From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
David Ahern <dsa@cumulusnetworks.com>,
"David S. Miller" <davem@davemloft.net>,
Ben Hutchings <ben@decadent.org.uk>
Subject: [PATCH 4.3 02/55] vrf: fix double free and memory corruption on register_netdevice failure
Date: Wed, 20 Jan 2016 16:43:37 -0800 [thread overview]
Message-ID: <20160120232227.553495820@linuxfoundation.org> (raw)
In-Reply-To: <20160120232227.417513468@linuxfoundation.org>
4.3-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
commit 7f109f7cc37108cba7243bc832988525b0d85909 upstream.
When vrf's ->newlink is called, if register_netdevice() fails then it
does free_netdev(), but that's also done by rtnl_newlink() so a second
free happens and memory gets corrupted, to reproduce execute the
following line a couple of times (1 - 5 usually is enough):
$ for i in `seq 1 5`; do ip link add vrf: type vrf table 1; done;
This works because we fail in register_netdevice() because of the wrong
name "vrf:".
And here's a trace of one crash:
[ 28.792157] ------------[ cut here ]------------
[ 28.792407] kernel BUG at fs/namei.c:246!
[ 28.792608] invalid opcode: 0000 [#1] SMP
[ 28.793240] Modules linked in: vrf nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace sunrpc crct10dif_pclmul crc32_pclmul crc32c_intel qxl drm_kms_helper ttm drm aesni_intel aes_x86_64 psmouse glue_helper lrw evdev gf128mul i2c_piix4 ablk_helper cryptd ppdev parport_pc parport serio_raw pcspkr virtio_balloon virtio_console i2c_core acpi_cpufreq button 9pnet_virtio 9p 9pnet fscache ipv6 autofs4 ext4 crc16 mbcache jbd2 virtio_blk virtio_net sg sr_mod cdrom ata_generic ehci_pci uhci_hcd ehci_hcd e1000 usbcore usb_common ata_piix libata virtio_pci virtio_ring virtio scsi_mod floppy
[ 28.796016] CPU: 0 PID: 1148 Comm: ld-linux-x86-64 Not tainted
4.4.0-rc1+ #24
[ 28.796016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
[ 28.796016] task: ffff8800352561c0 ti: ffff88003592c000 task.ti: ffff88003592c000
[ 28.796016] RIP: 0010:[<ffffffff812187b3>] [<ffffffff812187b3>] putname+0x43/0x60
[ 28.796016] RSP: 0018:ffff88003592fe88 EFLAGS: 00010246
[ 28.796016] RAX: 0000000000000000 RBX: ffff8800352561c0 RCX: 0000000000000001
[ 28.796016] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003784f000
[ 28.796016] RBP: ffff88003592ff08 R08: 0000000000000001 R09: 0000000000000000
[ 28.796016] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[ 28.796016] R13: 000000000000047c R14: ffff88003784f000 R15: ffff8800358c4a00
[ 28.796016] FS: 0000000000000000(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[ 28.796016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.796016] CR2: 00007ffd583bc2d9 CR3: 0000000035a99000 CR4: 00000000000406f0
[ 28.796016] Stack:
[ 28.796016] ffffffff8121045d ffffffff812102d3 ffff8800352561c0 ffff880035a91660
[ 28.796016] ffff8800008a9880 0000000000000000 ffffffff81a49940 00ffffff81218684
[ 28.796016] ffff8800352561c0 000000000000047c 0000000000000000 ffff880035b36d80
[ 28.796016] Call Trace:
[ 28.796016] [<ffffffff8121045d>] ? do_execveat_common.isra.34+0x74d/0x930
[ 28.796016] [<ffffffff812102d3>] ? do_execveat_common.isra.34+0x5c3/0x930
[ 28.796016] [<ffffffff8121066c>] do_execve+0x2c/0x30
[ 28.796016] [<ffffffff810939a0>] call_usermodehelper_exec_async+0xf0/0x140
[ 28.796016] [<ffffffff810938b0>] ? umh_complete+0x40/0x40
[ 28.796016] [<ffffffff815cb1af>] ret_from_fork+0x3f/0x70
[ 28.796016] Code: 48 8d 47 1c 48 89 e5 53 48 8b 37 48 89 fb 48 39 c6 74 1a 48 8b 3d 7e e9 8f 00 e8 49 fa fc ff 48 89 df e8 f1 01 fd ff 5b 5d f3 c3 <0f> 0b 48 89 fe 48 8b 3d 61 e9 8f 00 e8 2c fa fc ff 5b 5d eb e9
[ 28.796016] RIP [<ffffffff812187b3>] putname+0x43/0x60
[ 28.796016] RSP <ffff88003592fe88>
Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: For 4.3, retain the kfree() on failure]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/vrf.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -608,7 +608,6 @@ static int vrf_newlink(struct net *src_n
out_fail:
kfree(vrf_ptr);
- free_netdev(dev);
return err;
}
next prev parent reply other threads:[~2016-01-21 0:46 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-21 0:43 [PATCH 4.3 00/55] 4.3.4-stable review Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 01/55] Revert "vrf: fix double free and memory corruption on register_netdevice failure" Greg Kroah-Hartman
2016-01-21 0:43 ` Greg Kroah-Hartman [this message]
2016-01-21 1:37 ` [PATCH 4.3 02/55] vrf: fix double free and memory corruption on register_netdevice failure Ben Hutchings
2016-01-22 7:53 ` Greg Kroah-Hartman
2016-01-22 7:53 ` Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 03/55] tipc: Fix kfree_skb() of uninitialised pointer Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 04/55] ACPI: Use correct IRQ when uninstalling ACPI interrupt handler Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 05/55] ACPI: Using correct irq when waiting for events Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 06/55] ACPI / PM: Fix incorrect wakeup IRQ setting during suspend-to-idle Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 07/55] tpm, tpm_tis: fix tpm_tis ACPI detection issue with TPM 2.0 Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 08/55] toshiba_acpi: Initialize hotkey_event_type variable Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 09/55] USB: cdc_acm: Ignore Infineon Flash Loader utility Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 10/55] USB: serial: Another Infineon flash loader USB ID Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 11/55] usb-storage: Fix scsi-sd failure "Invalid field in cdb" for USB adapter JMicron Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 12/55] USB: cp210x: Remove CP2110 ID from compatibility list Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 13/55] USB: add quirk for devices with broken LPM Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 14/55] USB: whci-hcd: add check for dma mapping error Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 15/55] usb: gadget: pxa27x: fix suspend callback Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 16/55] USB: host: ohci-at91: fix a crash in ohci_hcd_at91_overcurrent_irq Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 17/55] usb: musb: USB_TI_CPPI41_DMA requires dmaengine support Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 18/55] usb: core : hub: Fix BOS NULL pointer kernel panic Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 19/55] usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 20/55] pppoe: fix memory corruption in padt work structure Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 21/55] gre6: allow to update all parameters via rtnl Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 22/55] atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation Greg Kroah-Hartman
2016-01-21 0:43 ` [PATCH 4.3 24/55] vxlan: fix incorrect RCO bit in VXLAN header Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 25/55] sctp: use the same clock as if sock source timestamps were on Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 26/55] sctp: update the netstamp_needed counter when copying sockets Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 27/55] sctp: also copy sk_tsflags when copying the socket Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 29/55] net: qca_spi: fix transmit queue timeout handling Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 30/55] r8152: fix lockup when runtime PM is enabled Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 31/55] ipv6: sctp: clone options to avoid use after free Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 32/55] phy: micrel: Fix finding PHY properties in MAC node Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 33/55] openvswitch: Fix helper reference leak Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 34/55] openvswitch: Respect conntrack zone even if invalid Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 35/55] uapi: export ila.h Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 37/55] sh_eth: fix kernel oops in skb_put() Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 38/55] net: fix IP early demux races Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 39/55] pptp: verify sockaddr_len in pptp_bind() and pptp_connect() Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 40/55] vlan: Fix untag operations of stacked vlans with REORDER_HEADER off Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 41/55] skbuff: Fix offset error in skb_reorder_vlan_header Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 42/55] net: check both type and procotol for tcp sockets Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 43/55] net_sched: make qdisc_tree_decrease_qlen() work for non mq Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 44/55] bluetooth: Validate socket address length in sco_sock_bind() Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 45/55] net: fix uninitialized variable issue Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 47/55] inet: tcp: fix inetpeer_set_addr_v4() Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 48/55] rhashtable: Enforce minimum size on initial hash table Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 49/55] gianfar: Dont enable RX Filer if not supported Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 50/55] fou: clean up socket with kfree_rcu Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 51/55] af_unix: Revert lock_interruptible in stream receive code Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 52/55] tcp: restore fastopen with no data in SYN packet Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 53/55] rhashtable: Fix walker list corruption Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 54/55] KEYS: Fix race between read and revoke Greg Kroah-Hartman
2016-01-21 0:44 ` [PATCH 4.3 55/55] KEYS: Fix keyring ref leak in join_session_keyring() Greg Kroah-Hartman
2016-01-21 1:39 ` [PATCH 4.3 00/55] 4.3.4-stable review Shuah Khan
2016-01-22 7:51 ` Greg Kroah-Hartman
2016-01-21 9:42 ` Mel Gorman
2016-01-22 7:54 ` Greg Kroah-Hartman
2016-01-22 8:12 ` Mel Gorman
2016-01-21 12:24 ` Guenter Roeck
2016-01-22 7:51 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160120232227.553495820@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben@decadent.org.uk \
--cc=davem@davemloft.net \
--cc=dsa@cumulusnetworks.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nikolay@cumulusnetworks.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.