From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+a25307ad099309f1c2b9@syzkaller.appspotmail.com, Xin Long, Ying Xue, Jon Maloy, "David S. Miller"
Subject: [PATCH 5.0 024/146] tipc: change to check tipc_own_id to return in tipc_net_stop
Date: Mon, 1 Apr 2019 19:00:36 +0200
Message-Id: <20190401170050.596656476@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190401170048.449559024@linuxfoundation.org>
References: <20190401170048.449559024@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

5.0-stable review patch. If anyone has any objections, please let me know.

------------------
From: Xin Long

[ Upstream commit 9926cb5f8b0f0aea535735185600d74db7608550 ]

When running a syz script, a panic occurred:

  [  156.088228] BUG: KASAN: use-after-free in tipc_disc_timeout+0x9c9/0xb20 [tipc]
  [  156.094315] Call Trace:
  [  156.094844]
  [  156.095306]  dump_stack+0x7c/0xc0
  [  156.097346]  print_address_description+0x65/0x22e
  [  156.100445]  kasan_report.cold.3+0x37/0x7a
  [  156.102402]  tipc_disc_timeout+0x9c9/0xb20 [tipc]
  [  156.106517]  call_timer_fn+0x19a/0x610
  [  156.112749]  run_timer_softirq+0xb51/0x1090

It was caused by the netns freed without deleting the discoverer timer,
while later on the netns would be accessed in the timer handler.

The timer should have been deleted by tipc_net_stop() when cleaning up a
netns. However, tipc has been able to enable a bearer and start d->timer
without the local node_addr set since Commit 52dfae5c85a4 ("tipc: obtain
node identity from interface by default"), which caused the timer not to
be deleted in tipc_net_stop() then.

So fix it in tipc_net_stop() by changing to check local node_id instead
of local node_addr, as Jon suggested.

While at it, remove the calling of tipc_nametbl_withdraw() there, since
tipc_nametbl_stop() will take care of the nametbl's freeing after.

Fixes: 52dfae5c85a4 ("tipc: obtain node identity from interface by default")
Reported-by: syzbot+a25307ad099309f1c2b9@syzkaller.appspotmail.com
Signed-off-by: Xin Long
Acked-by: Ying Xue
Acked-by: Jon Maloy
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/tipc/net.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/net/tipc/net.c +++ b/net/tipc/net.c @@ -163,12 +163,9 @@ void tipc_sched_net_finalize(struct net void tipc_net_stop(struct net *net) { - u32 self = tipc_own_addr(net); - - if (!self) + if (!tipc_own_id(net)) return; - tipc_nametbl_withdraw(net, TIPC_CFG_SRV, self, self, self); rtnl_lock(); tipc_bearer_stop(net); tipc_node_stop(net);
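Review bot: the early return `if (!tipc_own_id(net)) return;` now gates tipc_bearer_stop() and tipc_node_stop() on the node identity instead of the node address, so the use-after-free fix depends on the invariant that no bearer (and hence no discoverer timer) can be enabled while the node id is unset; the commit message asserts this for the 52dfae5c85a4 path but the hunk does not show it, so a one-line comment above the check stating that invariant would help the next reader. Likewise, dropping `tipc_nametbl_withdraw(net, TIPC_CFG_SRV, self, self, self);` is only safe if tipc_nametbl_stop() still runs later in the netns exit path, as the message claims; worth naming that ordering in the comment as well, since an early-return path that skips teardown is exactly the shape of bug being fixed here.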