Subject: Re: [PATCH 4.3 2/2] vrf: fix double free and memory corruption on register_netdevice failure
Message-ID: <1450198973.3944.50.camel@decadent.org.uk>
From: Ben Hutchings
To: Nikolay Aleksandrov, Greg Kroah-Hartman
Cc: David Ahern, linux-kernel@vger.kernel.org, stable@vger.kernel.org, "David S. Miller"
Date: Tue, 15 Dec 2015 17:02:53 +0000
In-Reply-To: <20151215153220.GP28542@decadent.org.uk>
References: <56702E7E.5000604@cumulusnetworks.com> <20151215153220.GP28542@decadent.org.uk>

Sorry, this was from me; I didn't mean to forge Nikolay's address.

Ben.

On Tue, 2015-12-15 at 15:32 +0000, Nikolay Aleksandrov wrote:
> commit 7f109f7cc37108cba7243bc832988525b0d85909 upstream.
> 
> When vrf's ->newlink is called, if register_netdevice() fails then it
> does free_netdev(), but that's also done by rtnl_newlink() so a second
> free happens and memory gets corrupted. To reproduce, execute the
> following line a couple of times (1 - 5 usually is enough):
> $ for i in `seq 1 5`; do ip link add vrf: type vrf table 1; done;
> This works because we fail in register_netdevice() because of the
> wrong name "vrf:".
> 
> And here's a trace of one crash:
> [   28.792157] ------------[ cut here ]------------
> [   28.792407] kernel BUG at fs/namei.c:246!
> [   28.792608] invalid opcode: 0000 [#1] SMP
> [   28.793240] Modules linked in: vrf nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace sunrpc crct10dif_pclmul crc32_pclmul crc32c_intel qxl drm_kms_helper ttm drm aesni_intel aes_x86_64 psmouse glue_helper lrw evdev gf128mul i2c_piix4 ablk_helper cryptd ppdev parport_pc parport serio_raw pcspkr virtio_balloon virtio_console i2c_core acpi_cpufreq button 9pnet_virtio 9p 9pnet fscache ipv6 autofs4 ext4 crc16 mbcache jbd2 virtio_blk virtio_net sg sr_mod cdrom ata_generic ehci_pci uhci_hcd ehci_hcd e1000 usbcore usb_common ata_piix libata virtio_pci virtio_ring virtio scsi_mod floppy
> [   28.796016] CPU: 0 PID: 1148 Comm: ld-linux-x86-64 Not tainted 4.4.0-rc1+ #24
> [   28.796016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
> [   28.796016] task: ffff8800352561c0 ti: ffff88003592c000 task.ti: ffff88003592c000
> [   28.796016] RIP: 0010:[]  [] putname+0x43/0x60
> [   28.796016] RSP: 0018:ffff88003592fe88  EFLAGS: 00010246
> [   28.796016] RAX: 0000000000000000 RBX: ffff8800352561c0 RCX: 0000000000000001
> [   28.796016] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003784f000
> [   28.796016] RBP: ffff88003592ff08 R08: 0000000000000001 R09: 0000000000000000
> [   28.796016] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
> [   28.796016] R13: 000000000000047c R14: ffff88003784f000 R15: ffff8800358c4a00
> [   28.796016] FS:  0000000000000000(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
> [   28.796016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   28.796016] CR2: 00007ffd583bc2d9 CR3: 0000000035a99000 CR4: 00000000000406f0
> [   28.796016] Stack:
> [   28.796016]  ffffffff8121045d ffffffff812102d3 ffff8800352561c0 ffff880035a91660
> [   28.796016]  ffff8800008a9880 0000000000000000 ffffffff81a49940 00ffffff81218684
> [   28.796016]  ffff8800352561c0 000000000000047c 0000000000000000 ffff880035b36d80
> [   28.796016] Call Trace:
> [   28.796016]  [] ? do_execveat_common.isra.34+0x74d/0x930
> [   28.796016]  [] ? do_execveat_common.isra.34+0x5c3/0x930
> [   28.796016]  [] do_execve+0x2c/0x30
> [   28.796016]  [] call_usermodehelper_exec_async+0xf0/0x140
> [   28.796016]  [] ? umh_complete+0x40/0x40
> [   28.796016]  [] ret_from_fork+0x3f/0x70
> [   28.796016] Code: 48 8d 47 1c 48 89 e5 53 48 8b 37 48 89 fb 48 39 c6 74 1a 48 8b 3d 7e e9 8f 00 e8 49 fa fc ff 48 89 df e8 f1 01 fd ff 5b 5d f3 c3 <0f> 0b 48 89 fe 48 8b 3d 61 e9 8f 00 e8 2c fa fc ff 5b 5d eb e9
> [   28.796016] RIP  [] putname+0x43/0x60
> [   28.796016]  RSP
> 
> Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
> Signed-off-by: Nikolay Aleksandrov
> Acked-by: David Ahern
> Signed-off-by: David S. Miller
> [bwh: For 4.3, retain the kfree() on failure]
> Signed-off-by: Ben Hutchings
> ---
>  drivers/net/vrf.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
> index 488c6f5..374feba 100644
> --- a/drivers/net/vrf.c
> +++ b/drivers/net/vrf.c
> @@ -608,7 +608,6 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev,
>  
>  out_fail:
>  	kfree(vrf_ptr);
> -	free_netdev(dev);
>  	return err;
>  }
>  

-- 
Ben Hutchings
Logic doesn't apply to the real world. - Marvin Minsky
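Review bot: with free_netdev(dev) removed from out_fail in vrf_newlink(), the label now silently depends on rtnl_newlink() releasing the device on every error return from ->newlink, which the commit message states but nothing at the label records; add a one-line comment above `return err;` (for example `/* dev is freed by rtnl_newlink() on failure */`) so a later backport or cleanup does not reintroduce the free. The 4.3 note "retain the kfree() on failure" is reflected in the hunk, since `kfree(vrf_ptr);` stays, but that is only safe while vrf_ptr has not yet been published into dev when out_fail is reached; the three context lines do not show the assignment, so please confirm every `goto out_fail` precedes it. The reproducer in the commit message (`ip link add vrf: type vrf table 1` run a few times) is the right check to repeat against the 4.3 tree.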
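The ownership rule behind the fix, as an added user-space model that is not part of the patch or of the kernel tree: rtnl_newlink() owns the freshly allocated net_device while ops->newlink() runs and calls free_netdev() itself when ->newlink fails, so a driver that also frees the device on its own error path frees it twice. Every name ending in _model, the free_requests counter and the ':' name check are hypothetical stand-ins (the real check is dev_valid_name(), which rejects more than ':'); the model counts free requests instead of corrupting the heap, so the buggy and fixed ->newlink can be compared directly under the commit message's reproducer.

```c
/* Added example, not code from the patch or the kernel tree.  Names ending
 * in _model and the free_requests counter are hypothetical stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct net_device_model {
	char name[16];
	void *vrf_ptr;		/* stands in for dev->vrf_ptr */
};

/* How often free_netdev_model() was asked to release the device during one
 * rtnl_newlink_model() attempt.  The kernel has no such counter: its second
 * free corrupts the allocator, which is what the putname() BUG above shows. */
static int free_requests;

/* Model of free_netdev(): only records the request; memory is released by
 * the model teardown in rtnl_newlink_model() so the program stays defined. */
static void free_netdev_model(struct net_device_model *dev)
{
	(void)dev;
	free_requests++;
}

/* Model of register_netdevice(): refuse a name containing ':' (simplified
 * from dev_valid_name()), which is how the "vrf:" reproducer forces failure. */
static int register_netdevice_model(const struct net_device_model *dev)
{
	return strchr(dev->name, ':') ? -EINVAL : 0;
}

/* ->newlink before the fix: the out_fail path frees dev itself. */
static int vrf_newlink_buggy(struct net_device_model *dev)
{
	void *vrf_ptr = malloc(16);
	int err;

	if (!vrf_ptr)
		return -ENOMEM;
	err = register_netdevice_model(dev);
	if (err < 0)
		goto out_fail;
	dev->vrf_ptr = vrf_ptr;
	return 0;
out_fail:
	free(vrf_ptr);
	free_netdev_model(dev);	/* BUG: the caller frees dev as well */
	return err;
}

/* ->newlink after the fix: release only what this function allocated. */
static int vrf_newlink_fixed(struct net_device_model *dev)
{
	void *vrf_ptr = malloc(16);
	int err;

	if (!vrf_ptr)
		return -ENOMEM;
	err = register_netdevice_model(dev);
	if (err < 0)
		goto out_fail;
	dev->vrf_ptr = vrf_ptr;
	return 0;
out_fail:
	free(vrf_ptr);
	/* dev is owned by rtnl_newlink_model(), which frees it on failure */
	return err;
}

/* Model of rtnl_newlink(): allocate the device, run ->newlink, free the
 * device if ->newlink failed.  Returns the number of free requests for this
 * attempt: 1 is correct on failure, 0 on success, 2 is the double free. */
static int rtnl_newlink_model(const char *name,
			      int (*newlink)(struct net_device_model *))
{
	struct net_device_model *dev = calloc(1, sizeof(*dev));
	int err;

	if (!dev)
		return -ENOMEM;
	snprintf(dev->name, sizeof dev->name, "%s", name);
	free_requests = 0;
	err = newlink(dev);
	if (err < 0)
		free_netdev_model(dev);	/* the owner's free, the only legitimate one */
	free(dev->vrf_ptr);		/* model teardown, not kernel logic */
	free(dev);
	return free_requests;
}

/* The commit message's reproducer: "ip link add vrf: type vrf table 1"
 * repeated.  Returns the total number of device frees requested. */
static int run_reproducer(int (*newlink)(struct net_device_model *), int attempts)
{
	int total = 0;

	for (int i = 0; i < attempts; i++)
		total += rtnl_newlink_model("vrf:", newlink);
	return total;
}

int main(void)
{
	printf("buggy driver, 5 bad names: %d frees (10 = double free)\n",
	       run_reproducer(vrf_newlink_buggy, 5));
	printf("fixed driver, 5 bad names: %d frees\n",
	       run_reproducer(vrf_newlink_fixed, 5));
	printf("fixed driver, valid name:  %d frees\n",
	       rtnl_newlink_model("vrf0", vrf_newlink_fixed));
	return 0;
}
```

Build with `cc -Wall -std=c99 model.c && ./a.out`. The only thing the fixed driver changes is who frees dev; the kfree() of the driver's own private data stays in the driver, which is the split the 4.3 backport note describes. Against a real kernel without the upstream commit, the loop from the commit message in a VM is the equivalent check.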