stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Liu Jian <liujian56@huawei.com>,
	"David S. Miller" <davem@davemloft.net>,
	Lee Jones <lee.jones@linaro.org>
Subject: [PATCH 5.13 02/22] igmp: Add ip_mc_list lock in ip_check_mc_rcu
Date: Fri, 10 Sep 2021 14:30:01 +0200
Message-ID: <20210910122916.020183134@linuxfoundation.org>
In-Reply-To: <20210910122915.942645251@linuxfoundation.org>

From: Liu Jian <liujian56@huawei.com>

commit 23d2b94043ca8835bd1e67749020e839f396a1c2 upstream.

I got the panic below when doing a fuzz test:

Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 4056 Comm: syz-executor.3 Tainted: G    B             5.14.0-rc1-00195-gcff5c4254439-dirty #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x7a/0x9b
panic+0x2cd/0x5af
end_report.cold+0x5a/0x5a
kasan_report+0xec/0x110
ip_check_mc_rcu+0x556/0x5d0
__mkroute_output+0x895/0x1740
ip_route_output_key_hash_rcu+0x2d0/0x1050
ip_route_output_key_hash+0x182/0x2e0
ip_route_output_flow+0x28/0x130
udp_sendmsg+0x165d/0x2280
udpv6_sendmsg+0x121e/0x24f0
inet6_sendmsg+0xf7/0x140
sock_sendmsg+0xe9/0x180
____sys_sendmsg+0x2b8/0x7a0
___sys_sendmsg+0xf0/0x160
__sys_sendmmsg+0x17e/0x3c0
__x64_sys_sendmmsg+0x9e/0x100
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x462eb9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8
 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48>
 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3df5af1c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462eb9
RDX: 0000000000000312 RSI: 0000000020001700 RDI: 0000000000000007
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3df5af26bc
R13: 00000000004c372d R14: 0000000000700b10 R15: 00000000ffffffff

It is a use-after-free in ip_check_mc_rcu.
In ip_mc_del_src, the ip_sf_list of pmc has been freed under the protection of pmc->lock,
but the access to ip_sf_list in ip_check_mc_rcu is not protected by the lock.

Signed-off-by: Liu Jian <liujian56@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/igmp.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -2720,6 +2720,7 @@ int ip_check_mc_rcu(struct in_device *in
 		rv = 1;
 	} else if (im) {
 		if (src_addr) {
+			spin_lock_bh(&im->lock);
 			for (psf = im->sources; psf; psf = psf->sf_next) {
 				if (psf->sf_inaddr == src_addr)
 					break;
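Review bot: the spin_lock_bh() added at the top of the src_addr branch guards the walk at `for (psf = im->sources; psf; psf = psf->sf_next)`, which uses plain loads rather than rcu_dereference(), so the RCU read-side section implied by the function name (and by its caller __mkroute_output in the trace) never covered this list; a spinlock is the right tool here since spin_lock_bh() does not sleep and is safe inside an RCU section, but a one-line comment above it, e.g. `/* im->sources is freed under im->lock, not RCU (see ip_mc_del_src) */`, would stop a later cleanup from turning this back into a lockless walk. Because the trace shows this path is reached from udp_sendmsg through ip_route_output_key_hash, the lock is now taken on every multicast route lookup that carries a source address; a sentence in the commit message on why locking was preferred over making the source list RCU-safe would help backport reviewers judge the trade-off.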
@@ -2730,6 +2731,7 @@ int ip_check_mc_rcu(struct in_device *in
 					im->sfcount[MCAST_EXCLUDE];
 			else
 				rv = im->sfcount[MCAST_EXCLUDE] != 0;
+			spin_unlock_bh(&im->lock);
 		} else
 			rv = 1; /* unspecified source; tentatively allow */
 	}
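Review bot: spin_unlock_bh() is placed after both `rv` assignments rather than directly after the list walk, which is the right placement: the read of `im->sfcount[MCAST_EXCLUDE]` on the lines above it belongs to the same ip_mc_list whose source list the commit message says is torn down under pmc->lock, and whatever `psf` fields the elided lines 2725-2729 read must also stay inside the critical section. Two things to confirm on those elided lines, since the visible context shows a single lock/unlock pair with no other exit: that `psf` is not dereferenced after `spin_unlock_bh(&im->lock);`, and that nothing between lock and unlock returns early or can sleep. Leaving the `rv = 1; /* unspecified source; tentatively allow */` branch outside the lock is correct, as it touches neither the list nor the counters.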



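The commit message above explains the bug as a source list that ip_mc_del_src frees under pmc->lock while ip_check_mc_rcu walked it without that lock. The following is an added example, not code from the kernel or from this patch: a user-space C model of the decision the patched function makes (accept or drop a datagram from a given source, based on the group's INCLUDE/EXCLUDE source filters) with the list walk and the counter reads done under the same lock that the deleter frees under. The struct layout, the `mc_*` helper names, the C11 atomic-flag spinlock standing in for spin_lock_bh(), and the constructed join/leave scenario are this example's own assumptions; only the field names `sources`, `sf_count` and `sfcount` and the two `rv` expressions follow the kernel's.

```c
/* Added example, not kernel code: a user-space model of the source-filter decision
 * in ip_check_mc_rcu and of the lock discipline the patch adds.  Field names follow
 * the kernel's (sources, sf_count, sfcount); the structs, the mc_* helpers and the
 * sample filter state are this example's own assumptions. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
enum { MCAST_INCLUDE = 0, MCAST_EXCLUDE = 1 };

/* C11 atomic-flag spinlock standing in for the kernel's spin_lock_bh(). */
static void mc_lock(atomic_flag *l)   { while (atomic_flag_test_and_set_explicit(l, memory_order_acquire)) ; }
static void mc_unlock(atomic_flag *l) { atomic_flag_clear_explicit(l, memory_order_release); }

struct sf_entry {			/* one source in a group's filter list */
	uint32_t sf_inaddr;
	int sf_count[2];		/* sockets listing it in INCLUDE / EXCLUDE mode */
	struct sf_entry *sf_next;
};
struct mc_entry {			/* one joined multicast group */
	uint32_t multiaddr;
	int sfcount[2];			/* sockets joined in INCLUDE / EXCLUDE mode */
	struct sf_entry *sources;	/* walked and freed only under lock */
	atomic_flag lock;
};

/* A socket joins (delta +1) or leaves (delta -1) the group in a filter mode. */
void mc_join(struct mc_entry *im, int mode, int delta)
{ mc_lock(&im->lock); im->sfcount[mode] += delta; mc_unlock(&im->lock); }

/* Lock must be held.  Returns the link to the entry for src, or to the NULL tail. */
static struct sf_entry **find_src(struct mc_entry *im, uint32_t src)
{
	struct sf_entry **pp = &im->sources;
	while (*pp && (*pp)->sf_inaddr != src)
		pp = &(*pp)->sf_next;
	return pp;
}

/* A socket adds src to its filter in the given mode. */
void mc_add_src(struct mc_entry *im, uint32_t src, int mode)
{
	mc_lock(&im->lock);
	struct sf_entry *psf = *find_src(im, src);
	if (!psf) {			/* first socket to list src: link a new node in */
		psf = calloc(1, sizeof(*psf)); psf->sf_inaddr = src;
		psf->sf_next = im->sources; im->sources = psf;
	}
	psf->sf_count[mode]++;
	mc_unlock(&im->lock);
}

/* A socket drops src.  As in ip_mc_del_src, the node is unlinked and freed under
 * im->lock; a walker of im->sources that skips the lock can touch freed memory. */
void mc_del_src(struct mc_entry *im, uint32_t src, int mode)
{
	mc_lock(&im->lock);
	struct sf_entry **pp = find_src(im, src), *psf = *pp;
	if (psf && --psf->sf_count[mode] == 0 &&
	    !psf->sf_count[MCAST_INCLUDE] && !psf->sf_count[MCAST_EXCLUDE]) {
		*pp = psf->sf_next;	/* no socket references it any more */
		free(psf);
	}
	mc_unlock(&im->lock);
}

/* Deliver a datagram from src to the group?  Same decision as the patched
 * ip_check_mc_rcu: the list walk and the count reads both sit inside the lock. */
int mc_check(struct mc_entry *im, uint32_t src)
{
	int rv;
	if (!src) return 1;		/* unspecified source; tentatively allow */
	mc_lock(&im->lock);
	struct sf_entry *psf = *find_src(im, src);
	if (psf)	/* listed: some socket includes it, or not every EXCLUDE socket excludes it */
		rv = psf->sf_count[MCAST_INCLUDE] ||
		     psf->sf_count[MCAST_EXCLUDE] != im->sfcount[MCAST_EXCLUDE];
	else		/* unlisted: only EXCLUDE-mode members accept it */
		rv = im->sfcount[MCAST_EXCLUDE] != 0;
	mc_unlock(&im->lock);
	return rv;
}

/* Constructed scenario; returns one mc_check() result per bit, LSB first. */
int mc_scenario(void)
{
	struct mc_entry im = { .multiaddr = 0xE0000001u, .lock = ATOMIC_FLAG_INIT };	/* 224.0.0.1 */
	int r = 0;
	mc_join(&im, MCAST_INCLUDE, +1); mc_add_src(&im, 0x0A000001u, MCAST_INCLUDE);	/* A: INCLUDE {10.0.0.1} */
	r |= mc_check(&im, 0x0A000001u) << 0;		/* 1: A includes it */
	r |= mc_check(&im, 0x0A000002u) << 1;		/* 0: unlisted and no EXCLUDE member */
	mc_join(&im, MCAST_EXCLUDE, +1); mc_add_src(&im, 0x0A000003u, MCAST_EXCLUDE);	/* B: EXCLUDE {10.0.0.3} */
	r |= mc_check(&im, 0x0A000002u) << 2;		/* 1: B takes anything unlisted */
	r |= mc_check(&im, 0x0A000003u) << 3;		/* 0: every EXCLUDE member excludes it */
	mc_join(&im, MCAST_EXCLUDE, +1);		/* C: EXCLUDE {} */
	r |= mc_check(&im, 0x0A000003u) << 4;		/* 1: C does not exclude it */
	mc_del_src(&im, 0x0A000001u, MCAST_INCLUDE); mc_join(&im, MCAST_INCLUDE, -1);	/* A leaves; node freed */
	r |= mc_check(&im, 0x0A000001u) << 5;		/* 1: unlisted, EXCLUDE members exist */
	mc_del_src(&im, 0x0A000003u, MCAST_EXCLUDE);	/* B drops it: last node freed */
	return r;					/* 0x35 */
}

int main(void) { printf("scenario bits: 0x%02x\n", mc_scenario()); return 0; }
```

Build with `cc -std=c11 -Wall mc_model.c`; mc_scenario() returns 0x35, i.e. the six checks yield 1,0,1,0,1,1 in order, and the last check runs only after mc_del_src() has freed the node for 10.0.0.1 under the same lock mc_check() takes. That serialization of the walk against the free is the invariant the patch restores; in this model the counters live in the same critical section as the walk for the same reason the patched kernel code unlocks only after the `sfcount` reads.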

Thread overview: 29+ messages
2021-09-10 12:29 [PATCH 5.13 00/22] 5.13.16-rc1 review Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 01/22] firmware: dmi: Move product_sku info to the end of the modalias Greg Kroah-Hartman
2021-09-10 12:30 ` Greg Kroah-Hartman [this message]
2021-09-10 12:30 ` [PATCH 5.13 03/22] net: ll_temac: Remove left-over debug message Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 04/22] Revert "r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM" Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 05/22] blk-mq: fix kernel panic during iterating over flush request Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 06/22] blk-mq: fix is_flush_rq Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 07/22] blk-mq: clearing flush request reference in tags->rqs[] Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 08/22] ALSA: usb-audio: Add registration quirk for JBL Quantum 800 Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 09/22] Bluetooth: Add additional Bluetooth part for Realtek 8852AE Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 10/22] Bluetooth: btusb: Make the CSR clone chip force-suspend workaround more generic Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 11/22] usb: host: xhci-rcar: Dont reload firmware after the completion Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 12/22] usb: xhci-mtk: fix issue of out-of-bounds array access Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 13/22] usb: cdnsp: fix the wrong mult value for HS isoc or intr Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 14/22] usb: gadget: tegra-xudc: " Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 15/22] usb: mtu3: restore HS function when set SS/SSP Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 16/22] usb: mtu3: use @mult for HS isoc or intr Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 17/22] usb: mtu3: fix the wrong HS mult value Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 18/22] xhci: fix even more unsafe memory usage in xhci tracing Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 19/22] xhci: fix " Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 20/22] xhci: Fix failure to give back some cached cancelled URBs Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 21/22] x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.13 22/22] PCI: Call Max Payload Size-related fixup quirks early Greg Kroah-Hartman
2021-09-10 18:38 ` [PATCH 5.13 00/22] 5.13.16-rc1 review Fox Chen
2021-09-10 19:43 ` Florian Fainelli
2021-09-10 23:17 ` Shuah Khan
2021-09-11 16:20 ` Justin Forbes
2021-09-11 19:36 ` Guenter Roeck
2021-09-12  0:48 ` Daniel Díaz
