From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Liu Jian <liujian56@huawei.com>,
"David S. Miller" <davem@davemloft.net>,
Lee Jones <lee.jones@linaro.org>
Subject: [PATCH 5.4 22/37] igmp: Add ip_mc_list lock in ip_check_mc_rcu
Date: Fri, 10 Sep 2021 14:30:25 +0200 [thread overview]
Message-ID: <20210910122917.893921909@linuxfoundation.org> (raw)
In-Reply-To: <20210910122917.149278545@linuxfoundation.org>
From: Liu Jian <liujian56@huawei.com>
commit 23d2b94043ca8835bd1e67749020e839f396a1c2 upstream.
I got below panic when doing fuzz test:
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 4056 Comm: syz-executor.3 Tainted: G B 5.14.0-rc1-00195-gcff5c4254439-dirty #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x7a/0x9b
panic+0x2cd/0x5af
end_report.cold+0x5a/0x5a
kasan_report+0xec/0x110
ip_check_mc_rcu+0x556/0x5d0
__mkroute_output+0x895/0x1740
ip_route_output_key_hash_rcu+0x2d0/0x1050
ip_route_output_key_hash+0x182/0x2e0
ip_route_output_flow+0x28/0x130
udp_sendmsg+0x165d/0x2280
udpv6_sendmsg+0x121e/0x24f0
inet6_sendmsg+0xf7/0x140
sock_sendmsg+0xe9/0x180
____sys_sendmsg+0x2b8/0x7a0
___sys_sendmsg+0xf0/0x160
__sys_sendmmsg+0x17e/0x3c0
__x64_sys_sendmmsg+0x9e/0x100
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x462eb9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8
48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48>
3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3df5af1c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462eb9
RDX: 0000000000000312 RSI: 0000000020001700 RDI: 0000000000000007
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3df5af26bc
R13: 00000000004c372d R14: 0000000000700b10 R15: 00000000ffffffff
It is one use-after-free in ip_check_mc_rcu.
In ip_mc_del_src, the ip_sf_list of pmc has been freed under pmc->lock protection.
But access to ip_sf_list in ip_check_mc_rcu is not protected by the lock.
Signed-off-by: Liu Jian <liujian56@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/igmp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -2730,6 +2730,7 @@ int ip_check_mc_rcu(struct in_device *in
rv = 1;
} else if (im) {
if (src_addr) {
+ spin_lock_bh(&im->lock);
for (psf = im->sources; psf; psf = psf->sf_next) {
if (psf->sf_inaddr == src_addr)
break;
@@ -2740,6 +2741,7 @@ int ip_check_mc_rcu(struct in_device *in
im->sfcount[MCAST_EXCLUDE];
else
rv = im->sfcount[MCAST_EXCLUDE] != 0;
+ spin_unlock_bh(&im->lock);
} else
rv = 1; /* unspecified source; tentatively allow */
}
next prev parent reply other threads:[~2021-09-10 12:36 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-10 12:30 [PATCH 5.4 00/37] 5.4.145-rc1 review Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 01/37] ext4: fix race writing to an inline_data file while its xattrs are changing Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 02/37] fscrypt: add fscrypt_symlink_getattr() for computing st_size Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 03/37] ext4: report correct st_size for encrypted symlinks Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 04/37] f2fs: " Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 05/37] ubifs: " Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 06/37] kthread: Fix PF_KTHREAD vs to_kthread() race Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 07/37] xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 08/37] gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar U/V formats Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 09/37] reset: reset-zynqmp: Fixed the argument data type Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 10/37] qed: Fix the VF msix vectors flow Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 11/37] net: macb: Add a NULL check on desc_ptp Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 12/37] qede: Fix memset corruption Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 13/37] perf/x86/intel/pt: Fix mask of num_address_ranges Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 14/37] perf/x86/amd/ibs: Work around erratum #1197 Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 15/37] perf/x86/amd/power: Assign pmu.module Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 16/37] cryptoloop: add a deprecation warning Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 17/37] ARM: 8918/2: only build return_address() if needed Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 18/37] ALSA: hda/realtek: Workaround for conflicting SSID on ASUS ROG Strix G17 Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 19/37] ALSA: pcm: fix divide error in snd_pcm_lib_ioctl Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 20/37] ARC: wireup clone3 syscall Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 21/37] media: stkwebcam: fix memory leak in stk_camera_probe Greg Kroah-Hartman
2021-09-10 12:30 ` Greg Kroah-Hartman [this message]
2021-09-10 12:30 ` [PATCH 5.4 23/37] USB: serial: mos7720: improve OOM-handling in read_mos_reg() Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 24/37] ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2) Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 25/37] powerpc/boot: Delete unneeded .globl _zimage_start Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 26/37] net: ll_temac: Remove left-over debug message Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 27/37] mm/page_alloc: speed up the iteration of max_order Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 28/37] Revert "r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM" Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 29/37] x86/events/amd/iommu: Fix invalid Perf result due to IOMMU PMC power-gating Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 30/37] Revert "btrfs: compression: dont try to compress if we dont have enough pages" Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 31/37] ALSA: usb-audio: Add registration quirk for JBL Quantum 800 Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 32/37] usb: host: xhci-rcar: Dont reload firmware after the completion Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 33/37] usb: mtu3: use @mult for HS isoc or intr Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 34/37] usb: mtu3: fix the wrong HS mult value Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 35/37] xhci: fix unsafe memory usage in xhci tracing Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 36/37] x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 37/37] PCI: Call Max Payload Size-related fixup quirks early Greg Kroah-Hartman
2021-09-10 18:45 ` [PATCH 5.4 00/37] 5.4.145-rc1 review Florian Fainelli
2021-09-10 23:18 ` Shuah Khan
2021-09-11 6:11 ` Samuel Zou
2021-09-11 15:58 ` Sudip Mukherjee
2021-09-11 19:37 ` Guenter Roeck
2021-09-12 0:50 ` Daniel Díaz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210910122917.893921909@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=lee.jones@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liujian56@huawei.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).