix race on DMA termination Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 47/88] spi: bcm2835: Fix book-keeping of " Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 48/88] spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 49/88] cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 50/88] media: vivid: free bitmap_cap when updating std/timings/etc Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 51/88] MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 52/88] MIPS: Align kernel load address to 64KB Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 53/88] CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 54/88] x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 55/88] spi: bcm2835: Unbreak the build of esoteric configs Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 56/88] powerpc: Fix COFF zImage booting on old powermacs Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 57/88] ARM: imx: update the cpu power up timing setting on i.mx6sx Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 58/88] Input: restore EV_ABS ABS_RESERVED Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 59/88] checkstack.pl: fix for aarch64 Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 60/88] xfrm: Fix bucket count reported to userspace Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 61/88] scsi: bnx2fc: Fix NULL dereference in error handling Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 62/88] Input: omap-keypad - fix idle configuration to not block SoC idle states Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 63/88] scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 64/88] fork: record start_time late Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 65/88] hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 66/88] mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 67/88] mm, devm_memremap_pages: kill mapping "System RAM" support Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 68/88] sunrpc: fix cache_head leak due to queued request Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 69/88] sunrpc: use SVC_NET() in svcauth_gss_* functions Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 70/88] crypto: x86/chacha20 - avoid sleeping with preemption disabled Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 71/88] block: break discard submissions into the user defined size Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 72/88] block: dont deal with discard limit in blkdev_issue_discard() Greg Kroah-Hartman
2019-01-11 14:25   ` Mike Snitzer
2019-01-11 14:34     ` Mike Snitzer
2019-01-11 14:35     ` Greg Kroah-Hartman
2019-01-11 15:06       ` Mike Snitzer
2019-01-11 15:17         ` Greg Kroah-Hartman
2019-01-11 15:23           ` Mike Snitzer
2019-01-11 15:44             ` Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 73/88] ALSA: cs46xx: Potential NULL dereference in probe Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 74/88] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 75/88] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 76/88] dlm: fixed memory leaks after failed ls_remove_names allocation Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 77/88] dlm: possible memory leak on error path in create_lkb() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 78/88] dlm: lost put_lkb on error path in receive_convert() and receive_unlock() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 79/88] dlm: memory leaks on error path in dlm_user_request() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 80/88] gfs2: Fix loop in gfs2_rbm_find Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 81/88] b43: Fix error in cordic routine Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 82/88] 9p/net: put a lower bound on msize Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 83/88] iommu/vt-d: Handle domain agaw being less than iommu agaw Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 84/88] ceph: dont update importing caps mseq when handing cap export Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 85/88] genwqe: Fix size check Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 86/88] intel_th: msu: Fix an off-by-one in attribute store Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 87/88] power: supply: olpc_battery: correct the temperature units Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 4.4 88/88] vhost/vsock: fix uninitialized vhost_vsock->guest_cid Greg Kroah-Hartman
2019-01-11 14:33   ` Greg Kroah-Hartman
2019-01-11 21:46 ` [PATCH 4.4 00/88] 4.4.170-stable review shuah
2019-01-12  8:06 ` Naresh Kamboju
2019-01-12 14:57 ` Harsh Shandilya
2019-01-12 15:46   ` Greg Kroah-Hartman
2019-01-12 17:42 ` Guenter Roeck

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190111131048.530410589@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+ae6bb869cbed29b29040@syzkaller.appspotmail.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org linux-kernel@archiver.kernel.org
	public-inbox-index lkml


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/ public-inbox