linux/drivers/net
YueHaibing 33902b4a42 netdevsim: Fix error handling in nsim_fib_init and nsim_fib_exit
In nsim_fib_init(), if register_fib_notifier fails, nsim_fib_net_ops
should be unregistered before returning.

In nsim_fib_exit(), unregister_fib_notifier should be called before
nsim_fib_net_ops is unregistered; otherwise it may cause a use-after-free:

BUG: KASAN: use-after-free in nsim_fib_event_nb+0x342/0x570 [netdevsim]
Read of size 8 at addr ffff8881daaf4388 by task kworker/0:3/3499

CPU: 0 PID: 3499 Comm: kworker/0:3 Not tainted 5.3.0-rc7+ #30
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work [ipv6]
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xa9/0x10e lib/dump_stack.c:113
 print_address_description+0x65/0x380 mm/kasan/report.c:351
 __kasan_report+0x149/0x18d mm/kasan/report.c:482
 kasan_report+0xe/0x20 mm/kasan/common.c:618
 nsim_fib_event_nb+0x342/0x570 [netdevsim]
 notifier_call_chain+0x52/0xf0 kernel/notifier.c:95
 __atomic_notifier_call_chain+0x78/0x140 kernel/notifier.c:185
 call_fib_notifiers+0x30/0x60 net/core/fib_notifier.c:30
 call_fib6_entry_notifiers+0xc1/0x100 [ipv6]
 fib6_add+0x92e/0x1b10 [ipv6]
 __ip6_ins_rt+0x40/0x60 [ipv6]
 ip6_ins_rt+0x84/0xb0 [ipv6]
 __ipv6_ifa_notify+0x4b6/0x550 [ipv6]
 ipv6_ifa_notify+0xa5/0x180 [ipv6]
 addrconf_dad_completed+0xca/0x640 [ipv6]
 addrconf_dad_work+0x296/0x960 [ipv6]
 process_one_work+0x5c0/0xc00 kernel/workqueue.c:2269
 worker_thread+0x5c/0x670 kernel/workqueue.c:2415
 kthread+0x1d7/0x200 kernel/kthread.c:255
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 3388:
 save_stack+0x19/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:493
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 ops_init+0xa9/0x220 net/core/net_namespace.c:127
 __register_pernet_operations net/core/net_namespace.c:1135 [inline]
 register_pernet_operations+0x1d4/0x420 net/core/net_namespace.c:1212
 register_pernet_subsys+0x24/0x40 net/core/net_namespace.c:1253
 nsim_fib_init+0x12/0x70 [netdevsim]
 veth_get_link_ksettings+0x2b/0x50 [veth]
 do_one_initcall+0xd4/0x454 init/main.c:939
 do_init_module+0xe0/0x330 kernel/module.c:3490
 load_module+0x3c2f/0x4620 kernel/module.c:3841
 __do_sys_finit_module+0x163/0x190 kernel/module.c:3931
 do_syscall_64+0x72/0x2e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3534:
 save_stack+0x19/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:455
 slab_free_hook mm/slub.c:1423 [inline]
 slab_free_freelist_hook mm/slub.c:1474 [inline]
 slab_free mm/slub.c:3016 [inline]
 kfree+0xe9/0x2d0 mm/slub.c:3957
 ops_free net/core/net_namespace.c:151 [inline]
 ops_free_list.part.7+0x156/0x220 net/core/net_namespace.c:184
 ops_free_list net/core/net_namespace.c:182 [inline]
 __unregister_pernet_operations net/core/net_namespace.c:1165 [inline]
 unregister_pernet_operations+0x221/0x2a0 net/core/net_namespace.c:1224
 unregister_pernet_subsys+0x1d/0x30 net/core/net_namespace.c:1271
 nsim_fib_exit+0x11/0x20 [netdevsim]
 nsim_module_exit+0x16/0x21 [netdevsim]
 __do_sys_delete_module kernel/module.c:1015 [inline]
 __se_sys_delete_module kernel/module.c:958 [inline]
 __x64_sys_delete_module+0x244/0x330 kernel/module.c:958
 do_syscall_64+0x72/0x2e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 59c84b9fcf ("netdevsim: Restore per-network namespace accounting for fib entries")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-10-13 11:30:14 -07:00
appletalk
arcnet drivers: net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
bonding bonding: fix potential NULL deref in bond_update_slave_arr 2019-10-09 16:07:27 -07:00
caif caif: no need to check return value of debugfs_create functions 2019-08-11 21:31:25 -07:00
can drivers: net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
dsa net: dsa: b53: Do not clear existing mirrored port mask 2019-10-06 15:55:14 +02:00
ethernet net/ibmvnic: Fix EOI when running in XIVE mode. 2019-10-13 11:18:56 -07:00
fddi
fjes
hamradio Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-09-15 14:17:27 +02:00
hippi
hyperv hv_netvsc: Sync offloading features to VF NIC 2019-09-07 17:42:52 +02:00
ieee802154 Merge tag 'ieee802154-for-davem-2019-09-28' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan 2019-09-30 17:14:45 -07:00
ipvlan ipvlan: set hw_enc_features like macvlan 2019-08-16 15:58:34 -07:00
netdevsim netdevsim: Fix error handling in nsim_fib_init and nsim_fib_exit 2019-10-13 11:30:14 -07:00
phy phylink: fix kernel-doc warnings 2019-10-09 17:44:41 -07:00
plip
ppp netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
slip net: delete "register" keyword 2019-08-08 18:03:42 -07:00
team team: Add vlan tx offload to hw_enc_features 2019-08-08 22:41:41 -07:00
usb net: usb: qmi_wwan: add Telit 0x1050 composition 2019-10-09 19:59:19 -07:00
vmxnet3
wan net/wan: dscc4: remove broken dscc4 driver 2019-09-16 09:14:41 +02:00
wimax wimax/i2400m: remove unlikely() from WARN*() condition 2019-09-26 10:10:30 -07:00
wireless mac80211_hwsim: fix incorrect dev_alloc_name failure goto 2019-10-04 13:59:48 +02:00
xen-netback Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-08-19 11:54:03 -07:00
dummy.c
eql.c
geneve.c Convert usage of IN_MULTICAST to ipv4_is_multicast 2019-09-05 09:38:32 +02:00
gtp.c
ifb.c
Kconfig drivers: net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
LICENSE.SRC
loopback.c
macsec.c macsec: drop skb sk before calling gro_cells_receive 2019-09-26 09:25:03 +02:00
macvlan.c
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c net: tap: clean up an indentation issue 2019-09-27 20:58:35 +02:00
thunderbolt.c
tun.c tun: remove possible false sharing in tun_flow_update() 2019-10-09 21:29:33 -07:00
veth.c
virtio_net.c netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
vrf.c netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
vsockmon.c
vxlan.c
xen-netfront.c xen-netfront: do not use ~0U as error return value for xennet_fill_frags() 2019-10-01 21:49:51 -04:00