From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Taehee Yoo <ap420073@gmail.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.2 244/249] gtp: fix suspicious RCU usage
Date: Mon, 15 Jul 2019 09:46:49 -0400 [thread overview]
Message-ID: <20190715134655.4076-244-sashal@kernel.org> (raw)
In-Reply-To: <20190715134655.4076-1-sashal@kernel.org>
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit e198987e7dd7d3645a53875151cd6f8fc425b706 ]
gtp_encap_enable_socket() and gtp_encap_destroy() are not protected
by rcu_read_lock(). and it's not safe to write sk->sk_user_data.
This patch make these functions to use lock_sock() instead of
rcu_dereference_sk_user_data().
Test commands:
gtp-link add gtp1
Splat looks like:
[ 83.238315] =============================
[ 83.239127] WARNING: suspicious RCU usage
[ 83.239702] 5.2.0-rc6+ #49 Not tainted
[ 83.240268] -----------------------------
[ 83.241205] drivers/net/gtp.c:799 suspicious rcu_dereference_check() usage!
[ 83.243828]
[ 83.243828] other info that might help us debug this:
[ 83.243828]
[ 83.246325]
[ 83.246325] rcu_scheduler_active = 2, debug_locks = 1
[ 83.247314] 1 lock held by gtp-link/1008:
[ 83.248523] #0: 0000000017772c7f (rtnl_mutex){+.+.}, at: __rtnl_newlink+0x5f5/0x11b0
[ 83.251503]
[ 83.251503] stack backtrace:
[ 83.252173] CPU: 0 PID: 1008 Comm: gtp-link Not tainted 5.2.0-rc6+ #49
[ 83.253271] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 83.254562] Call Trace:
[ 83.254995] dump_stack+0x7c/0xbb
[ 83.255567] gtp_encap_enable_socket+0x2df/0x360 [gtp]
[ 83.256415] ? gtp_find_dev+0x1a0/0x1a0 [gtp]
[ 83.257161] ? memset+0x1f/0x40
[ 83.257843] gtp_newlink+0x90/0xa21 [gtp]
[ 83.258497] ? __netlink_ns_capable+0xc3/0xf0
[ 83.259260] __rtnl_newlink+0xb9f/0x11b0
[ 83.260022] ? rtnl_link_unregister+0x230/0x230
[ ... ]
Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/gtp.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index 01fc51892e48..61f19e66be55 100644
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -289,12 +289,14 @@ static void gtp_encap_destroy(struct sock *sk)
{
struct gtp_dev *gtp;
- gtp = rcu_dereference_sk_user_data(sk);
+ lock_sock(sk);
+ gtp = sk->sk_user_data;
if (gtp) {
udp_sk(sk)->encap_type = 0;
rcu_assign_sk_user_data(sk, NULL);
sock_put(sk);
}
+ release_sock(sk);
}
static void gtp_encap_disable_sock(struct sock *sk)
@@ -796,7 +798,8 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
goto out_sock;
}
- if (rcu_dereference_sk_user_data(sock->sk)) {
+ lock_sock(sock->sk);
+ if (sock->sk->sk_user_data) {
sk = ERR_PTR(-EBUSY);
goto out_sock;
}
@@ -812,6 +815,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg);
out_sock:
+ release_sock(sock->sk);
sockfd_put(sock);
return sk;
}
--
2.20.1
next prev parent reply other threads:[~2019-07-15 14:02 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-15 13:42 [PATCH AUTOSEL 5.2 001/249] ath10k: Check tx_stats before use it Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 002/249] ath10k: htt: don't use txdone_fifo with SDIO Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 003/249] ath10k: fix incorrect multicast/broadcast rate setting Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 004/249] ath9k: Don't trust TX status TID number when reporting airtime Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 005/249] wil6210: fix potential out-of-bounds read Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 006/249] ath10k: Do not send probe response template for mesh Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 008/249] ath9k: Check for errors when reading SREV register Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 009/249] ath10k: Fix the wrong value of enums for wmi tlv stats id Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 010/249] wil6210: fix missed MISC mbox interrupt Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 011/249] ath6kl: add some bounds checking Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 012/249] ath10k: add peer id check in ath10k_peer_find_by_id Sasha Levin
2019-07-15 13:42 ` [PATCH AUTOSEL 5.2 014/249] wil6210: fix spurious interrupts in 3-msi Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 015/249] ath: DFS JP domain W56 fixed pulse type 3 RADAR detection Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 016/249] ath10k: Fix encoding for protected management frames Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 018/249] batman-adv: fix for leaked TVLV handler Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 024/249] selftests/bpf: adjust verifier scale test Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 027/249] ice: Gracefully handle reset failure in ice_alloc_vfs() Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 030/249] net: stmmac: dwmac1000: Clear unused address entries Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 031/249] net: stmmac: dwmac4/5: " Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 032/249] net: stmmac: Prevent missing interrupts when running NAPI Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 033/249] ice: Fix couple of issues in ice_vsi_release Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 034/249] net: mvpp2: cls: Extract the RSS context when parsing the ethtool rule Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 035/249] net: hns3: initialize CPU reverse mapping Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 036/249] net: hns3: fix for FEC configuration Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 037/249] qed: Set the doorbell address correctly Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 040/249] af_key: fix leaks in key_pol_get_resp and dump_sp Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 041/249] xfrm: Fix xfrm sel prefix length validation Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 047/249] Revert "e1000e: fix cyclic resets at link up with active tx" Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 048/249] e1000e: start network tx queue only when link is up Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 049/249] ice: Check all VFs for MDD activity, don't disable Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 054/249] net: phy: Check against net_device being NULL Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 055/249] net: dsa: sja1105: Fix broken fixed-link interfaces on user ports Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 059/249] batman-adv: Fix duplicated OGMs on NETDEV_UP Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 064/249] net: hns3: add a check to pointer in error_detected and slot_reset Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 065/249] net: hns3: set ops to null when unregister ad_dev Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 072/249] net: stmmac: dwmac4: fix flow control issue Sasha Levin
2019-07-15 13:43 ` [PATCH AUTOSEL 5.2 073/249] net: stmmac: modify default value of tx-frames Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 075/249] net: fec: Do not use netdev messages too early Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 076/249] net: axienet: Fix race condition causing TX hang Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 079/249] net: sfp: add mutex to prevent concurrent state checks Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 080/249] netfilter: ipset: fix a missing check of nla_parse Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 081/249] ipset: Fix memory accounting for hash types on resize Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 085/249] selftests/bpf : clean up feature/ when make clean Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 095/249] bpf: silence warning messages in core Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 104/249] qed: iWARP - Fix tc for MPA ll2 connection Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 105/249] net: hns3: fix for dereferencing before null checking Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 106/249] net: hns3: fix for skb leak when doing selftest Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 107/249] net: hns3: delay ring buffer clearing during reset Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 110/249] xfrm: fix sa selector validation Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 119/249] vhost_net: disable zerocopy by default Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 120/249] iavf: allow null RX descriptors Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 124/249] bpf: fix callees pruning callers Sasha Levin
2019-07-15 13:44 ` [PATCH AUTOSEL 5.2 127/249] net: netsec: initialize tx ring on ndo_open Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 141/249] ipsec: select crypto ciphers for xfrm_algo Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 143/249] ipvs: defer hook registration to avoid leaks Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 156/249] net: stmmac: sun8i: force select external PHY when no internal one Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 157/249] rtlwifi: rtl8192cu: fix error handle when usb probe failed Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 158/249] mt7601u: do not schedule rx_tasklet when the device has been disconnected Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 160/249] mt7601u: fix possible memory leak when the device is disconnected Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 161/249] ipvs: fix tinfo memory leak in start_sync_thread Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 162/249] mt76: mt7615: do not process rx packets if the device is not initialized Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 163/249] ath10k: add missing error handling Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 164/249] ath10k: fix fw crash by moving chip reset after napi disabled Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 165/249] ath10k: fix PCIE device wake up failed Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 174/249] netfilter: ctnetlink: Fix regression in conntrack entry deletion Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 175/249] xsk: Properly terminate assignment in xskq_produce_flush_desc Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 177/249] bpf: fix BPF_ALU32 | BPF_ARSH on BE arches Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 180/249] net: hns3: restore the MAC autoneg state after reset Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 181/249] net/mlx5: Get vport ACL namespace by vport index Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 182/249] ixgbe: Check DDM existence in transceiver before access Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 186/249] ath9k: correctly handle short radar pulses Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 187/249] wil6210: drop old event after wmi_call timeout Sasha Levin
2019-07-15 13:45 ` [PATCH AUTOSEL 5.2 189/249] net/mlx5e: Attach/detach XDP program safely Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 199/249] net: hns3: fix a -Wformat-nonliteral compile warning Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 200/249] net: hns3: add some error checking in hclge_tm module Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 201/249] ath10k: Fix memory leak in qmi Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 202/249] ath10k: destroy sdio workqueue while remove sdio module Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 203/249] net: mvpp2: prs: Don't override the sign bit in SRAM parser shift Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 204/249] igb: clear out skb->tstamp after reading the txtime Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 205/249] net: hns3: add Asym Pause support to fix autoneg problem Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 206/249] net: ethernet: ti: cpsw: Assign OF node to slave devices Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 207/249] ixgbe: Avoid NULL pointer dereference with VF on non-IPsec hw Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 208/249] iwlwifi: mvm: Drop large non sta frames Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 209/249] bpf: fix uapi bpf_prog_info fields alignment Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 210/249] netfilter: Fix remainder of pseudo-header protocol 0 Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 211/249] iwlwifi: dbg: fix debug monitor stop and restart delays Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 212/249] bnxt_en: Disable bus master during PCI shutdown and driver unload Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 213/249] bnxt_en: Fix statistics context reservation logic for RDMA driver Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 214/249] bnxt_en: Cap the returned MSIX vectors to the " Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 220/249] vxlan: do not destroy fdb if register_netdevice() is failed Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 221/249] bnx2x: Prevent ptp_task to be rescheduled indefinitely Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 222/249] net: usb: asix: init MAC address buffers Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 224/249] libbpf: fix GCC8 warning for strncpy Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 225/249] bpf, libbpf, smatch: Fix potential NULL pointer dereference Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 226/249] selftests: bpf: fix inlines in test_lwt_seg6local Sasha Levin
2019-07-17 9:43 ` Jiri Benc
2019-07-17 23:47 ` Sasha Levin
2019-07-18 7:36 ` Jiri Benc
2019-07-18 18:55 ` David Miller
2019-07-19 7:54 ` Jiri Benc
2019-07-18 19:32 ` Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 227/249] bonding: validate ip header before check IPPROTO_IGMP Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 231/249] tools: bpftool: Fix json dump crash on powerpc Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 232/249] net: hns3: enable broadcast promisc mode when initializing VF Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 233/249] net: hns3: fix port capbility updating issue Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 237/249] Bluetooth: 6lowpan: search for destination address in all peers Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 240/249] Bluetooth: Check state in l2cap_disconnect_rsp Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 241/249] Bluetooth: hidp: NUL terminate a string in the compat ioctl Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 242/249] gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable() Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 243/249] Bluetooth: validate BLE connection interval updates Sasha Levin
2019-07-15 13:46 ` Sasha Levin [this message]
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 245/249] gtp: fix Illegal context switch in RCU read-side critical section Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 246/249] gtp: fix use-after-free in gtp_encap_destroy() Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 247/249] gtp: fix use-after-free in gtp_newlink() Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 248/249] xdp: fix race on generic receive path Sasha Levin
2019-07-15 13:46 ` [PATCH AUTOSEL 5.2 249/249] net: mvmdio: defer probe of orion-mdio if a clock is not ready Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190715134655.4076-244-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=osmocom-net-gprs@lists.osmocom.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).