From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Marcelo Ricardo Leitner <mleitner@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.14 20/34] Fix race condition between vxlan_sock_add and vxlan_sock_release
Date: Sun, 14 Dec 2014 12:20:58 -0800 [thread overview]
Message-ID: <20141214201804.382183768@linuxfoundation.org> (raw)
In-Reply-To: <20141214201803.791392744@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Leitner <mleitner@redhat.com>
[ Upstream commit 00c83b01d58068dfeb2e1351cca6fccf2a83fa8f ]
Currently, when trying to reuse a socket, vxlan_sock_add will grab
vn->sock_lock, locate a reusable socket, inc refcount and release
vn->sock_lock.
But vxlan_sock_release() will first decrement refcount, and then grab
that lock. refcnt operations are atomic but as currently we have
deferred works which hold vs->refcnt each, this might happen, leading to
a use after free (specially after vxlan_igmp_leave):
CPU 1 CPU 2
deferred work vxlan_sock_add
... ...
spin_lock(&vn->sock_lock)
vs = vxlan_find_sock();
vxlan_sock_release
dec vs->refcnt, reaches 0
spin_lock(&vn->sock_lock)
vxlan_sock_hold(vs), refcnt=1
spin_unlock(&vn->sock_lock)
hlist_del_rcu(&vs->hlist);
vxlan_notify_del_rx_port(vs)
spin_unlock(&vn->sock_lock)
So when we look for a reusable socket, we check if it wasn't freed
already before reusing it.
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Fixes: 7c47cedf43a8b3 ("vxlan: move IGMP join/leave to work queue")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/vxlan.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2106,9 +2106,8 @@ static int vxlan_init(struct net_device
spin_lock(&vn->sock_lock);
vs = vxlan_find_sock(dev_net(dev), ipv6 ? AF_INET6 : AF_INET,
vxlan->dst_port);
- if (vs) {
+ if (vs && atomic_add_unless(&vs->refcnt, 1, 0)) {
/* If we have a socket with same port already, reuse it */
- atomic_inc(&vs->refcnt);
vxlan_vs_add_dev(vs, vxlan);
} else {
/* otherwise make new socket outside of RTNL */
@@ -2574,12 +2573,9 @@ struct vxlan_sock *vxlan_sock_add(struct
spin_lock(&vn->sock_lock);
vs = vxlan_find_sock(net, ipv6 ? AF_INET6 : AF_INET, port);
- if (vs) {
- if (vs->rcv == rcv)
- atomic_inc(&vs->refcnt);
- else
+ if (vs && ((vs->rcv != rcv) ||
+ !atomic_add_unless(&vs->refcnt, 1, 0)))
vs = ERR_PTR(-EBUSY);
- }
spin_unlock(&vn->sock_lock);
if (!vs)
next prev parent reply other threads:[~2014-12-14 20:20 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-14 20:20 [PATCH 3.14 00/34] 3.14.27-stable review Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 01/34] mm: frontswap: invalidate expired data on a dup-store failure Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 02/34] mm/vmpressure.c: fix race in vmpressure_work_fn() Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 03/34] mm: fix swapoff hang after page migration and fork Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 04/34] mm: fix anon_vma_clone() error treatment Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 05/34] xen-netfront: Remove BUGs on paged skb data which crosses a page boundary Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 06/34] i2c: omap: fix NACK and Arbitration Lost irq handling Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 07/34] i2c: omap: fix i207 errata handling Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 09/34] drm/radeon: kernel panic in drm_calc_vbltimestamp_from_scanoutpos with 3.18.0-rc6 Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 10/34] drm/i915: More cautious with pch fifo underruns Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 11/34] drm/i915: Unlock panel even when LVDS is disabled Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 12/34] x86: Use $(OBJDUMP) instead of plain objdump Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 13/34] media: smiapp: Only some selection targets are settable Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 14/34] USB: xhci: Reset a halted endpoint immediately when we encounter a stall Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 15/34] AHCI: Add DeviceIDs for Sunrise Point-LP SATA controller Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 16/34] ahci: disable MSI on SAMSUNG 0xa800 SSD Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 17/34] sata_fsl: fix error handling of irq_of_parse_and_map Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 18/34] ip_tunnel: the lack of vti_link_ops dellink() cause kernel panic Greg Kroah-Hartman
2014-12-14 20:20 ` [PATCH 3.14 19/34] ipv6: gre: fix wrong skb->protocol in WCCP Greg Kroah-Hartman
2014-12-14 20:20 ` Greg Kroah-Hartman [this message]
2014-12-14 20:20 ` [PATCH 3.14 21/34] tg3: fix ring init when there are more TX than RX channels Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 22/34] net/mlx4_core: Limit count field to 24 bits in qp_alloc_res Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 23/34] rtnetlink: release net refcnt on error in do_setlink() Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 24/34] gre: Set inner mac header in gro complete Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 25/34] net: mvneta: fix Tx interrupt delay Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 26/34] net: mvneta: fix race condition in mvneta_tx() Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 28/34] perf/x86/intel: Protect LBR and extra_regs against KVM lying Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 29/34] igb: bring link up when PHY is powered up Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 30/34] powerpc: 32 bit getcpu VDSO function uses 64 bit instructions Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 31/34] mac80211: Fix regression that triggers a kernel BUG with CCMP Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 32/34] ALSA: hda - Add EAPD fixup for ASUS Z99He laptop Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 33/34] ALSA: hda - Fix built-in mic at resume on Lenovo Ideapad S210 Greg Kroah-Hartman
2014-12-14 20:21 ` [PATCH 3.14 34/34] ALSA: usb-audio: Dont resubmit pending URBs at MIDI error recovery Greg Kroah-Hartman
2014-12-15 3:30 ` [PATCH 3.14 00/34] 3.14.27-stable review Guenter Roeck
2014-12-16 3:07 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141214201804.382183768@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=mleitner@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).