[PATCH 4.4 15/20] sit: fix a double free on error path

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 15/20] sit: fix a double free on error path
Date: Thu, 16 Feb 2017 09:53:45 -0800	[thread overview]
Message-ID: <20170216175300.163864637@linuxfoundation.org> (raw)
In-Reply-To: <20170216175259.514980415@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>


[ Upstream commit d7426c69a1942b2b9b709bf66b944ff09f561484 ]

Dmitry reported a double free in sit_init_net():

  kernel BUG at mm/percpu.c:689!
  invalid opcode: 0000 [#1] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 0 PID: 15692 Comm: syz-executor1 Not tainted 4.10.0-rc6-next-20170206 #1
  Hardware name: Google Google Compute Engine/Google Compute Engine,
  BIOS Google 01/01/2011
  task: ffff8801c9cc27c0 task.stack: ffff88017d1d8000
  RIP: 0010:pcpu_free_area+0x68b/0x810 mm/percpu.c:689
  RSP: 0018:ffff88017d1df488 EFLAGS: 00010046
  RAX: 0000000000010000 RBX: 00000000000007c0 RCX: ffffc90002829000
  RDX: 0000000000010000 RSI: ffffffff81940efb RDI: ffff8801db841d94
  RBP: ffff88017d1df590 R08: dffffc0000000000 R09: 1ffffffff0bb3bdd
  R10: dffffc0000000000 R11: 00000000000135dd R12: ffff8801db841d80
  R13: 0000000000038e40 R14: 00000000000007c0 R15: 00000000000007c0
  FS:  00007f6ea608f700(0000) GS:ffff8801dbe00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000000002000aff8 CR3: 00000001c8d44000 CR4: 00000000001426f0
  DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
  Call Trace:
   free_percpu+0x212/0x520 mm/percpu.c:1264
   ipip6_dev_free+0x43/0x60 net/ipv6/sit.c:1335
   sit_init_net+0x3cb/0xa10 net/ipv6/sit.c:1831
   ops_init+0x10a/0x530 net/core/net_namespace.c:115
   setup_net+0x2ed/0x690 net/core/net_namespace.c:291
   copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
   create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
   unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
   SYSC_unshare kernel/fork.c:2281 [inline]
   SyS_unshare+0x64e/0xfc0 kernel/fork.c:2231
   entry_SYSCALL_64_fastpath+0x1f/0xc2

This is because when tunnel->dst_cache init fails, we free dev->tstats
once in ipip6_tunnel_init() and twice in sit_init_net(). This looks
redundant but its ndo_uinit() does not seem enough to clean up everything
here. So avoid this by setting dev->tstats to NULL after the first free,
at least for -net.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/sit.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1389,6 +1389,7 @@ static int ipip6_tunnel_init(struct net_
 	tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst);
 	if (!tunnel->dst_cache) {
 		free_percpu(dev->tstats);
+		dev->tstats = NULL;
 		return -ENOMEM;
 	}

next prev parent reply	other threads:[~2017-02-16 17:54 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-16 17:53 [PATCH 4.4 00/20] 4.4.50-stable review Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 01/20] can: Fix kernel panic at security_sock_rcv_skb Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 02/20] ipv6: fix ip6_tnl_parse_tlv_enc_lim() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 03/20] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 04/20] tcp: fix 0 divide in __tcp_select_window() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 05/20] net: use a work queue to defer net_disable_timestamp() work Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 06/20] ipv4: keep skb->dst around in presence of IP options Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 07/20] netlabel: out of bound access in cipso_v4_validate() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 08/20] ip6_gre: fix ip6gre_err() invalid reads Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 09/20] ipv6: tcp: add a missing tcp_v6_restore_cb() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 10/20] tcp: avoid infinite loop in tcp_splice_read() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 11/20] tun: read vnet_hdr_sz once Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 12/20] macvtap: read vnet_hdr_size once Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 13/20] mlx4: Invoke softirqs after napi_reschedule Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 14/20] sctp: avoid BUG_ON on sctp_wait_for_sndbuf Greg Kroah-Hartman
2017-02-21 16:08   ` Ben Hutchings
2017-02-21 16:56     ` Marcelo
2017-02-21 19:54       ` Marcelo Ricardo Leitner
2017-02-16 17:53 ` Greg Kroah-Hartman [this message]
2017-02-16 17:53 ` [PATCH 4.4 16/20] net: introduce device min_header_len Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 17/20] packet: round up linear to header len Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 18/20] ping: fix a null pointer dereference Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 19/20] l2tp: do not use udp_ioctl() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 20/20] tcp: fix mark propagation with fwmark_reflect enabled Greg Kroah-Hartman
2017-02-17 10:37 ` [PATCH 4.4 00/20] 4.4.50-stable review Guenter Roeck
     [not found] ` <58a74eeb.c910190a.1e315.c4dd@mx.google.com>
2017-02-17 23:43   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170216175300.163864637@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=dvyukov@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).