From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Guillaume Nault <g.nault@alphalink.fr>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 06/23] l2ip: fix possible use-after-free
Date: Sat, 4 May 2019 12:25:08 +0200 [thread overview]
Message-ID: <20190504102451.775191829@linuxfoundation.org> (raw)
In-Reply-To: <20190504102451.512405835@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a622b40035d16196bf19b2b33b854862595245fc ]
Before taking a refcount on a rcu protected structure,
we need to make sure the refcount is not zero.
syzbot reported :
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 1 PID: 23533 at lib/refcount.c:156 refcount_inc_checked lib/refcount.c:156 [inline]
WARNING: CPU: 1 PID: 23533 at lib/refcount.c:156 refcount_inc_checked+0x61/0x70 lib/refcount.c:154
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 23533 Comm: syz-executor.2 Not tainted 5.1.0-rc7+ #93
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
panic+0x2cb/0x65c kernel/panic.c:214
__warn.cold+0x20/0x45 kernel/panic.c:571
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:refcount_inc_checked lib/refcount.c:156 [inline]
RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:154
Code: 1d 98 2b 2a 06 31 ff 89 de e8 db 2c 40 fe 84 db 75 dd e8 92 2b 40 fe 48 c7 c7 20 7a a1 87 c6 05 78 2b 2a 06 01 e8 7d d9 12 fe <0f> 0b eb c1 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41
RSP: 0018:ffff888069f0fba8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000f353 RSI: ffffffff815afcb6 RDI: ffffed100d3e1f67
RBP: ffff888069f0fbb8 R08: ffff88809b1845c0 R09: ffffed1015d23ef1
R10: ffffed1015d23ef0 R11: ffff8880ae91f787 R12: ffff8880a8f26968
R13: 0000000000000004 R14: dffffc0000000000 R15: ffff8880a49a6440
l2tp_tunnel_inc_refcount net/l2tp/l2tp_core.h:240 [inline]
l2tp_tunnel_get+0x250/0x580 net/l2tp/l2tp_core.c:173
pppol2tp_connect+0xc00/0x1c70 net/l2tp/l2tp_ppp.c:702
__sys_connect+0x266/0x330 net/socket.c:1808
__do_sys_connect net/socket.c:1819 [inline]
__se_sys_connect net/socket.c:1816 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:1816
Fixes: 54652eb12c1b ("l2tp: hold tunnel while looking up sessions in l2tp_netlink")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/l2tp/l2tp_core.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -169,8 +169,8 @@ struct l2tp_tunnel *l2tp_tunnel_get(cons
rcu_read_lock_bh();
list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
- if (tunnel->tunnel_id == tunnel_id) {
- l2tp_tunnel_inc_refcount(tunnel);
+ if (tunnel->tunnel_id == tunnel_id &&
+ refcount_inc_not_zero(&tunnel->ref_count)) {
rcu_read_unlock_bh();
return tunnel;
@@ -190,8 +190,8 @@ struct l2tp_tunnel *l2tp_tunnel_get_nth(
rcu_read_lock_bh();
list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
- if (++count > nth) {
- l2tp_tunnel_inc_refcount(tunnel);
+ if (++count > nth &&
+ refcount_inc_not_zero(&tunnel->ref_count)) {
rcu_read_unlock_bh();
return tunnel;
}
next prev parent reply other threads:[~2019-05-04 10:28 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-04 10:25 [PATCH 4.19 00/23] 4.19.40-stable review Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 01/23] ipv4: ip_do_fragment: Preserve skb_iif during fragmentation Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 02/23] ipv6: A few fixes on dereferencing rt->from Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 03/23] ipv6: fix races in ip6_dst_destroy() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 04/23] ipv6/flowlabel: wait rcu grace period before put_pid() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 05/23] ipv6: invert flowlabel sharing check in process and user mode Greg Kroah-Hartman
2019-05-04 10:25 ` Greg Kroah-Hartman [this message]
2019-05-04 10:25 ` [PATCH 4.19 07/23] l2tp: use rcu_dereference_sk_user_data() in l2tp_udp_encap_recv() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 08/23] net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 09/23] net: phy: marvell: Fix buffer overrun with stats counters Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 10/23] net/tls: avoid NULL pointer deref on nskb->sk in fallback Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 11/23] rxrpc: Fix net namespace cleanup Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 12/23] sctp: avoid running the sctp state machine recursively Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 13/23] selftests: fib_rule_tests: print the result and return 1 if any tests failed Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 14/23] packet: validate msg_namelen in send directly Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 15/23] bnxt_en: Improve multicast address setup logic Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 16/23] bnxt_en: Free short FW command HWRM memory in error path in bnxt_init_one() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 17/23] bnxt_en: Fix uninitialized variable usage in bnxt_rx_pkt() Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 18/23] net/tls: dont copy negative amounts of data in reencrypt Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 19/23] net/tls: fix copy to fragments " Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 20/23] KVM: x86: Whitelist port 0x7e for pre-incrementing %rip Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 21/23] KVM: nVMX: Fix size checks in vmx_set_nested_state Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 22/23] ALSA: line6: use dynamic buffers Greg Kroah-Hartman
2019-05-04 10:25 ` [PATCH 4.19 23/23] ath10k: Drop WARN_ON()s that always trigger during system resume Greg Kroah-Hartman
2019-05-04 18:46 ` [PATCH 4.19 00/23] 4.19.40-stable review kernelci.org bot
2019-05-04 23:32 ` Guenter Roeck
2019-05-05 3:00 ` Dan Rue
2019-05-05 7:08 ` Greg Kroah-Hartman
2019-05-05 8:53 ` Naresh Kamboju
2019-05-05 9:02 ` Greg Kroah-Hartman
2019-05-05 12:38 ` Dan Rue
2019-05-05 11:12 ` Bharath Vedartham
2019-05-05 11:53 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190504102451.775191829@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=g.nault@alphalink.fr \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.