From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexey Kodanev, "David S. Miller", Sasha Levin
Subject: [PATCH 4.14 134/496] macvlan: fix use-after-free in macvlan_common_newlink()
Date: Mon, 28 May 2018 11:58:39 +0200
Message-Id: <20180528100325.585248818@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100319.498712256@linuxfoundation.org>
References: <20180528100319.498712256@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Alexey Kodanev

[ Upstream commit 4e14bf4236490306004782813b8b4494b18f5e60 ]

The following use-after-free was reported by KASan when running LTP
macvtap01 test on 4.16-rc2:

[10642.528443] BUG: KASAN: use-after-free in macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
[10642.626607] Read of size 8 at addr ffff880ba49f2100 by task ip/18450
...
[10642.963873] Call Trace:
[10642.994352]  dump_stack+0x5c/0x7c
[10643.035325]  print_address_description+0x75/0x290
[10643.092938]  kasan_report+0x28d/0x390
[10643.137971]  ? macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
[10643.207963]  macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
[10643.275978]  macvtap_newlink+0x171/0x260 [macvtap]
[10643.334532]  rtnl_newlink+0xd4f/0x1300
...
[10646.256176] Allocated by task 18450:
[10646.299964]  kasan_kmalloc+0xa6/0xd0
[10646.343746]  kmem_cache_alloc_trace+0xf1/0x210
[10646.397826]  macvlan_common_newlink+0x6de/0x14a0 [macvlan]
[10646.464386]  macvtap_newlink+0x171/0x260 [macvtap]
[10646.522728]  rtnl_newlink+0xd4f/0x1300
...
[10647.022028] Freed by task 18450:
[10647.061549]  __kasan_slab_free+0x138/0x180
[10647.111468]  kfree+0x9e/0x1c0
[10647.147869]  macvlan_port_destroy+0x3db/0x650 [macvlan]
[10647.211411]  rollback_registered_many+0x5b9/0xb10
[10647.268715]  rollback_registered+0xd9/0x190
[10647.319675]  register_netdevice+0x8eb/0xc70
[10647.370635]  macvlan_common_newlink+0xe58/0x14a0 [macvlan]
[10647.437195]  macvtap_newlink+0x171/0x260 [macvtap]

Commit d02fd6e7d293 ("macvlan: Fix one possible double free") handles
the case when register_netdevice() invokes ndo_uninit() on error and
as a result frees the port. But the 'macvlan_port_get_rtnl(dev)' check
(returns dev->rx_handler_data), which was added by this commit in order
to prevent double free, is not quite correct:

  * for macvlan it always returns NULL because 'lowerdev' is the one
    that was used to register rx handler (port) in macvlan_port_create()
    as well as to unregister it in macvlan_port_destroy().
* for macvtap it always returns a valid pointer because macvtap registers its own rx handler before macvlan_common_newlink(). Fixes: d02fd6e7d293 ("macvlan: Fix one possible double free") Signed-off-by: Alexey Kodanev Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/macvlan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -1448,7 +1448,7 @@ destroy_macvlan_port: /* the macvlan port may be freed by macvlan_uninit when fail to register. * so we destroy the macvlan port only when it's valid. */ - if (create && macvlan_port_get_rtnl(dev)) + if (create && macvlan_port_get_rtnl(lowerdev)) macvlan_port_destroy(port->dev); return err; }
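Review bot: the guard now reads rx_handler_data from lowerdev, the device macvlan_port_create() registered the port on, so a NULL result really means macvlan_port_destroy() already ran from macvlan_uninit() and the port is gone; with `dev` the lookup returned NULL for plain macvlan (the port was never destroyed on a failure that did not reach ndo_uninit, so it leaked) and macvtap's own handler data for macvtap (so `port->dev` was read from freed memory, the "Read of size 8" in the KASAN report). One thing still worth tightening while this line is touched: `port` itself is dangling on the uninit path and is safe only because `macvlan_port_destroy(port->dev)` sits behind the short-circuit; passing `lowerdev` directly instead of `port->dev` would remove the last read through the stale pointer. The comment above the check could also be corrected from "when fail to register" to "when it fails to register".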
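As an added illustration (not part of the patch or of the kernel source), the following constructed C model replays the cases the commit message describes: the port is registered on lowerdev by the model of macvlan_port_create(), macvtap keeps its own rx handler on the new device, and the error path decides whether to destroy the port by reading rx_handler_data from either `dev` (the check before the fix) or `lowerdev` (after it). The structures, function names and the `freed` flag are simplified stand-ins chosen for this example; the port is marked freed rather than actually freed so the bad path is reported instead of executed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins for the kernel structures (constructed for this example,
 * not the kernel's definitions): only the fields the bug depends on. */
struct net_device {
    const char *name;
    void *rx_handler_data;      /* what macvlan_port_get_rtnl() reads */
};

struct macvlan_port {
    struct net_device *dev;     /* lower device the port is registered on */
    int freed;                  /* example-only flag that stands in for kfree() */
};

enum outcome { DESTROYED, SKIPPED, LEAKED, USE_AFTER_FREE };

/* Models macvlan_port_create(): the handler is registered on LOWERDEV. */
static struct macvlan_port *port_create(struct net_device *lowerdev)
{
    struct macvlan_port *port = calloc(1, sizeof(*port));
    port->dev = lowerdev;
    lowerdev->rx_handler_data = port;
    return port;
}

/* Models macvlan_port_destroy(): unregister from lowerdev, free the port. */
static void port_destroy(struct net_device *lowerdev)
{
    struct macvlan_port *port = lowerdev->rx_handler_data;
    lowerdev->rx_handler_data = NULL;
    port->freed = 1;            /* the real code does kfree(port) here */
}

/* Error path of macvlan_common_newlink() after register_netdevice() failed.
 * uninit_ran: whether register_netdevice() already ran ndo_uninit
 *             (macvlan_uninit -> macvlan_port_destroy) before failing.
 * check_dev:  whose rx_handler_data the guard consults, `dev` before the
 *             fix or `lowerdev` after it. */
static enum outcome newlink_error_path(struct net_device *lowerdev,
                                       struct net_device *check_dev,
                                       int uninit_ran)
{
    struct macvlan_port *port = port_create(lowerdev);
    enum outcome result;

    if (uninit_ran)
        port_destroy(lowerdev);  /* `port` is now dangling */

    /* if (create && macvlan_port_get_rtnl(check_dev))
     *         macvlan_port_destroy(port->dev); */
    if (check_dev->rx_handler_data) {
        if (port->freed) {
            result = USE_AFTER_FREE;   /* reading port->dev from freed memory */
        } else {
            port_destroy(port->dev);
            result = DESTROYED;
        }
    } else {
        result = port->freed ? SKIPPED : LEAKED;
    }
    free(port);                 /* example bookkeeping only */
    return result;
}

/* Replay one scenario. macvtap registers its own rx handler on the new
 * device before macvlan_common_newlink() runs; plain macvlan does not. */
static enum outcome replay(int is_macvtap, int check_lowerdev, int uninit_ran)
{
    struct net_device lower = { "eth0", NULL };
    struct net_device upper = { "macvtap0", NULL };
    static int macvtap_handler;  /* stands in for macvtap's rx_handler_data */

    if (is_macvtap)
        upper.rx_handler_data = &macvtap_handler;
    return newlink_error_path(&lower, check_lowerdev ? &lower : &upper, uninit_ran);
}

int main(void)
{
    static const char *names[] = { "destroyed", "skipped", "LEAKED", "USE-AFTER-FREE" };
    int tap, low, un;

    for (tap = 0; tap < 2; tap++)
        for (low = 0; low < 2; low++)
            for (un = 0; un < 2; un++)
                printf("%-7s guard=%-8s uninit_ran=%d -> %s\n",
                       tap ? "macvtap" : "macvlan", low ? "lowerdev" : "dev",
                       un, names[replay(tap, low, un)]);
    return 0;
}
```

Running it prints the eight combinations; only the `lowerdev` guard yields "destroyed" or "skipped" in every case, while the `dev` guard leaks the port for macvlan when ndo_uninit did not run and reads the freed port for macvtap when it did, which is exactly the split the commit message describes.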