From: Ben Hutchings <ben@decadent.org.uk>
To: Francesco Ruggeri <fruggeri@arista.com>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
akpm@linux-foundation.org,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Francesco Ruggeri <fruggeri@aristanetworks.com>
Subject: Re: [PATCH 3.2 42/70] net: possible use after free in dst_release
Date: Mon, 18 Jan 2016 11:50:24 +0000 [thread overview]
Message-ID: <1453117824.2519.114.camel@decadent.org.uk> (raw)
In-Reply-To: <CA+HUmGh5Qf7mtWVaqemC7eA9go=gziK8jtC9z4D0=kG6pBGW1g@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2251 bytes --]
On Sun, 2016-01-17 at 19:49 -0800, Francesco Ruggeri wrote:
> On Sun, Jan 17, 2016 at 7:18 PM, Ben Hutchings <ben@decadent.org.uk> wrote:
> > 3.2.76-rc1 review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Francesco Ruggeri <fruggeri@aristanetworks.com>
> >
> > commit 07a5d38453599052aff0877b16bb9c1585f08609 upstream.
> >
> > dst_release should not access dst->flags after decrementing
> > __refcnt to 0. The dst_entry may be in dst_busy_list and
> > dst_gc_task may dst_destroy it before dst_release gets a chance
> > to access dst->flags.
> >
> > Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()")
> > Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
> > Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
> > Acked-by: Eric Dumazet <edumazet@google.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> > [bwh: Backported to 3.2: adjust context]
> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > ---
> > net/core/dst.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > --- a/net/core/dst.c
> > +++ b/net/core/dst.c
> > @@ -269,10 +269,11 @@ void dst_release(struct dst_entry *dst)
> > {
> > if (dst) {
> > int newrefcnt;
> > + unsigned short nocache = dst->flags & DST_NOCACHE;
>
> Only one minor thing. Before 3.6 dst->flags was an int.
I noticed that - but no flags outside the 16-bit range are assigned, so
I think this is OK.
Ben.
> Thanks,
> Francesco
>
> >
> > newrefcnt = atomic_dec_return(&dst->__refcnt);
> > WARN_ON(newrefcnt < 0);
> > - if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE)) {
> > + if (!newrefcnt && unlikely(nocache)) {
> > dst = dst_destroy(dst);
> > if (dst)
> > __dst_free(dst);
> >
--
Ben Hutchings
A free society is one where it is safe to be unpopular. - Adlai Stevenson
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]
next prev parent reply other threads:[~2016-01-18 11:50 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-18 3:18 [PATCH 3.2 00/70] 3.2.76-rc1 review Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 70/70] HID: dragonrise: fix HID Descriptor for 0x0006 PID Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 32/70] KEYS: Fix race between read and revoke Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 30/70] USB: ipaq.c: fix a timeout loop Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 04/70] crypto: skcipher - Copy iv from desc even for 0-len walks Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 19/70] s390/dis: Fix handling of format specifiers Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 24/70] xen/pciback: Save xen_pci_op commands before processing it Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 52/70] ahci: add new Intel device IDs Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 63/70] i2c: i801: Add Device IDs for Intel Sunrise Point PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 28/70] xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 51/70] ahci: Add Marvell 88se91a2 device id Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 50/70] ahci: Remove Device ID for Intel Sunrise Point PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 22/70] xen-netback: use RING_COPY_REQUEST() throughout Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 17/70] net: fix warnings in 'make htmldocs' by moving macro definition out of field declaration Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 09/70] ALSA: tlv: compute TLV_*_ITEM lengths automatically Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 64/70] i2c: i801: Add DeviceIDs for SunrisePoint LP Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 29/70] xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 23/70] xen-blkback: only read request operation from shared ring once Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 34/70] ipv6/addrlabel: fix ip6addrlbl_get() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 47/70] vmstat: allocate vmstat_wq before it is used Ben Hutchings
2016-01-18 22:26 ` Luis Henriques
2016-01-18 3:18 ` [PATCH 3.2 02/70] ipv6: sctp: fix lockdep splat in sctp_v6_get_dst() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 26/70] xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 69/70] cdrom: Random writing support for BD-RE media Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 61/70] i2c: i801: Add device ID for Intel Wildcat Point PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 42/70] net: possible use after free in dst_release Ben Hutchings
2016-01-18 3:49 ` Francesco Ruggeri
2016-01-18 11:50 ` Ben Hutchings [this message]
2016-01-18 3:18 ` [PATCH 3.2 35/70] ocfs2: fix BUG when calculate new backup super Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 05/70] rfkill: copy the name into the rfkill struct Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 43/70] KVM: x86: Reload pit counters for all channels when restoring state Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 08/70] tty: Fix GPF in flush_to_ldisc() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 12/70] sh_eth: fix TX buffer byte-swapping Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 33/70] parisc: Fix syscall restarts Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 31/70] USB: fix invalid memory access in hub_activate() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 16/70] scripts: recordmcount: break hardlinks Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 40/70] genirq: Prevent chip buslock deadlock Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 54/70] ahci: Order SATA device IDs for codename Lewisburg Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 15/70] spi: fix parent-device reference leak Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 48/70] ahci: Add Device IDs for Intel Wellsburg PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 66/70] i2c: i801: Add support for Intel Broxton Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 39/70] net/core: revert "net: fix __netdev_update_features return.." and add comment Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 44/70] kvm: x86: only channel 0 of the i8254 is linked to the HPET Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 36/70] mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 38/70] drm/radeon: fix hotplug race at startup Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 46/70] udp: properly support MSG_PEEK with truncated buffers Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 14/70] ser_gigaset: fix deallocation of platform device structure Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 68/70] i2c: i801: add Intel Lewisburg device IDs Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 45/70] Revert "net: add length argument to skb_copy_and_csum_datagram_iovec" Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 27/70] xen/pciback: Do not install an IRQ handler for MSI interrupts Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 49/70] ahci: Add JMicron 362 device IDs Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 07/70] ses: fix additional element traversal bug Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 18/70] ftrace/scripts: Have recordmcount copy the object file Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 41/70] ftrace/scripts: Fix incorrect use of sprintf in recordmcount Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 21/70] xen-netback: don't use last request to determine minimum Tx credit Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 20/70] xen: Add RING_COPY_REQUEST() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 62/70] i2c: i801: Add PCI ID for Intel Braswell Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 56/70] i2c: i801: Add Device IDs for Intel Wellsburg PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 65/70] i2c: i801: Add support for Intel DNV Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 25/70] xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 13/70] mISDN: fix a loop count Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 67/70] i2c: i801: Document Intel DNV and Broxton Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 57/70] i2c: i801: SMBus patch for Intel Coleto Creek DeviceIDs Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 03/70] video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 60/70] i2c: i801: Fix the alignment of the device table Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 10/70] ALSA: tlv: add DECLARE_TLV_DB_RANGE() Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 59/70] i2c: i801: enable Intel BayTrail SMBUS Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 58/70] i2c: i801: Add Device IDs for Intel Wildcat Point-LP PCH Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 06/70] ses: Fix problems with simple enclosures Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 55/70] i2c: i801: SMBus patch for Intel Avoton DeviceIDs Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 37/70] MIPS: Fix restart of indirect syscalls Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 01/70] sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 11/70] ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly Ben Hutchings
2016-01-18 3:18 ` [PATCH 3.2 53/70] ahci: Add Device ID for Intel Sunrise Point PCH Ben Hutchings
2016-01-18 3:45 ` [PATCH 3.2 00/70] 3.2.76-rc1 review Ben Hutchings
2016-01-18 9:12 ` Guenter Roeck
2016-01-18 11:50 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1453117824.2519.114.camel@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=fruggeri@aristanetworks.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox