From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, James Chapman, "David S. Miller"
Subject: [PATCH 4.15 084/122] l2tp: don't use inet_shutdown on ppp session destroy
Date: Wed, 7 Mar 2018 11:38:16 -0800
Message-Id: <20180307191741.438364863@linuxfoundation.org>
In-Reply-To: <20180307191729.190879024@linuxfoundation.org>
References: <20180307191729.190879024@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch. If anyone has any objections, please let me know.

------------------
From: James Chapman

[ Upstream commit 225eb26489d05c679a4c4197ffcb81c81e9dcaf4 ]

Previously, if a ppp session was closed, we called inet_shutdown to mark
the socket as unconnected such that userspace would get errors and then
close the socket. This could race with userspace closing the socket.
Instead, leave userspace to close the socket in its own time (our
session will be detached anyway).

BUG: KASAN: use-after-free in inet_shutdown+0x5d/0x1c0
Read of size 4 at addr ffff880010ea3ac0 by task syzbot_347bd5ac/8296

CPU: 3 PID: 8296 Comm: syzbot_347bd5ac Not tainted 4.16.0-rc1+ #91
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Call Trace:
 dump_stack+0x101/0x157
 ? inet_shutdown+0x5d/0x1c0
 print_address_description+0x78/0x260
 ? inet_shutdown+0x5d/0x1c0
 kasan_report+0x240/0x360
 __asan_load4+0x78/0x80
 inet_shutdown+0x5d/0x1c0
 ? pppol2tp_show+0x80/0x80
 pppol2tp_session_close+0x68/0xb0
 l2tp_tunnel_closeall+0x199/0x210
 ? udp_v6_flush_pending_frames+0x90/0x90
 l2tp_udp_encap_destroy+0x6b/0xc0
 ? l2tp_tunnel_del_work+0x2e0/0x2e0
 udpv6_destroy_sock+0x8c/0x90
 sk_common_release+0x47/0x190
 udp_lib_close+0x15/0x20
 inet_release+0x85/0xd0
 inet6_release+0x43/0x60
 sock_release+0x53/0x100
 ? sock_alloc_file+0x260/0x260
 sock_close+0x1b/0x20
 __fput+0x19f/0x380
 ____fput+0x1a/0x20
 task_work_run+0xd2/0x110
 exit_to_usermode_loop+0x18d/0x190
 do_syscall_64+0x389/0x3b0
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x7fe240a45259
RSP: 002b:00007fe241132df8 EFLAGS: 00000297 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe240a45259
RDX: 00007fe240a45259 RSI: 0000000000000000 RDI: 00000000000000a5
RBP: 00007fe241132e20 R08: 00007fe241133700 R09: 0000000000000000
R10: 00007fe241133700 R11: 0000000000000297 R12: 0000000000000000
R13: 00007ffc49aff84f R14: 0000000000000000 R15: 00007fe241141040

Allocated by task 8331:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kasan_slab_alloc+0x12/0x20
 kmem_cache_alloc+0x144/0x3e0
 sock_alloc_inode+0x22/0x130
 alloc_inode+0x3d/0xf0
 new_inode_pseudo+0x1c/0x90
 sock_alloc+0x30/0x110
 __sock_create+0xaa/0x4c0
 SyS_socket+0xbe/0x130
 do_syscall_64+0x128/0x3b0
 entry_SYSCALL_64_after_hwframe+0x26/0x9b

Freed by task 8314:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x11a/0x170
 kasan_slab_free+0xe/0x10
 kmem_cache_free+0x88/0x2b0
 sock_destroy_inode+0x49/0x50
 destroy_inode+0x77/0xb0
 evict+0x285/0x340
 iput+0x429/0x530
 dentry_unlink_inode+0x28c/0x2c0
 __dentry_kill+0x1e3/0x2f0
 dput.part.21+0x500/0x560
 dput+0x24/0x30
 __fput+0x2aa/0x380
 ____fput+0x1a/0x20
 task_work_run+0xd2/0x110
 exit_to_usermode_loop+0x18d/0x190
 do_syscall_64+0x389/0x3b0
 entry_SYSCALL_64_after_hwframe+0x26/0x9b

Fixes: fd558d186df2c ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: James Chapman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/l2tp/l2tp_ppp.c | 10 ----------
 1 file changed, 10 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -420,16 +420,6 @@ abort: */ static void pppol2tp_session_close(struct l2tp_session *session) { - struct sock *sk; - - BUG_ON(session->magic != L2TP_SESSION_MAGIC); - - sk = pppol2tp_session_get_sock(session); - if (sk) { - if (sk->sk_socket) - inet_shutdown(sk->sk_socket, SEND_SHUTDOWN); - sock_put(sk); - } } /* Really kill the session socket. (Called from sock_put() if
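Review bot: the hunk drops the BUG_ON(session->magic != L2TP_SESSION_MAGIC) sanity check together with the inet_shutdown() call, but the changelog only justifies removing the shutdown; either keep that single check in the now-empty function or state in the commit message that the magic check is intentionally gone as well. Separately, with every statement removed, pppol2tp_session_close() is left as an empty stub: if the code that invokes the session_close hook already tolerates a NULL pointer (not visible in this hunk), clearing the hook where it is assigned would express the intent more clearly than keeping the stub; failing that, a one-line comment in the empty body saying why nothing is done here (userspace closes the socket in its own time, the session is detached anyway, as the changelog says) would save the next reader from wondering whether the body was lost by mistake.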