linux_dsm_epyc7002/drivers/net
Taehee Yoo 1788b8569f gtp: fix use-after-free in gtp_encap_destroy()
gtp_encap_destroy() is called twice.
1. When the interface is deleted.
2. When the UDP socket is destroyed.
Either gtp->sk0 or gtp->sk1u could be freed by sock_put() in
gtp_encap_destroy(). So, when gtp_encap_destroy() is called again,
it would use the freed sk pointer.

This patch makes gtp_encap_destroy() set either gtp->sk0 or gtp->sk1u to
null. In addition, both the gtp->sk0 and gtp->sk1u pointers are protected
by rtnl_lock. So, rtnl_lock() is added.

Test command:
   gtp-link add gtp1 &
   killall gtp-link
   ip link del gtp1

Splat looks like:
[   83.182767] BUG: KASAN: use-after-free in __lock_acquire+0x3a20/0x46a0
[   83.184128] Read of size 8 at addr ffff8880cc7d5360 by task ip/1008
[   83.185567] CPU: 1 PID: 1008 Comm: ip Not tainted 5.2.0-rc6+ #50
[   83.188469] Call Trace:
[ ... ]
[   83.200126]  lock_acquire+0x141/0x380
[   83.200575]  ? lock_sock_nested+0x3a/0xf0
[   83.201069]  _raw_spin_lock_bh+0x38/0x70
[   83.201551]  ? lock_sock_nested+0x3a/0xf0
[   83.202044]  lock_sock_nested+0x3a/0xf0
[   83.202520]  gtp_encap_destroy+0x18/0xe0 [gtp]
[   83.203065]  gtp_encap_disable.isra.14+0x13/0x50 [gtp]
[   83.203687]  gtp_dellink+0x56/0x170 [gtp]
[   83.204190]  rtnl_delete_link+0xb4/0x100
[ ... ]
[   83.236513] Allocated by task 976:
[   83.236925]  save_stack+0x19/0x80
[   83.237332]  __kasan_kmalloc.constprop.3+0xa0/0xd0
[   83.237894]  kmem_cache_alloc+0xd8/0x280
[   83.238360]  sk_prot_alloc.isra.42+0x50/0x200
[   83.238874]  sk_alloc+0x32/0x940
[   83.239264]  inet_create+0x283/0xc20
[   83.239684]  __sock_create+0x2dd/0x540
[   83.240136]  __sys_socket+0xca/0x1a0
[   83.240550]  __x64_sys_socket+0x6f/0xb0
[   83.240998]  do_syscall_64+0x9c/0x450
[   83.241466]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   83.242061]
[   83.242249] Freed by task 0:
[   83.242616]  save_stack+0x19/0x80
[   83.243013]  __kasan_slab_free+0x111/0x150
[   83.243498]  kmem_cache_free+0x89/0x250
[   83.244444]  __sk_destruct+0x38f/0x5a0
[   83.245366]  rcu_core+0x7e9/0x1c20
[   83.245766]  __do_softirq+0x213/0x8fa

Fixes: 1e3a3abd8b ("gtp: make GTP sockets in gtp_newlink optional")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-07 18:42:47 -07:00
appletalk treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
arcnet treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
bonding bonding: validate ip header before check IPPROTO_IGMP 2019-07-03 13:26:12 -07:00
caif treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 194 2019-05-30 11:29:22 -07:00
can SPDX update for 5.2-rc6 2019-06-21 09:58:42 -07:00
dsa net: dsa: mv88e6xxx: wait after reset deactivation 2019-06-29 12:21:18 -07:00
ethernet net: hns: add support for vlan TSO 2019-07-03 11:48:49 -07:00
fddi treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
fjes treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 308 2019-06-05 17:37:04 +02:00
hamradio treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 400 2019-06-05 17:37:13 +02:00
hippi treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 128 2019-05-30 11:25:13 -07:00
hyperv hv_netvsc: Set probe mode to sync 2019-06-14 19:47:05 -07:00
ieee802154 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372 2019-06-05 17:37:10 +02:00
ipvlan Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-07 09:29:14 -07:00
netdevsim netdevsim: Make nsim_num_vf static 2019-05-05 10:48:45 -07:00
phy Revert "net: phylink: set the autoneg state in phylink_phy_change" 2019-06-15 18:10:30 -07:00
plip treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ppp ppp: mppe: Add softdep to arc4 2019-06-22 09:44:23 -04:00
slip treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
team team: Always enable vlan tx offload 2019-06-26 10:14:08 -07:00
usb r8152: set RTL8152_UNPLUG only for real disconnection 2019-07-05 15:37:32 -07:00
vmxnet3
wan treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 426 2019-06-05 17:37:16 +02:00
wimax treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 268 2019-06-05 17:30:29 +02:00
wireless mt76: usb: fix rx A-MSDU support 2019-06-27 19:48:36 +03:00
xen-netback treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
dummy.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
eql.c
geneve.c SPDX update for 5.2-rc6 2019-06-21 09:58:42 -07:00
gtp.c gtp: fix use-after-free in gtp_encap_destroy() 2019-07-07 18:42:47 -07:00
ifb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
LICENSE.SRC
loopback.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
macsec.c macsec: fix checksumming after decryption 2019-07-02 14:12:29 -07:00
macvlan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
macvtap.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
Makefile net: Always descend into dsa/ 2019-05-14 15:20:11 -07:00
mdio.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
mii.c
net_failover.c net: remove 'fallback' argument from dev->ndo_select_queue() 2019-03-20 11:18:55 -07:00
netconsole.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 153 2019-05-30 11:26:32 -07:00
nlmon.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
ntb_netdev.c
rionet.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sb1000.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
Space.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
sungem_phy.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
tap.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
thunderbolt.c net: thunderbolt: Unregister ThunderboltIP protocol handler when suspending 2019-04-18 11:18:51 +03:00
tun.c tun: wake up waitqueues after IFF_UP is set 2019-06-18 10:46:52 -07:00
veth.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
virtio_net.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
vrf.c ipv6: constify rt6_nexthop() 2019-06-26 13:26:08 -07:00
vsockmon.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
vxlan.c vxlan: do not destroy fdb if register_netdevice() is failed 2019-07-01 19:06:02 -07:00
xen-netfront.c xen-netfront: mark expected switch fall-through 2019-04-16 21:03:02 -07:00