From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 43/71] sit: do not call ipip6_dev_free() from sit_init_net()
Date: Mon, 20 Dec 2021 15:34:32 +0100 [thread overview]
Message-ID: <20211220143027.132613208@linuxfoundation.org> (raw)
In-Reply-To: <20211220143025.683747691@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit e28587cc491ef0f3c51258fdc87fbc386b1d4c59 ]
ipip6_dev_free is sit dev->priv_destructor, already called
by register_netdevice() if something goes wrong.
Alternative would be to make ipip6_dev_free() robust against
multiple invocations, but other drivers do not implement this
strategy.
syzbot reported:
dst_release underflow
WARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173
Modules linked in:
CPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173
Code: 4c 89 f2 89 d9 31 c0 5b 41 5e 5d e9 da d5 44 f9 e8 1d 90 5f f9 c6 05 87 48 c6 05 01 48 c7 c7 80 44 99 8b 31 c0 e8 e8 67 29 f9 <0f> 0b eb 85 0f 1f 40 00 53 48 89 fb e8 f7 8f 5f f9 48 83 c3 a8 48
RSP: 0018:ffffc9000aa5faa0 EFLAGS: 00010246
RAX: d6894a925dd15a00 RBX: 00000000ffffffff RCX: 0000000000040000
RDX: ffffc90005e19000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: 0000000000000000 R08: ffffffff816a1f42 R09: ffffed1017344f2c
R10: ffffed1017344f2c R11: 0000000000000000 R12: 0000607f462b1358
R13: 1ffffffff1bfd305 R14: ffffe8ffffcb1358 R15: dffffc0000000000
FS: 00007f66c71a2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88aaed5058 CR3: 0000000023e0f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160
ipip6_dev_free net/ipv6/sit.c:1414 [inline]
sit_init_net+0x229/0x550 net/ipv6/sit.c:1936
ops_init+0x313/0x430 net/core/net_namespace.c:140
setup_net+0x35b/0x9d0 net/core/net_namespace.c:326
copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470
create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226
ksys_unshare+0x57d/0xb50 kernel/fork.c:3075
__do_sys_unshare kernel/fork.c:3146 [inline]
__se_sys_unshare kernel/fork.c:3144 [inline]
__x64_sys_unshare+0x34/0x40 kernel/fork.c:3144
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f66c882ce99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f66c71a2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f66c893ff60 RCX: 00007f66c882ce99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000048040200
RBP: 00007f66c8886ff1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff6634832f R14: 00007f66c71a2300 R15: 0000000000022000
</TASK>
Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20211216111741.1387540-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/sit.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 7f9cae4c49e7e..16e75a996b749 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1876,7 +1876,6 @@ static int __net_init sit_init_net(struct net *net)
return 0;
err_reg_dev:
- ipip6_dev_free(sitn->fb_tunnel_dev);
free_netdev(sitn->fb_tunnel_dev);
err_alloc_dev:
return err;
--
2.33.0
next prev parent reply other threads:[~2021-12-20 14:47 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-20 14:33 [PATCH 5.4 00/71] 5.4.168-rc1 review Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 01/71] KVM: selftests: Make sure kvm_create_max_vcpus test wont hit RLIMIT_NOFILE Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 02/71] mac80211: mark TX-during-stop for TX in in_reconfig Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 03/71] mac80211: send ADDBA requests using the tid/queue of the aggregation session Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 04/71] firmware: arm_scpi: Fix string overflow in SCPI genpd driver Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 05/71] virtio_ring: Fix querying of maximum DMA mapping size for virtio device Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 06/71] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 07/71] dm btree remove: fix use after free in rebalance_children() Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 08/71] audit: improve robustness of the audit queue handling Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 09/71] iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 10/71] nfsd: fix use-after-free due to delegation race Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 11/71] arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 12/71] arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 13/71] arm64: dts: rockchip: fix audio-supply for Rock Pi 4 Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 14/71] mac80211: track only QoS data frames for admission control Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 15/71] hv: utils: add PTP_1588_CLOCK to Kconfig to fix build Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 16/71] ARM: socfpga: dts: fix qspi node compatible Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 17/71] clk: Dont parent clks until the parent is fully registered Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 18/71] selftests: net: Correct ping6 expected rc from 2 to 1 Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 19/71] s390/kexec_file: fix error handling when applying relocations Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 20/71] sch_cake: do not call cake_destroy() from cake_init() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 21/71] inet_diag: use jiffies_delta_to_msecs() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 22/71] inet_diag: fix kernel-infoleak for UDP sockets Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 23/71] selftests: Fix raw socket bind tests with VRF Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 24/71] selftests: Fix IPv6 address bind tests Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 25/71] dmaengine: st_fdma: fix MODULE_ALIAS Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 26/71] selftest/net/forwarding: declare NETIFS p9 p10 Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 27/71] mac80211: agg-tx: refactor sending addba Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 28/71] mac80211: agg-tx: dont schedule_and_wake_txq() under sta->lock Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 29/71] mac80211: accept aggregation sessions on 6 GHz Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 30/71] mac80211: fix lookup when adding AddBA extension element Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 31/71] net: sched: lock action when translating it to flow_action infra Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 32/71] flow_offload: return EOPNOTSUPP for the unsupported mpls action type Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 33/71] rds: memory leak in __rds_conn_create() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 34/71] soc/tegra: fuse: Fix bitwise vs. logical OR warning Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 35/71] igb: Fix removal of unicast MAC filters of VFs Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 36/71] igbvf: fix double free in `igbvf_probe` Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 37/71] ixgbe: set X550 MDIO speed before talking to PHY Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 38/71] netdevsim: Zero-initialize memory for new maps value in function nsim_bpf_map_alloc Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 39/71] net/packet: rx_owner_map depends on pg_vec Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 40/71] net: Fix double 0x prefix print in SKB dump Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 41/71] net/smc: Prevent smc_release() from long blocking Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 42/71] net: systemport: Add global locking for descriptor lifecycle Greg Kroah-Hartman
2021-12-20 14:34 ` Greg Kroah-Hartman [this message]
2021-12-20 14:34 ` [PATCH 5.4 44/71] USB: gadget: bRequestType is a bitfield, not a enum Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 45/71] USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04) Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 46/71] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 47/71] PCI/MSI: Mask MSI-X vectors only on success Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 48/71] usb: xhci: Extend support for runtime power management for AMDs Yellow carp Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 49/71] USB: serial: cp210x: fix CP2105 GPIO registration Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 50/71] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 51/71] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 52/71] libata: if T_LENGTH is zero, dma direction should be DMA_NONE Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 53/71] drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 54/71] mac80211: validate extended element ID is present Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 55/71] mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 56/71] Input: touchscreen - avoid bitwise vs logical OR warning Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 57/71] ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 58/71] xsk: Do not sleep in poll() when need_wakeup set Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 59/71] media: mxl111sf: change mutex_init() location Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 60/71] fuse: annotate lock in fuse_reverse_inval_entry() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 61/71] ovl: fix warning in ovl_create_real() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 62/71] scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 63/71] rcu: Mark accesses to rcu_state.n_force_qs Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 64/71] mac80211: fix regression in SSN handling of addba tx Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 65/71] net: sched: Fix suspicious RCU usage while accessing tcf_tunnel_info Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 66/71] Revert "xsk: Do not sleep in poll() when need_wakeup set" Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 67/71] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 68/71] xen/netfront: harden netfront " Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 69/71] xen/console: harden hvc_xen " Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 70/71] xen/netback: fix rx queue stall detection Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.4 71/71] xen/netback: dont queue unlimited number of packages Greg Kroah-Hartman
2021-12-20 18:48 ` [PATCH 5.4 00/71] 5.4.168-rc1 review Florian Fainelli
2021-12-20 23:18 ` Shuah Khan
2021-12-21 1:33 ` Samuel Zou
2021-12-21 11:20 ` Sudip Mukherjee
2021-12-21 11:50 ` Naresh Kamboju
2021-12-21 23:13 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211220143027.132613208@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox