From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Masahiro Fujiwara <fujiwara.masahiro@gmail.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.4 16/49] gtp: fix an use-before-init in gtp_newlink()
Date: Sat, 31 Oct 2020 12:35:12 +0100 [thread overview]
Message-ID: <20201031113456.231051332@linuxfoundation.org> (raw)
In-Reply-To: <20201031113455.439684970@linuxfoundation.org>
From: Masahiro Fujiwara <fujiwara.masahiro@gmail.com>
[ Upstream commit 51467431200b91682b89d31317e35dcbca1469ce ]
*_pdp_find() from gtp_encap_recv() would trigger a crash when a peer
sends GTP packets while creating new GTP device.
RIP: 0010:gtp1_pdp_find.isra.0+0x68/0x90 [gtp]
<SNIP>
Call Trace:
<IRQ>
gtp_encap_recv+0xc2/0x2e0 [gtp]
? gtp1_pdp_find.isra.0+0x90/0x90 [gtp]
udp_queue_rcv_one_skb+0x1fe/0x530
udp_queue_rcv_skb+0x40/0x1b0
udp_unicast_rcv_skb.isra.0+0x78/0x90
__udp4_lib_rcv+0x5af/0xc70
udp_rcv+0x1a/0x20
ip_protocol_deliver_rcu+0xc5/0x1b0
ip_local_deliver_finish+0x48/0x50
ip_local_deliver+0xe5/0xf0
? ip_protocol_deliver_rcu+0x1b0/0x1b0
gtp_encap_enable() should be called after gtp_hastable_new() otherwise
*_pdp_find() will access the uninitialized hash table.
Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
Signed-off-by: Masahiro Fujiwara <fujiwara.masahiro@gmail.com>
Link: https://lore.kernel.org/r/20201027114846.3924-1-fujiwara.masahiro@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/gtp.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -663,10 +663,6 @@ static int gtp_newlink(struct net *src_n
gtp = netdev_priv(dev);
- err = gtp_encap_enable(gtp, data);
- if (err < 0)
- return err;
-
if (!data[IFLA_GTP_PDP_HASHSIZE]) {
hashsize = 1024;
} else {
@@ -677,12 +673,16 @@ static int gtp_newlink(struct net *src_n
err = gtp_hashtable_new(gtp, hashsize);
if (err < 0)
- goto out_encap;
+ return err;
+
+ err = gtp_encap_enable(gtp, data);
+ if (err < 0)
+ goto out_hashtable;
err = register_netdevice(dev);
if (err < 0) {
netdev_dbg(dev, "failed to register new netdev %d\n", err);
- goto out_hashtable;
+ goto out_encap;
}
gn = net_generic(dev_net(dev), gtp_net_id);
@@ -693,11 +693,11 @@ static int gtp_newlink(struct net *src_n
return 0;
+out_encap:
+ gtp_encap_disable(gtp);
out_hashtable:
kfree(gtp->addr_hash);
kfree(gtp->tid_hash);
-out_encap:
- gtp_encap_disable(gtp);
return err;
}
next prev parent reply other threads:[~2020-10-31 11:35 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-31 11:34 [PATCH 5.4 00/49] 5.4.74-rc1 review Greg Kroah-Hartman
2020-10-31 11:34 ` [PATCH 5.4 01/49] netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create Greg Kroah-Hartman
2020-10-31 11:34 ` [PATCH 5.4 02/49] socket: dont clear SOCK_TSTAMP_NEW when SO_TIMESTAMPNS is disabled Greg Kroah-Hartman
2020-10-31 11:34 ` [PATCH 5.4 03/49] objtool: Support Clang non-section symbols in ORC generation Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 04/49] scripts/setlocalversion: make git describe output more reliable Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 05/49] arm64: Run ARCH_WORKAROUND_1 enabling code on all CPUs Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 06/49] arm64: Run ARCH_WORKAROUND_2 " Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 07/49] arm64: link with -z norelro regardless of CONFIG_RELOCATABLE Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 08/49] x86/PCI: Fix intel_mid_pci.c build error when ACPI is not enabled Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 09/49] efivarfs: Replace invalid slashes with exclamation marks in dentries Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 10/49] bnxt_en: Check abort error state in bnxt_open_nic() Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 11/49] bnxt_en: Send HWRM_FUNC_RESET fw command unconditionally Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 12/49] chelsio/chtls: fix deadlock issue Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 13/49] chelsio/chtls: fix memory leaks in CPL handlers Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 14/49] chelsio/chtls: fix tls record info to user Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 15/49] cxgb4: set up filter action after rewrites Greg Kroah-Hartman
2020-10-31 11:35 ` Greg Kroah-Hartman [this message]
2020-10-31 11:35 ` [PATCH 5.4 17/49] ibmvnic: fix ibmvnic_set_mac Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 18/49] mlxsw: core: Fix memory leak on module removal Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 19/49] netem: fix zero division in tabledist Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 20/49] net/sched: act_mpls: Add softdep on mpls_gso.ko Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 21/49] r8169: fix issue with forced threading in combination with shared interrupts Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 22/49] ravb: Fix bit fields checking in ravb_hwtstamp_get() Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 23/49] tcp: Prevent low rmem stalls with SO_RCVLOWAT Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 24/49] tipc: fix memory leak caused by tipc_buf_append() Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 25/49] net: hns3: Clear the CMDQ registers before unmapping BAR region Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 26/49] bnxt_en: Re-write PCI BARs after PCI fatal error Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 27/49] bnxt_en: Fix regression in workqueue cleanup logic in bnxt_remove_one() Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 28/49] bnxt_en: Invoke cancel_delayed_work_sync() for PFs also Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 29/49] erofs: avoid duplicated permission check for "trusted." xattrs Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 30/49] arch/x86/amd/ibs: Fix re-arming IBS Fetch Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 31/49] x86/xen: disable Firmware First mode for correctable memory errors Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 32/49] ata: ahci: mvebu: Make SATA PHY optional for Armada 3720 Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 33/49] fuse: fix page dereference after free Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 34/49] bpf: Fix comment for helper bpf_current_task_under_cgroup() Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 35/49] evm: Check size of security.evm before using it Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 36/49] p54: avoid accessing the data mapped to streaming DMA Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 37/49] cxl: Rework error message for incompatible slots Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 38/49] RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 39/49] mtd: lpddr: Fix bad logic in print_drs_error Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 40/49] drm/i915/gem: Serialise debugfs i915_gem_objects with ctx->mutex Greg Kroah-Hartman
2020-10-31 11:42 ` Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 41/49] serial: qcom_geni_serial: To correct QUP Version detection logic Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 42/49] serial: pl011: Fix lockdep splat when handling magic-sysrq interrupt Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 43/49] PM: runtime: Fix timer_expires data type on 32-bit arches Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 44/49] ata: sata_rcar: Fix DMA boundary mask Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 45/49] xen/gntdev.c: Mark pages as dirty Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 46/49] crypto: x86/crc32c - fix building with clang ias Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 47/49] openrisc: Fix issue with get_user for 64-bit values Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 48/49] misc: rtsx: do not setting OC_POWER_DOWN reg in rtsx_pci_init_ocp() Greg Kroah-Hartman
2020-10-31 11:35 ` [PATCH 5.4 49/49] phy: marvell: comphy: Convert internal SMCC firmware return codes to errno Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201031113456.231051332@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fujiwara.masahiro@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.