From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <alexander.levin@verizon.com>
Subject: [PATCH 3.18 42/64] ipv6: reorder icmpv6_init() and ip6_mr_init()
Date: Fri, 15 Dec 2017 10:22:06 +0100
Message-ID: <20171215092213.660355990@linuxfoundation.org>
In-Reply-To: <20171215092212.018372669@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: WANG Cong <xiyou.wangcong@gmail.com>
[ Upstream commit 15e668070a64bb97f102ad9cf3bccbca0545cda8 ]
Andrey reported the following kernel crash:
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88001f311700 task.stack: ffff88001f6e8000
RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618
RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000
RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020
RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000
R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040
FS: 00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217
inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
sock_release+0x8d/0x1e0 net/socket.c:597
__sock_create+0x39d/0x880 net/socket.c:1226
sock_create_kern+0x3f/0x50 net/socket.c:1243
inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526
icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954
ops_init+0x10a/0x550 net/core/net_namespace.c:115
setup_net+0x261/0x660 net/core/net_namespace.c:291
copy_net_ns+0x27e/0x540 net/core/net_namespace.c:396
9pnet_virtio: no channels available for device ./file1
create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106
unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
SYSC_unshare kernel/fork.c:2281 [inline]
SyS_unshare+0x64e/0x1000 kernel/fork.c:2231
entry_SYSCALL_64_fastpath+0x1f/0xc2
This is because net->ipv6.mr6_tables is not initialized at that point:
ip6mr_rules_init() has not been called yet, so on the error path, when
we iterate over the list, we trigger this oops. Fix this by reordering
ip6mr_rules_init() before icmpv6_sk_init().
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/af_inet6.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -887,12 +887,12 @@ static int __init inet6_init(void)
err = register_pernet_subsys(&inet6_net_ops);
if (err)
goto register_pernet_fail;
- err = icmpv6_init();
- if (err)
- goto icmp_fail;
err = ip6_mr_init();
if (err)
goto ipmr_fail;
+ err = icmpv6_init();
+ if (err)
+ goto icmp_fail;
err = ndisc_init();
if (err)
goto ndisc_fail;
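Review bot: the ordering dependency this hunk introduces is undocumented in the code, and the commit message describes it in different terms (ip6mr_rules_init() before icmpv6_sk_init()) from what the hunk actually swaps (ip6_mr_init() before icmpv6_init()). The two match only because each init registers pernet ops and those per-net callbacks run in registration order when a namespace is set up (setup_net() in the trace above). Suggest a comment above `err = ip6_mr_init();` stating that icmpv6's per-net init must run after ip6mr's, because its failure path releases a raw socket (rawv6_close -> ip6mr_sk_done) that walks net->ipv6.mr6_tables; otherwise the next cleanup of inet6_init() can quietly put the calls back in the crashing order.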
@@ -1010,10 +1010,10 @@ igmp_fail:
ndisc_cleanup();
ndisc_fail:
ip6_mr_cleanup();
-ipmr_fail:
- icmpv6_cleanup();
icmp_fail:
unregister_pernet_subsys(&inet6_net_ops);
+ipmr_fail:
+ icmpv6_cleanup();
register_pernet_fail:
sock_unregister(PF_INET6);
rtnl_unregister_all(PF_INET6);
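Review bot: the label order in this hunk no longer mirrors the init order from the first hunk. With ip6_mr_init() now called before icmpv6_init(), a failure in ip6_mr_init() jumps to ipmr_fail and runs icmpv6_cleanup() for a subsystem that was never initialised while skipping unregister_pernet_subsys(), and a failure in icmpv6_init() jumps to icmp_fail, which falls through to icmpv6_cleanup() and never calls ip6_mr_cleanup(). The unwind should be the strict reverse of the new init sequence:
ndisc_fail: icmpv6_cleanup();
icmp_fail: ip6_mr_cleanup();
ipmr_fail: unregister_pernet_subsys(&inet6_net_ops);
with register_pernet_fail following as before.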
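As an added illustration that is not part of this patch or of the kernel source: a userspace C model of the dependency the commit message describes (icmpv6's per-net init failing, releasing a raw socket whose close path walks net->ipv6.mr6_tables before ip6mr has set it up) together with a generic init/cleanup ladder driven by a step table. Every *_model name, the STEP table, the "pre-patch"/"post-patch" orderings and the traced cleanup strings are hypothetical stand-ins for the kernel functions. The ladder unwinds exactly the steps that succeeded, in reverse order of initialisation, which is the invariant to check any goto-label cleanup chain against.

```c
/* Added example, not kernel code: a userspace model of the init-order dependency in the
 * commit message plus a generic init/cleanup ladder. Every *_model name is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of net->ipv6.mr6_tables: a circular list head that ip6mr's per-net init sets up and
 * ip6mr_sk_done() walks. NULL models "not initialised yet", the state behind the GPF above. */
struct mr6_table_model { struct mr6_table_model *next; };
struct net_model {
    struct mr6_table_model *mr6_tables;  /* NULL until ip6mr init has run */
    struct mr6_table_model head;         /* storage for the empty list head */
    bool crashed;                        /* would the real kernel have oopsed? */
    char trace[128];                     /* constructed: cleanup calls, in order */
};
static void trace_model(struct net_model *net, const char *what)
{
    if (net->trace[0])
        strncat(net->trace, " ", sizeof(net->trace) - strlen(net->trace) - 1);
    strncat(net->trace, what, sizeof(net->trace) - strlen(net->trace) - 1);
}

static int pernet_init_model(struct net_model *net, bool fail) { (void)net; return fail ? -1 : 0; }
static void pernet_cleanup_model(struct net_model *net) { trace_model(net, "unregister_pernet_subsys"); }
static int ndisc_init_model(struct net_model *net, bool fail) { (void)net; return fail ? -1 : 0; }
static void ndisc_cleanup_model(struct net_model *net) { trace_model(net, "ndisc_cleanup"); }
static int ip6mr_init_model(struct net_model *net, bool fail)
{
    if (fail) return -1;
    net->head.next = &net->head;         /* empty circular list, now safe to walk */
    net->mr6_tables = &net->head;
    return 0;
}
static void ip6mr_cleanup_model(struct net_model *net) { trace_model(net, "ip6_mr_cleanup"); }
/* ip6mr_sk_done() model: runs from the raw-socket close path (rawv6_close). */
static void ip6mr_sk_done_model(struct net_model *net)
{
    if (!net->mr6_tables) {              /* real kernel: GPF in ip6mr_sk_done() */
        net->crashed = true;
        return;
    }
    for (struct mr6_table_model *t = net->mr6_tables->next; t != net->mr6_tables; t = t->next)
        { /* nothing registered in this model; an empty walk is fine */ }
}
/* icmpv6 init: when control-socket creation fails, the partly built socket is released
 * (sock_release -> rawv6_close -> ip6mr_sk_done), so mr6_tables must already exist. */
static int icmpv6_init_model(struct net_model *net, bool fail)
{
    if (!fail) return 0;
    ip6mr_sk_done_model(net);
    return -1;
}
static void icmpv6_cleanup_model(struct net_model *net) { trace_model(net, "icmpv6_cleanup"); }

struct step_model { const char *name; int (*init)(struct net_model *, bool); void (*cleanup)(struct net_model *); };
#define STEP(n) { #n, n##_init_model, n##_cleanup_model }
static const struct step_model pre_patch_order[]  = { STEP(pernet), STEP(icmpv6), STEP(ip6mr), STEP(ndisc) };
static const struct step_model post_patch_order[] = { STEP(pernet), STEP(ip6mr), STEP(icmpv6), STEP(ndisc) };

/* Run inits in table order; on failure undo exactly the steps that succeeded, in reverse.
 * A goto-label cleanup chain must satisfy the same invariant. */
static int run_ladder_model(struct net_model *net, const struct step_model *steps, int n, const char *fail_step)
{
    int i, err;
    memset(net, 0, sizeof(*net));
    for (i = 0; i < n; i++) {
        err = steps[i].init(net, strcmp(steps[i].name, fail_step) == 0);
        if (err)
            goto unwind;
    }
    return 0;
unwind:
    while (i-- > 0)
        steps[i].cleanup(net);
    return err;
}

/* fail_step is one of the STEP names or "" for no failure; the result lives in a static buffer. */
static struct net_model *simulate_model(bool post_patch, const char *fail_step)
{
    static struct net_model net;
    run_ladder_model(&net, post_patch ? post_patch_order : pre_patch_order, 4, fail_step);
    return &net;
}
bool crashes_model(bool post_patch, const char *fail_step) { return simulate_model(post_patch, fail_step)->crashed; }
const char *cleanup_trace_model(bool post_patch, const char *fail_step) { return simulate_model(post_patch, fail_step)->trace; }

int main(void)
{
    const char *fails[] = { "ip6mr", "icmpv6", "ndisc" };
    for (int order = 0; order < 2; order++)
        for (int k = 0; k < 3; k++)
            printf("%s order, %s fails: crash=%d, unwind=[%s]\n", order ? "post-patch" : "pre-patch",
                   fails[k], crashes_model(order, fails[k]), cleanup_trace_model(order, fails[k]));
    return 0;
}
```

Running it prints one line per (ordering, failing step) pair: only the pre-patch ordering with icmpv6 failing reports a crash, and each unwind list names just the cleanups for steps that actually succeeded. Swapping the STEP entries in a table is the whole of the "reorder" in this model, which is why the table form makes the cleanup order impossible to get wrong in a way a hand-written label chain is not.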