leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
032be5f19a
linux/net
History
Eric Dumazet 032be5f19a rxrpc: fix race condition in rxrpc_input_packet() 
After commit 5271953cad ("rxrpc: Use the UDP encap_rcv hook"),
rxrpc_input_packet() is directly called from lockless UDP receive
path, under rcu_read_lock() protection.

It must therefore use RCU rules :

- udp_sk->sk_user_data can be cleared at any point in this function.
  rcu_dereference_sk_user_data() is what we need here.

- Also, since sk_user_data might have been set in rxrpc_open_socket()
  we must observe a proper RCU grace period before kfree(local) in
  rxrpc_lookup_local()

v4: @local can be NULL in xrpc_lookup_local() as reported by kbuild test robot <lkp@intel.com>
        and Julia Lawall <julia.lawall@lip6.fr>, thanks !

v3,v2 : addressed David Howells feedback, thanks !

syzbot reported :

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 19236 Comm: syz-executor703 Not tainted 5.1.0-rc6 #79
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0xbef/0x3fb0 kernel/locking/lockdep.c:3573
Code: 00 0f 85 a5 1f 00 00 48 81 c4 10 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 4a 21 00 00 49 81 7d 00 20 54 9c 89 0f 84 cf f4
RSP: 0018:ffff88809d7aef58 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000026 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff88809d7af090 R08: 0000000000000001 R09: 0000000000000001
R10: ffffed1015d05bc7 R11: ffff888089428600 R12: 0000000000000000
R13: 0000000000000130 R14: 0000000000000001 R15: 0000000000000001
FS:  00007f059044d700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b6040 CR3: 00000000955ca000 CR4: 00000000001406f0
Call Trace:
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4211
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
 skb_queue_tail+0x26/0x150 net/core/skbuff.c:2972
 rxrpc_reject_packet net/rxrpc/input.c:1126 [inline]
 rxrpc_input_packet+0x4a0/0x5536 net/rxrpc/input.c:1414
 udp_queue_rcv_one_skb+0xaf2/0x1780 net/ipv4/udp.c:2011
 udp_queue_rcv_skb+0x128/0x730 net/ipv4/udp.c:2085
 udp_unicast_rcv_skb.isra.0+0xb9/0x360 net/ipv4/udp.c:2245
 __udp4_lib_rcv+0x701/0x2ca0 net/ipv4/udp.c:2301
 udp_rcv+0x22/0x30 net/ipv4/udp.c:2482
 ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208
 ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:413
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:523
 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4987
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5099
 netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5202
 napi_frags_finish net/core/dev.c:5769 [inline]
 napi_gro_frags+0xade/0xd10 net/core/dev.c:5843
 tun_get_user+0x2f24/0x3fb0 drivers/net/tun.c:1981
 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2027
 call_write_iter include/linux/fs.h:1866 [inline]
 do_iter_readv_writev+0x5e1/0x8e0 fs/read_write.c:681
 do_iter_write fs/read_write.c:957 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:938
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1002
 do_writev+0x15e/0x370 fs/read_write.c:1037
 __do_sys_writev fs/read_write.c:1110 [inline]
 __se_sys_writev fs/read_write.c:1107 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1107
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 5271953cad ("rxrpc: Use the UDP encap_rcv hook")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-24 14:05:09 -07:00
..
6lowpan
9p 9p/net: fix memory leak in p9_client_create 2019-03-13 11:50:04 +01:00
802
8021q vlan: conditional inclusion of FCoE hooks to match netdevice.h and bnx2x 2019-04-04 17:18:34 -07:00
appletalk appletalk: Fix potential NULL pointer dereference in unregister_snap_client 2019-03-15 11:25:48 -07:00
atm net: atm: Fix potential Spectre v1 vulnerabilities 2019-04-16 21:01:45 -07:00
ax25
batman-adv batman-adv: Fix genl notification for throughput_override 2019-03-25 09:31:19 +01:00
bluetooth Bluetooth: Check address length before reading address field 2019-04-12 10:25:03 -07:00
bpf bpf: fix warning about using plain integer as NULL 2019-03-08 21:17:07 +01:00
bpfilter bpfilter: re-add header search paths to tools include to fix build error 2019-02-23 13:34:40 -08:00
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2019-04-22 21:23:55 -07:00
caif net: caif: use skb helpers instead of open-coding them 2019-02-17 11:01:17 -08:00
can
ceph libceph: fix breakage caused by multipage bvecs 2019-03-25 22:28:07 +01:00
core socket: fix compat SO_RCVTIMEO_NEW/SO_SNDTIMEO_NEW 2019-04-16 21:52:22 -07:00
dcb
dccp dccp: Fix memleak in __feat_register_sp 2019-04-01 18:15:10 -07:00
decnet
dns_resolver
dsa net: dsa: Implement flow_dissect callback for tag_qca 2019-03-28 16:57:19 -07:00
ethernet net/ethernet: Add parse_protocol header_ops support 2019-02-22 12:55:31 -08:00
hsr net/hsr: fix possible crash in add_timer() 2019-03-07 11:02:08 -08:00
ieee802154 net: remove unused struct inet_frag_queue.fragments field 2019-02-26 08:27:05 -08:00
ife
ipv4 ipv4: set the tcp_min_rtt_wlen range from 0 to one day 2019-04-17 13:57:11 -07:00
ipv6 net: ipv6: addrlabel: fix spelling mistake "requewst" -> "request" 2019-04-18 10:44:17 -07:00
iucv
kcm kcm: switch order of device registration to fix a crash 2019-04-01 14:59:20 -07:00
key af_key: unconditionally clone on broadcast 2019-02-12 10:36:42 +01:00
l2tp l2tp: fix infoleak in l2tp_ip6_recvmsg() 2019-03-13 14:19:35 -07:00
l3mdev
lapb
llc llc: Check address length before reading address field 2019-04-12 10:25:03 -07:00
mac80211 mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode 2019-04-09 13:40:32 +02:00
mac802154
mpls mpls: Fix 6PE forwarding 2019-03-19 16:00:22 -07:00
ncsi net/ncsi: handle overflow when incrementing mac address 2019-04-23 21:15:15 -07:00
netfilter netfilter: fix nf_l4proto_log_invalid to log invalid packets 2019-04-22 10:38:50 +02:00
netlabel netlabel: fix out-of-bounds memory accesses 2019-02-27 21:45:24 -08:00
netlink net: netlink: Check address length before reading groups field 2019-04-12 10:25:03 -07:00
netrom net: netrom: Fix error cleanup path of nr_proto_init 2019-04-11 13:59:49 -07:00
nfc NFC: nci: Add some bounds checking in nci_hci_cmd_received() 2019-04-06 15:05:07 -07:00
nsh
openvswitch openvswitch: fix flow actions reallocation 2019-03-28 17:15:44 -07:00
packet net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec 2019-03-20 10:46:50 -07:00
phonet phonet: fix building with clang 2019-02-21 16:23:56 -08:00
psample
qrtr mm: replace all open encodings for NUMA_NO_NODE 2019-03-05 21:07:14 -08:00
rds net: rds: exchange of 8K and 1M pool 2019-04-24 12:07:08 -07:00
rfkill
rose net: rose: fix a possible stack overflow 2019-03-18 16:53:22 -07:00
rxrpc rxrpc: fix race condition in rxrpc_input_packet() 2019-04-24 14:05:09 -07:00
sched sch_cake: Make sure we can write the IP header before changing DSCP bits 2019-04-04 10:55:59 -07:00
sctp sctp: Check address length before reading address family 2019-04-12 10:25:03 -07:00
smc net/smc: move unhash before release of clcsock 2019-04-11 11:04:08 -07:00
strparser net: strparser: partially revert "strparser: Call skb_unclone conditionally" 2019-04-10 13:07:02 -07:00
sunrpc Revert "SUNRPC: Micro-optimise when the task is known not to be sleeping" 2019-04-11 15:41:14 -04:00
switchdev switchdev: Remove unused transaction item queue 2019-03-01 21:35:19 -08:00
tipc tipc: set sysctl_tipc_rmem and named_timeout right range 2019-04-16 21:32:02 -07:00
tls net/tls: don't leak IV and record seq when offload fails 2019-04-20 20:36:51 -07:00
unix io_uring-2019-03-06 2019-03-08 14:48:40 -08:00
vmw_vsock vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock 2019-03-08 15:15:44 -08:00
wimax
wireless nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands 2019-03-29 11:23:09 +01:00
x25 net/x25: reset state in x25_connect() 2019-03-11 15:40:14 -07:00
xdp xsk: fix umem memory leak on cleanup 2019-03-16 01:27:51 +01:00
xfrm xfrm: Fix inbound traffic via XFRM interfaces across network namespaces 2019-02-18 10:58:54 +01:00
compat.c Merge branch 'timers-2038-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-05 14:08:26 -08:00
Kconfig net: devlink: turn devlink into a built-in 2019-02-26 08:49:05 -08:00
Makefile net: split out functions related to registering inflight socket files 2019-02-28 08:24:23 -07:00
socket.c net: add documentation to socket.c 2019-03-15 15:29:47 -07:00
sysctl_net.c