Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp10423236ybi; Wed, 24 Jul 2019 22:58:11 -0700 (PDT) X-Google-Smtp-Source: APXvYqzKBgkIfD9He2xJIcgLBKNqn0w8HrXfPmHlvph2OR2WzVieGEzGsoIVvYEbFVqSfrdUvoqM X-Received: by 2002:a17:902:2b8a:: with SMTP id l10mr89081493plb.283.1564034291646; Wed, 24 Jul 2019 22:58:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564034291; cv=none; d=google.com; s=arc-20160816; b=A3GjlixWKmmUwsX1HSTcNjz2oaKmH/w10oIGCoBEvHLb3gw+a7Edh17nJ/0ha1QOqw 1w0ZfFnV/HouxFly6SpT3PDgh6Nssv43hjk56lRVNmraQ3FhlZ4AfTLVdc3OckzllShx HLXeKL0+xJC72k7ruhqWJflT1uumGc9NIDG9RkuZMXZQdXDduEBr0g212bUoO1YYUpVJ ssXE3gOBfDxjOWK5fhJTrc/QeQc3VDfsq9z0C3WY53LafAJ9cojPM0NwQEQYGt9rZZkZ L2e/XV91GuxmijVWheEv+9eBs//jZ5qbbBL0f82dG9r0KpvA7DJ6iHzoXgklZXwzizzk 0GDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=vujGcrm+EPJNA8XoPIXj/ztHt/uNnrYRikZEs+CcHQw=; b=n9Qrxpx0nN537LfodOf9uGIB88TWZq5EyqQV9aiWaeqZep8JqFrUXK200kAD1jyYny 9u4AywX8ligzY1+OIOGkYjXUlkYR7w+OHLLcsMmK39+3gFoqRRlOJ9/xekQOWY0QZn9Q pxTemram/RQ1s6cU078p8f20tpO0uzj9VkVxAsY5jsz0pyHGr4EKS3ywvKAdyyba8Oj4 s2NKKgoQmTiafjjgY241fvNLztNdd+NSRHaFe/qGHyvr2JZkMdoAGc6u4yiBnM2SGW3z vQwLrkfpM8a2X+Bz+aGbdRib1g/314IJsoDxxGXOC9yU/uuFXYy+R4GQdy/ODL22dUha lfzg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=K4XLDiEN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p11si17951572plk.67.2019.07.24.22.57.56; Wed, 24 Jul 2019 22:58:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=K4XLDiEN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404682AbfGYFlf (ORCPT + 99 others); Thu, 25 Jul 2019 01:41:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:56356 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404663AbfGYFld (ORCPT ); Thu, 25 Jul 2019 01:41:33 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 76A3D21850; Thu, 25 Jul 2019 05:41:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1564033292; bh=Om+RSEnBVIqEC2Wx/zm23Bmv7u5IaK1MazPo8HgHmHU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=K4XLDiENtlN8Hw9Zde8mXZ7DI26239QRtruvikVlAS2Gxeb+9zCHqWZ1QhwJ2+vOG rMbPuE/+Cg0UvVYDiUz4MlKQwX4lXYV+3AsjYY/E5lvVtYtpAKs90IgTqyefQZEQyC O0kv/pNgTQXaLGOc0WeCftqSU7AehirgYXFVG18w= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Taehee Yoo , "David S. Miller" , Sasha Levin Subject: [PATCH 4.19 157/271] gtp: fix use-after-free in gtp_newlink() Date: Wed, 24 Jul 2019 21:20:26 +0200 Message-Id: <20190724191708.660363470@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190724191655.268628197@linuxfoundation.org> References: <20190724191655.268628197@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ] Current gtp_newlink() could be called after unregister_pernet_subsys(). gtp_newlink() uses gtp_net but it can be destroyed by unregister_pernet_subsys(). So unregister_pernet_subsys() should be called after rtnl_link_unregister(). Test commands: #SHELL 1 while : do for i in {1..5} do ./gtp-link add gtp$i & done killall gtp-link done #SHELL 2 while : do modprobe -rv gtp done Splat looks like: [ 753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp] [ 753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126 [ 753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G W 5.2.0-rc6+ #50 [ 753.185801] Call Trace: [ 753.186264] dump_stack+0x7c/0xbb [ 753.186863] ? gtp_newlink+0x9b4/0xa5c [gtp] [ 753.187583] print_address_description+0xc7/0x240 [ 753.188382] ? gtp_newlink+0x9b4/0xa5c [gtp] [ 753.189097] ? gtp_newlink+0x9b4/0xa5c [gtp] [ 753.189846] __kasan_report+0x12a/0x16f [ 753.190542] ? gtp_newlink+0x9b4/0xa5c [gtp] [ 753.191298] kasan_report+0xe/0x20 [ 753.191893] gtp_newlink+0x9b4/0xa5c [gtp] [ 753.192580] ? __netlink_ns_capable+0xc3/0xf0 [ 753.193370] __rtnl_newlink+0xb9f/0x11b0 [ ... ] [ 753.241201] Allocated by task 7186: [ 753.241844] save_stack+0x19/0x80 [ 753.242399] __kasan_kmalloc.constprop.3+0xa0/0xd0 [ 753.243192] __kmalloc+0x13e/0x300 [ 753.243764] ops_init+0xd6/0x350 [ 753.244314] register_pernet_operations+0x249/0x6f0 [ ... ] [ 753.251770] Freed by task 7178: [ 753.252288] save_stack+0x19/0x80 [ 753.252833] __kasan_slab_free+0x111/0x150 [ 753.253962] kfree+0xc7/0x280 [ 753.254509] ops_free_list.part.11+0x1c4/0x2d0 [ 753.255241] unregister_pernet_operations+0x262/0x390 [ ... ] [ 753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next. [ 753.287241] ------------[ cut here ]------------ [ 753.287794] kernel BUG at lib/list_debug.c:25! [ 753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI [ 753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G B W 5.2.0-rc6+ #50 [ 753.291036] RIP: 0010:__list_add_valid+0x74/0xd0 [ 753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b [ 753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286 [ 753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000 [ 753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69 [ 753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21 [ 753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878 [ 753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458 [ 753.299564] FS: 00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000 [ 753.300533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0 [ 753.302183] Call Trace: [ 753.302530] gtp_newlink+0x5f6/0xa5c [gtp] [ 753.303037] ? __netlink_ns_capable+0xc3/0xf0 [ 753.303576] __rtnl_newlink+0xb9f/0x11b0 [ 753.304092] ? rtnl_link_unregister+0x230/0x230 Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") Signed-off-by: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/gtp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index 61e9b288d2dc..d178d5bad7e4 100644 --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c @@ -1385,9 +1385,9 @@ late_initcall(gtp_init); static void __exit gtp_fini(void) { - unregister_pernet_subsys(>p_net_ops); genl_unregister_family(>p_genl_family); rtnl_link_unregister(>p_link_ops); + unregister_pernet_subsys(>p_net_ops); pr_info("GTP module unloaded\n"); } -- 2.20.1