From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Taehee Yoo <ap420073@gmail.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.2 247/249] gtp: fix use-after-free in gtp_newlink()
Date: Mon, 15 Jul 2019 09:46:52 -0400 [thread overview]
Message-ID: <20190715134655.4076-247-sashal@kernel.org> (raw)
In-Reply-To: <20190715134655.4076-1-sashal@kernel.org>
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ]
Current gtp_newlink() could be called after unregister_pernet_subsys().
gtp_newlink() uses gtp_net but it can be destroyed by
unregister_pernet_subsys().
So unregister_pernet_subsys() should be called after
rtnl_link_unregister().
Test commands:
#SHELL 1
while :
do
for i in {1..5}
do
./gtp-link add gtp$i &
done
killall gtp-link
done
#SHELL 2
while :
do
modprobe -rv gtp
done
Splat looks like:
[ 753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126
[ 753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G W 5.2.0-rc6+ #50
[ 753.185801] Call Trace:
[ 753.186264] dump_stack+0x7c/0xbb
[ 753.186863] ? gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.187583] print_address_description+0xc7/0x240
[ 753.188382] ? gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.189097] ? gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.189846] __kasan_report+0x12a/0x16f
[ 753.190542] ? gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.191298] kasan_report+0xe/0x20
[ 753.191893] gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.192580] ? __netlink_ns_capable+0xc3/0xf0
[ 753.193370] __rtnl_newlink+0xb9f/0x11b0
[ ... ]
[ 753.241201] Allocated by task 7186:
[ 753.241844] save_stack+0x19/0x80
[ 753.242399] __kasan_kmalloc.constprop.3+0xa0/0xd0
[ 753.243192] __kmalloc+0x13e/0x300
[ 753.243764] ops_init+0xd6/0x350
[ 753.244314] register_pernet_operations+0x249/0x6f0
[ ... ]
[ 753.251770] Freed by task 7178:
[ 753.252288] save_stack+0x19/0x80
[ 753.252833] __kasan_slab_free+0x111/0x150
[ 753.253962] kfree+0xc7/0x280
[ 753.254509] ops_free_list.part.11+0x1c4/0x2d0
[ 753.255241] unregister_pernet_operations+0x262/0x390
[ ... ]
[ 753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next.
[ 753.287241] ------------[ cut here ]------------
[ 753.287794] kernel BUG at lib/list_debug.c:25!
[ 753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G B W 5.2.0-rc6+ #50
[ 753.291036] RIP: 0010:__list_add_valid+0x74/0xd0
[ 753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b
[ 753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286
[ 753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000
[ 753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69
[ 753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21
[ 753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878
[ 753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458
[ 753.299564] FS: 00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000
[ 753.300533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0
[ 753.302183] Call Trace:
[ 753.302530] gtp_newlink+0x5f6/0xa5c [gtp]
[ 753.303037] ? __netlink_ns_capable+0xc3/0xf0
[ 753.303576] __rtnl_newlink+0xb9f/0x11b0
[ 753.304092] ? rtnl_link_unregister+0x230/0x230
Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/gtp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index 5615cdb7202c..607f38712b4e 100644
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -1382,9 +1382,9 @@ late_initcall(gtp_init);
static void __exit gtp_fini(void)
{
- unregister_pernet_subsys(>p_net_ops);
genl_unregister_family(>p_genl_family);
rtnl_link_unregister(>p_link_ops);
+ unregister_pernet_subsys(>p_net_ops);
pr_info("GTP module unloaded\n");
}
--
2.20.1
next prev parent reply other threads:[~2019-07-15 14:03 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-15 13:42 [PATCH AUTOSEL 5.2 001/249] ath10k: Check tx_stats before use it Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 002/249] ath10k: htt: don't use txdone_fifo with SDIO Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 003/249] ath10k: fix incorrect multicast/broadcast rate setting Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 004/249] ath9k: Don't trust TX status TID number when reporting airtime Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 005/249] wil6210: fix potential out-of-bounds read Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 006/249] ath10k: Do not send probe response template for mesh Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 008/249] ath9k: Check for errors when reading SREV register Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 009/249] ath10k: Fix the wrong value of enums for wmi tlv stats id Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 010/249] wil6210: fix missed MISC mbox interrupt Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 011/249] ath6kl: add some bounds checking Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 012/249] ath10k: add peer id check in ath10k_peer_find_by_id Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 014/249] wil6210: fix spurious interrupts in 3-msi Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 015/249] ath: DFS JP domain W56 fixed pulse type 3 RADAR detection Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 016/249] ath10k: Fix encoding for protected management frames Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 018/249] batman-adv: fix for leaked TVLV handler Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 024/249] selftests/bpf: adjust verifier scale test Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 027/249] ice: Gracefully handle reset failure in ice_alloc_vfs() Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 030/249] net: stmmac: dwmac1000: Clear unused address entries Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 031/249] net: stmmac: dwmac4/5: " Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 032/249] net: stmmac: Prevent missing interrupts when running NAPI Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 033/249] ice: Fix couple of issues in ice_vsi_release Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 034/249] net: mvpp2: cls: Extract the RSS context when parsing the ethtool rule Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 035/249] net: hns3: initialize CPU reverse mapping Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 036/249] net: hns3: fix for FEC configuration Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 037/249] qed: Set the doorbell address correctly Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 040/249] af_key: fix leaks in key_pol_get_resp and dump_sp Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 041/249] xfrm: Fix xfrm sel prefix length validation Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 047/249] Revert "e1000e: fix cyclic resets at link up with active tx" Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 048/249] e1000e: start network tx queue only when link is up Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 049/249] ice: Check all VFs for MDD activity, don't disable Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 054/249] net: phy: Check against net_device being NULL Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 055/249] net: dsa: sja1105: Fix broken fixed-link interfaces on user ports Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 059/249] batman-adv: Fix duplicated OGMs on NETDEV_UP Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 064/249] net: hns3: add a check to pointer in error_detected and slot_reset Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 065/249] net: hns3: set ops to null when unregister ad_dev Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 072/249] net: stmmac: dwmac4: fix flow control issue Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 073/249] net: stmmac: modify default value of tx-frames Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 075/249] net: fec: Do not use netdev messages too early Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 076/249] net: axienet: Fix race condition causing TX hang Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 079/249] net: sfp: add mutex to prevent concurrent state checks Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 080/249] netfilter: ipset: fix a missing check of nla_parse Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 081/249] ipset: Fix memory accounting for hash types on resize Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 085/249] selftests/bpf : clean up feature/ when make clean Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 095/249] bpf: silence warning messages in core Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 104/249] qed: iWARP - Fix tc for MPA ll2 connection Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 105/249] net: hns3: fix for dereferencing before null checking Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 106/249] net: hns3: fix for skb leak when doing selftest Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 107/249] net: hns3: delay ring buffer clearing during reset Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 110/249] xfrm: fix sa selector validation Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 119/249] vhost_net: disable zerocopy by default Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 120/249] iavf: allow null RX descriptors Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 124/249] bpf: fix callees pruning callers Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 127/249] net: netsec: initialize tx ring on ndo_open Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 141/249] ipsec: select crypto ciphers for xfrm_algo Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 143/249] ipvs: defer hook registration to avoid leaks Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 156/249] net: stmmac: sun8i: force select external PHY when no internal one Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 157/249] rtlwifi: rtl8192cu: fix error handle when usb probe failed Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 158/249] mt7601u: do not schedule rx_tasklet when the device has been disconnected Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 160/249] mt7601u: fix possible memory leak when the device is disconnected Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 161/249] ipvs: fix tinfo memory leak in start_sync_thread Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 162/249] mt76: mt7615: do not process rx packets if the device is not initialized Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 163/249] ath10k: add missing error handling Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 164/249] ath10k: fix fw crash by moving chip reset after napi disabled Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 165/249] ath10k: fix PCIE device wake up failed Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 174/249] netfilter: ctnetlink: Fix regression in conntrack entry deletion Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 175/249] xsk: Properly terminate assignment in xskq_produce_flush_desc Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 177/249] bpf: fix BPF_ALU32 | BPF_ARSH on BE arches Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 180/249] net: hns3: restore the MAC autoneg state after reset Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 181/249] net/mlx5: Get vport ACL namespace by vport index Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 182/249] ixgbe: Check DDM existence in transceiver before access Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 186/249] ath9k: correctly handle short radar pulses Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 187/249] wil6210: drop old event after wmi_call timeout Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 189/249] net/mlx5e: Attach/detach XDP program safely Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 199/249] net: hns3: fix a -Wformat-nonliteral compile warning Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 200/249] net: hns3: add some error checking in hclge_tm module Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 201/249] ath10k: Fix memory leak in qmi Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 202/249] ath10k: destroy sdio workqueue while remove sdio module Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 203/249] net: mvpp2: prs: Don't override the sign bit in SRAM parser shift Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 204/249] igb: clear out skb->tstamp after reading the txtime Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 205/249] net: hns3: add Asym Pause support to fix autoneg problem Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 206/249] net: ethernet: ti: cpsw: Assign OF node to slave devices Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 207/249] ixgbe: Avoid NULL pointer dereference with VF on non-IPsec hw Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 208/249] iwlwifi: mvm: Drop large non sta frames Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 209/249] bpf: fix uapi bpf_prog_info fields alignment Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 210/249] netfilter: Fix remainder of pseudo-header protocol 0 Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 211/249] iwlwifi: dbg: fix debug monitor stop and restart delays Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 212/249] bnxt_en: Disable bus master during PCI shutdown and driver unload Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 213/249] bnxt_en: Fix statistics context reservation logic for RDMA driver Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 214/249] bnxt_en: Cap the returned MSIX vectors to the " Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 220/249] vxlan: do not destroy fdb if register_netdevice() is failed Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 221/249] bnx2x: Prevent ptp_task to be rescheduled indefinitely Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 222/249] net: usb: asix: init MAC address buffers Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 224/249] libbpf: fix GCC8 warning for strncpy Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 225/249] bpf, libbpf, smatch: Fix potential NULL pointer dereference Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 226/249] selftests: bpf: fix inlines in test_lwt_seg6local Sasha Levin
2019-07-17 9:43 ` Jiri Benc
2019-07-17 23:47 ` Sasha Levin
2019-07-18 7:36 ` Jiri Benc
2019-07-18 18:55 ` David Miller
2019-07-19 7:54 ` Jiri Benc
2019-07-18 19:32 ` Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 227/249] bonding: validate ip header before check IPPROTO_IGMP Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 231/249] tools: bpftool: Fix json dump crash on powerpc Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 232/249] net: hns3: enable broadcast promisc mode when initializing VF Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 233/249] net: hns3: fix port capbility updating issue Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 237/249] Bluetooth: 6lowpan: search for destination address in all peers Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 240/249] Bluetooth: Check state in l2cap_disconnect_rsp Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 241/249] Bluetooth: hidp: NUL terminate a string in the compat ioctl Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 242/249] gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable() Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 243/249] Bluetooth: validate BLE connection interval updates Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 244/249] gtp: fix suspicious RCU usage Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 245/249] gtp: fix Illegal context switch in RCU read-side critical section Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 246/249] gtp: fix use-after-free in gtp_encap_destroy() Sasha Levin
2019-07-15 13:46 ` Sasha Levin [this message]
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 248/249] xdp: fix race on generic receive path Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 249/249] net: mvmdio: defer probe of orion-mdio if a clock is not ready Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190715134655.4076-247-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=osmocom-net-gprs@lists.osmocom.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).