From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <alexander.levin@verizon.com>
Subject: [PATCH 4.4 063/105] ipv6: reorder icmpv6_init() and ip6_mr_init()
Date: Fri, 15 Dec 2017 10:45:01 +0100 [thread overview]
Message-ID: <20171215092309.166989341@linuxfoundation.org> (raw)
In-Reply-To: <20171215092305.994559179@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: WANG Cong <xiyou.wangcong@gmail.com>
[ Upstream commit 15e668070a64bb97f102ad9cf3bccbca0545cda8 ]
Andrey reported the following kernel crash:
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88001f311700 task.stack: ffff88001f6e8000
RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618
RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000
RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020
RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000
R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040
FS: 00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217
inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
sock_release+0x8d/0x1e0 net/socket.c:597
__sock_create+0x39d/0x880 net/socket.c:1226
sock_create_kern+0x3f/0x50 net/socket.c:1243
inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526
icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954
ops_init+0x10a/0x550 net/core/net_namespace.c:115
setup_net+0x261/0x660 net/core/net_namespace.c:291
copy_net_ns+0x27e/0x540 net/core/net_namespace.c:396
9pnet_virtio: no channels available for device ./file1
create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106
unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
SYSC_unshare kernel/fork.c:2281 [inline]
SyS_unshare+0x64e/0x1000 kernel/fork.c:2231
entry_SYSCALL_64_fastpath+0x1f/0xc2
This is because net->ipv6.mr6_tables is not initialized at that point:
ip6mr_rules_init() has not been called yet, so on the error path, when
we iterate over the list, we trigger this oops. Fix this by reordering
ip6mr_rules_init() before icmpv6_sk_init().
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/af_inet6.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -893,12 +893,12 @@ static int __init inet6_init(void)
err = register_pernet_subsys(&inet6_net_ops);
if (err)
goto register_pernet_fail;
- err = icmpv6_init();
- if (err)
- goto icmp_fail;
err = ip6_mr_init();
if (err)
goto ipmr_fail;
+ err = icmpv6_init();
+ if (err)
+ goto icmp_fail;
err = ndisc_init();
if (err)
goto ndisc_fail;
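Review bot: the ordering constraint this hunk introduces is not documented in the code: icmpv6_init() must now run after ip6_mr_init() because, as the trace above shows, the error path of the per-net icmpv6_sk_init() reaches ip6mr_sk_done(), which walks net->ipv6.mr6_tables, yet nothing next to the two calls says so and a later reorder would silently reintroduce the crash. Suggest a one-line comment above the `err = ip6_mr_init();` call, e.g. `/* must precede icmpv6_init(): icmpv6_sk_init()'s error path calls ip6mr_sk_done() */`. It would also help to reconcile the commit message, which describes the fix as reordering ip6mr_rules_init() before icmpv6_sk_init(), with the hunk, which reorders ip6_mr_init() and icmpv6_init(); the link is that the per-net init functions run in the order their callers register them.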
@@ -1016,10 +1016,10 @@ igmp_fail:
ndisc_cleanup();
ndisc_fail:
ip6_mr_cleanup();
-ipmr_fail:
- icmpv6_cleanup();
icmp_fail:
unregister_pernet_subsys(&inet6_net_ops);
+ipmr_fail:
+ icmpv6_cleanup();
register_pernet_fail:
sock_unregister(PF_INET6);
rtnl_unregister_all(PF_INET6);
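Review bot: the unwind labels in this hunk no longer mirror the new init order (register_pernet_subsys, ip6_mr_init, icmpv6_init, ndisc_init), so the error path is wrong. After this change a failure in ip6_mr_init() jumps to ipmr_fail and calls icmpv6_cleanup() for an icmpv6_init() that never ran, and it skips unregister_pernet_subsys(&inet6_net_ops) entirely because that call now sits under icmp_fail, above the relocated ipmr_fail; a failure in icmpv6_init() likewise runs icmpv6_cleanup() for a failed init, and a failure in ndisc_init() tears down ip6_mr, then the pernet ops, then icmpv6, rather than in reverse init order. The cleanup chain should be the exact reverse of the init sequence: `ndisc_fail: icmpv6_cleanup();` then `icmp_fail: ip6_mr_cleanup();` then `ipmr_fail: unregister_pernet_subsys(&inet6_net_ops);`, with register_pernet_fail: unchanged below them.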