linux/drivers/net
Taehee Yoo a2bed90704 gtp: fix use-after-free in gtp_newlink()
Currently, gtp_newlink() could be called after unregister_pernet_subsys().
gtp_newlink() uses gtp_net but it can be destroyed by
unregister_pernet_subsys().
So unregister_pernet_subsys() should be called after
rtnl_link_unregister().

Test commands:
   # SHELL 1
   while :
   do
      for i in {1..5}
      do
         ./gtp-link add gtp$i &
      done
      killall gtp-link
   done

   # SHELL 2
   while :
   do
      modprobe -rv gtp
   done

Splat looks like:
[  753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp]
[  753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126
[  753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G        W         5.2.0-rc6+ #50
[  753.185801] Call Trace:
[  753.186264]  dump_stack+0x7c/0xbb
[  753.186863]  ? gtp_newlink+0x9b4/0xa5c [gtp]
[  753.187583]  print_address_description+0xc7/0x240
[  753.188382]  ? gtp_newlink+0x9b4/0xa5c [gtp]
[  753.189097]  ? gtp_newlink+0x9b4/0xa5c [gtp]
[  753.189846]  __kasan_report+0x12a/0x16f
[  753.190542]  ? gtp_newlink+0x9b4/0xa5c [gtp]
[  753.191298]  kasan_report+0xe/0x20
[  753.191893]  gtp_newlink+0x9b4/0xa5c [gtp]
[  753.192580]  ? __netlink_ns_capable+0xc3/0xf0
[  753.193370]  __rtnl_newlink+0xb9f/0x11b0
[ ... ]
[  753.241201] Allocated by task 7186:
[  753.241844]  save_stack+0x19/0x80
[  753.242399]  __kasan_kmalloc.constprop.3+0xa0/0xd0
[  753.243192]  __kmalloc+0x13e/0x300
[  753.243764]  ops_init+0xd6/0x350
[  753.244314]  register_pernet_operations+0x249/0x6f0
[ ... ]
[  753.251770] Freed by task 7178:
[  753.252288]  save_stack+0x19/0x80
[  753.252833]  __kasan_slab_free+0x111/0x150
[  753.253962]  kfree+0xc7/0x280
[  753.254509]  ops_free_list.part.11+0x1c4/0x2d0
[  753.255241]  unregister_pernet_operations+0x262/0x390
[ ... ]
[  753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next.
[  753.287241] ------------[ cut here ]------------
[  753.287794] kernel BUG at lib/list_debug.c:25!
[  753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G    B   W         5.2.0-rc6+ #50
[  753.291036] RIP: 0010:__list_add_valid+0x74/0xd0
[  753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b
[  753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286
[  753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000
[  753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69
[  753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21
[  753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878
[  753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458
[  753.299564] FS:  00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000
[  753.300533] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0
[  753.302183] Call Trace:
[  753.302530]  gtp_newlink+0x5f6/0xa5c [gtp]
[  753.303037]  ? __netlink_ns_capable+0xc3/0xf0
[  753.303576]  __rtnl_newlink+0xb9f/0x11b0
[  753.304092]  ? rtnl_link_unregister+0x230/0x230

Fixes: 459aa660eb ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-07 18:42:47 -07:00
appletalk treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
arcnet treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
bonding bonding: validate ip header before check IPPROTO_IGMP 2019-07-03 13:26:12 -07:00
caif treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 194 2019-05-30 11:29:22 -07:00
can SPDX update for 5.2-rc6 2019-06-21 09:58:42 -07:00
dsa net: dsa: mv88e6xxx: wait after reset deactivation 2019-06-29 12:21:18 -07:00
ethernet net: hns: add support for vlan TSO 2019-07-03 11:48:49 -07:00
fddi treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
fjes treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 308 2019-06-05 17:37:04 +02:00
hamradio treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 400 2019-06-05 17:37:13 +02:00
hippi treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 128 2019-05-30 11:25:13 -07:00
hyperv hv_netvsc: Set probe mode to sync 2019-06-14 19:47:05 -07:00
ieee802154 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372 2019-06-05 17:37:10 +02:00
ipvlan Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-07 09:29:14 -07:00
netdevsim netdevsim: Make nsim_num_vf static 2019-05-05 10:48:45 -07:00
phy Revert "net: phylink: set the autoneg state in phylink_phy_change" 2019-06-15 18:10:30 -07:00
plip treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ppp ppp: mppe: Add softdep to arc4 2019-06-22 09:44:23 -04:00
slip treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
team team: Always enable vlan tx offload 2019-06-26 10:14:08 -07:00
usb r8152: set RTL8152_UNPLUG only for real disconnection 2019-07-05 15:37:32 -07:00
vmxnet3
wan treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 426 2019-06-05 17:37:16 +02:00
wimax treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 268 2019-06-05 17:30:29 +02:00
wireless mt76: usb: fix rx A-MSDU support 2019-06-27 19:48:36 +03:00
xen-netback treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
LICENSE.SRC
Makefile net: Always descend into dsa/ 2019-05-14 15:20:11 -07:00
Space.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
dummy.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
eql.c
geneve.c SPDX update for 5.2-rc6 2019-06-21 09:58:42 -07:00
gtp.c gtp: fix use-after-free in gtp_newlink() 2019-07-07 18:42:47 -07:00
ifb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
loopback.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
macsec.c macsec: fix checksumming after decryption 2019-07-02 14:12:29 -07:00
macvlan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
macvtap.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
mdio.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
mii.c
net_failover.c net: remove 'fallback' argument from dev->ndo_select_queue() 2019-03-20 11:18:55 -07:00
netconsole.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 153 2019-05-30 11:26:32 -07:00
nlmon.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ntb_netdev.c
rionet.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sb1000.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sungem_phy.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
tap.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
thunderbolt.c net: thunderbolt: Unregister ThunderboltIP protocol handler when suspending 2019-04-18 11:18:51 +03:00
tun.c tun: wake up waitqueues after IFF_UP is set 2019-06-18 10:46:52 -07:00
veth.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
virtio_net.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
vrf.c ipv6: constify rt6_nexthop() 2019-06-26 13:26:08 -07:00
vsockmon.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
vxlan.c vxlan: do not destroy fdb if register_netdevice() is failed 2019-07-01 19:06:02 -07:00
xen-netfront.c xen-netfront: mark expected switch fall-through 2019-04-16 21:03:02 -07:00