From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, YueHaibing <yuehaibing@huawei.com>,
	Hulk Robot <hulkci@huawei.com>, Kees Cook <keescook@chromium.org>,
	Luis Chamberlain <mcgrof@kernel.org>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.18 07/86] fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
Date: Wed, 15 May 2019 12:54:44 +0200	[thread overview]
Message-ID: <20190515090643.908752341@linuxfoundation.org> (raw)
In-Reply-To: <20190515090642.339346723@linuxfoundation.org>

From: YueHaibing <yuehaibing@huawei.com>

commit 89189557b47b35683a27c80ee78aef18248eefb4 upstream.

Syzkaller reported this:

  sysctl could not get directory: /net//bridge -12
  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN PTI
  CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
  RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline]
  RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline]
  RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline]
  RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459
  Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48
  RSP: 0018:ffff8881bb507778 EFLAGS: 00010206
  RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a
  RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568
  RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4
  R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  FS:  00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   erase_entry fs/proc/proc_sysctl.c:178 [inline]
   erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207
   start_unregistering fs/proc/proc_sysctl.c:331 [inline]
   drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631
   get_subdir fs/proc/proc_sysctl.c:1022 [inline]
   __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
   br_netfilter_init+0x68/0x1000 [br_netfilter]
   do_one_initcall+0xbc/0x47d init/main.c:901
   do_init_module+0x1b5/0x547 kernel/module.c:3456
   load_module+0x6405/0x8c10 kernel/module.c:3804
   __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
   entry_SYSCALL_64_after_hwframe+0x49/0xbe
  Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle
   iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter]
  Dumping ftrace buffer:
     (ftrace buffer empty)
  ---[ end trace 68741688d5fbfe85 ]---

commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer
dereference in put_links") forgot to handle the start_unregistering() case:
while header->parent is NULL, it calls erase_header(), and, as seen in the
above syzkaller call trace, accessing &header->parent->root will trigger
a NULL pointer dereference.

As that commit explained, there is also no need to call
start_unregistering() if header->parent is NULL.

Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com
Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links")
Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/proc_sysctl.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -1512,9 +1512,11 @@ static void drop_sysctl_table(struct ctl
 	if (--header->nreg)
 		return;
 
-	if (parent)
+	if (parent) {
 		put_links(header);
-	start_unregistering(header);
+		start_unregistering(header);
+	}
+
 	if (!--header->count)
 		kfree_rcu(header, rcu);
 
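Review bot: Placing start_unregistering() under the same `if (parent)` guard as put_links() is the right fix, but nothing in the hunk records why a header with a NULL parent may skip it; a one-line comment above `if (parent) {` noting that erase_header() reaches through header->parent->root (the dereference in the call trace above) would keep a later backport from re-splitting the two calls. The parentless header is still released by the unchanged `if (!--header->count)` / `kfree_rcu()` path that follows, so the early skip does not leak it.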


