linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Taehee Yoo <ap420073@gmail.com>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 104/105] gtp: fix use-after-free in gtp_newlink()
Date: Mon, 15 Jul 2019 10:28:38 -0400	[thread overview]
Message-ID: <20190715142839.9896-104-sashal@kernel.org> (raw)
In-Reply-To: <20190715142839.9896-1-sashal@kernel.org>

From: Taehee Yoo <ap420073@gmail.com>

[ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ]

Current gtp_newlink() could be called after unregister_pernet_subsys().
gtp_newlink() uses gtp_net but it can be destroyed by
unregister_pernet_subsys().
So unregister_pernet_subsys() should be called after
rtnl_link_unregister().

Test commands:
   #SHELL 1
   while :
   do
	   for i in {1..5}
	   do
		./gtp-link add gtp$i &
	   done
	   killall gtp-link
   done

   #SHELL 2
   while :
   do
	modprobe -rv gtp
   done

Splat looks like:
[  753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp]
[  753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126
[  753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G        W         5.2.0-rc6+ #50
[  753.185801] Call Trace:
[  753.186264]  dump_stack+0x7c/0xbb
[  753.186863]  ? gtp_newlink+0x9b4/0xa5c [gtp]
[  753.187583]  print_address_description+0xc7/0x240
[  753.188382]  ? gtp_newlink+0x9b4/0xa5c [gtp]
[  753.189097]  ? gtp_newlink+0x9b4/0xa5c [gtp]
[  753.189846]  __kasan_report+0x12a/0x16f
[  753.190542]  ? gtp_newlink+0x9b4/0xa5c [gtp]
[  753.191298]  kasan_report+0xe/0x20
[  753.191893]  gtp_newlink+0x9b4/0xa5c [gtp]
[  753.192580]  ? __netlink_ns_capable+0xc3/0xf0
[  753.193370]  __rtnl_newlink+0xb9f/0x11b0
[ ... ]
[  753.241201] Allocated by task 7186:
[  753.241844]  save_stack+0x19/0x80
[  753.242399]  __kasan_kmalloc.constprop.3+0xa0/0xd0
[  753.243192]  __kmalloc+0x13e/0x300
[  753.243764]  ops_init+0xd6/0x350
[  753.244314]  register_pernet_operations+0x249/0x6f0
[ ... ]
[  753.251770] Freed by task 7178:
[  753.252288]  save_stack+0x19/0x80
[  753.252833]  __kasan_slab_free+0x111/0x150
[  753.253962]  kfree+0xc7/0x280
[  753.254509]  ops_free_list.part.11+0x1c4/0x2d0
[  753.255241]  unregister_pernet_operations+0x262/0x390
[ ... ]
[  753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next.
[  753.287241] ------------[ cut here ]------------
[  753.287794] kernel BUG at lib/list_debug.c:25!
[  753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G    B   W         5.2.0-rc6+ #50
[  753.291036] RIP: 0010:__list_add_valid+0x74/0xd0
[  753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b
[  753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286
[  753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000
[  753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69
[  753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21
[  753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878
[  753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458
[  753.299564] FS:  00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000
[  753.300533] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0
[  753.302183] Call Trace:
[  753.302530]  gtp_newlink+0x5f6/0xa5c [gtp]
[  753.303037]  ? __netlink_ns_capable+0xc3/0xf0
[  753.303576]  __rtnl_newlink+0xb9f/0x11b0
[  753.304092]  ? rtnl_link_unregister+0x230/0x230

Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/gtp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index 53fd66534e3a..5de4053774b8 100644
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -1383,9 +1383,9 @@ late_initcall(gtp_init);
 
 static void __exit gtp_fini(void)
 {
-	unregister_pernet_subsys(&gtp_net_ops);
 	genl_unregister_family(&gtp_genl_family);
 	rtnl_link_unregister(&gtp_link_ops);
+	unregister_pernet_subsys(&gtp_net_ops);
 
 	pr_info("GTP module unloaded\n");
 }
-- 
2.20.1


  parent reply	other threads:[~2019-07-15 14:37 UTC|newest]

Thread overview: 107+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-15 14:26 [PATCH AUTOSEL 4.14 001/105] wil6210: fix potential out-of-bounds read Sasha Levin
2019-07-15 14:26 ` [PATCH AUTOSEL 4.14 002/105] ath10k: Do not send probe response template for mesh Sasha Levin
2019-07-15 14:26 ` [PATCH AUTOSEL 4.14 003/105] ath9k: Check for errors when reading SREV register Sasha Levin
2019-07-15 14:26 ` [PATCH AUTOSEL 4.14 004/105] ath6kl: add some bounds checking Sasha Levin
2019-07-15 14:26 ` [PATCH AUTOSEL 4.14 005/105] x86/tsc: Use CPUID.0x16 to calculate missing crystal frequency Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 006/105] ath: DFS JP domain W56 fixed pulse type 3 RADAR detection Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 007/105] batman-adv: fix for leaked TVLV handler Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 008/105] media: dvb: usb: fix use after free in dvb_usb_device_exit Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 009/105] media: spi: IR LED: add missing of table registration Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 010/105] crypto: talitos - fix skcipher failure due to wrong output IV Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 011/105] media: marvell-ccic: fix DMA s/g desc number calculation Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 012/105] media: vpss: fix a potential NULL pointer dereference Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 013/105] media: media_device_enum_links32: clean a reserved field Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 014/105] net: stmmac: dwmac1000: Clear unused address entries Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 015/105] net: stmmac: dwmac4/5: " Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 016/105] qed: Set the doorbell address correctly Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 017/105] signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 018/105] signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 019/105] af_key: fix leaks in key_pol_get_resp and dump_sp Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 020/105] xfrm: Fix xfrm sel prefix length validation Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 021/105] fscrypt: clean up some BUG_ON()s in block encryption/decryption Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 022/105] Revert "e1000e: fix cyclic resets at link up with active tx" Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 023/105] e1000e: start network tx queue only when link is up Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 024/105] media: mc-device.c: don't memset __user pointer contents Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 025/105] media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 026/105] net: phy: Check against net_device being NULL Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 027/105] crypto: talitos - properly handle split ICV Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 028/105] crypto: talitos - Align SEC1 accesses to 32 bits boundaries Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 029/105] tua6100: Avoid build warnings Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 030/105] locking/lockdep: Fix merging of hlocks with non-zero references Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 031/105] media: wl128x: Fix some error handling in fm_v4l2_init_video_device() Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 032/105] cpupower : frequency-set -r option misses the last cpu in related cpu list Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 033/105] net: stmmac: dwmac4: fix flow control issue Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 034/105] net: fec: Do not use netdev messages too early Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 035/105] net: axienet: Fix race condition causing TX hang Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 036/105] s390/qdio: handle PENDING state for QEBSM devices Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 037/105] RAS/CEC: Fix pfn insertion Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 038/105] net: sfp: add mutex to prevent concurrent state checks Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 039/105] ipset: Fix memory accounting for hash types on resize Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 040/105] perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 041/105] perf test 6: Fix missing kvm module load for s390 Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 042/105] media: fdp1: Support M3N and E3 platforms Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 043/105] iommu: Fix a leak in iommu_insert_resv_region Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 044/105] gpio: omap: fix lack of irqstatus_raw0 for OMAP4 Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 045/105] gpio: omap: ensure irq is enabled before wakeup Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 046/105] regmap: fix bulk writes on paged registers Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 047/105] bpf: silence warning messages in core Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 048/105] rcu: Force inlining of rcu_read_lock() Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 049/105] x86/cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 050/105] blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 051/105] xfrm: fix sa selector validation Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 052/105] sched/core: Add __sched tag for io_schedule() Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 053/105] sched/fair: Fix "runnable_avg_yN_inv" not used warnings Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 054/105] x86/atomic: Fix smp_mb__{before,after}_atomic() Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 055/105] perf evsel: Make perf_evsel__name() accept a NULL argument Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 056/105] vhost_net: disable zerocopy by default Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 057/105] ipoib: correcly show a VF hardware address Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 058/105] EDAC/sysfs: Fix memory leak when creating a csrow object Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 059/105] ipsec: select crypto ciphers for xfrm_algo Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 060/105] ipvs: defer hook registration to avoid leaks Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 061/105] media: s5p-mfc: Make additional clocks optional Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 062/105] media: i2c: fix warning same module names Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 063/105] ntp: Limit TAI-UTC offset Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 064/105] timer_list: Guard procfs specific code Sasha Levin
2019-07-15 14:27 ` [PATCH AUTOSEL 4.14 065/105] acpi/arm64: ignore 5.1 FADTs that are reported as 5.0 Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 066/105] media: coda: fix mpeg2 sequence number handling Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 067/105] media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 068/105] media: coda: increment sequence offset for the last returned frame Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 069/105] media: vimc: cap: check v4l2_fill_pixfmt return value Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 070/105] media: hdpvr: fix locking and a missing msleep Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 071/105] rtlwifi: rtl8192cu: fix error handle when usb probe failed Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 072/105] mt7601u: do not schedule rx_tasklet when the device has been disconnected Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 073/105] x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 074/105] mt7601u: fix possible memory leak when the device is disconnected Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 075/105] ipvs: fix tinfo memory leak in start_sync_thread Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 076/105] ath10k: add missing error handling Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 077/105] ath10k: fix PCIE device wake up failed Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 078/105] perf tools: Increase MAX_NR_CPUS and MAX_CACHES Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 079/105] libata: don't request sense data on !ZAC ATA devices Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 080/105] clocksource/drivers/exynos_mct: Increase priority over ARM arch timer Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 081/105] rslib: Fix decoding of shortened codes Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 082/105] rslib: Fix handling of of caller provided syndrome Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 083/105] ixgbe: Check DDM existence in transceiver before access Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 084/105] crypto: serpent - mark __serpent_setkey_sbox noinline Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 085/105] crypto: asymmetric_keys - select CRYPTO_HASH where needed Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 086/105] PCI / ACPI: Use cached ACPI device state to get PCI device power state Sasha Levin
2019-07-16  9:22   ` Rafael J. Wysocki
2019-07-22  0:40     ` Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 087/105] EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 088/105] bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush() Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 089/105] net: hns3: fix a -Wformat-nonliteral compile warning Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 090/105] net: hns3: add some error checking in hclge_tm module Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 091/105] ath10k: destroy sdio workqueue while remove sdio module Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 092/105] iwlwifi: mvm: Drop large non sta frames Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 093/105] perf stat: Make metric event lookup more robust Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 094/105] net: usb: asix: init MAC address buffers Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 095/105] gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 096/105] Bluetooth: hci_bcsp: Fix memory leak in rx_skb Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 097/105] Bluetooth: 6lowpan: search for destination address in all peers Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 098/105] Bluetooth: Check state in l2cap_disconnect_rsp Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 099/105] gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable() Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 100/105] Bluetooth: validate BLE connection interval updates Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 101/105] gtp: fix suspicious RCU usage Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 102/105] gtp: fix Illegal context switch in RCU read-side critical section Sasha Levin
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 103/105] gtp: fix use-after-free in gtp_encap_destroy() Sasha Levin
2019-07-15 14:28 ` Sasha Levin [this message]
2019-07-15 14:28 ` [PATCH AUTOSEL 4.14 105/105] net: mvmdio: defer probe of orion-mdio if a clock is not ready Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190715142839.9896-104-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=ap420073@gmail.com \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=osmocom-net-gprs@lists.osmocom.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).