From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Marek Majkowski, Lorenzo Bianconi, David Ahern, "David S. Miller"
Subject: [PATCH 4.14 188/293] net: neigh: fix multiple neigh timer scheduling
Date: Mon, 29 Jul 2019 21:21:19 +0200
Message-Id: <20190729190838.901164448@linuxfoundation.org>
In-Reply-To: <20190729190820.321094988@linuxfoundation.org>
References: <20190729190820.321094988@linuxfoundation.org>

From: Lorenzo Bianconi

[ Upstream commit 071c37983d99da07797294ea78e9da1a6e287144 ]

Neigh timer can be scheduled multiple times from userspace adding multiple neigh entries and forcing the neigh timer scheduling passing NTF_USE in the netlink requests. This will result in a refcount leak and in the following dump stack:

[ 32.465295] NEIGH: BUG, double timer add, state is 8
[ 32.465308] CPU: 0 PID: 416 Comm: double_timer_ad Not tainted 5.2.0+ #65
[ 32.465311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
[ 32.465313] Call Trace:
[ 32.465318] dump_stack+0x7c/0xc0
[ 32.465323] __neigh_event_send+0x20c/0x880
[ 32.465326] ? ___neigh_create+0x846/0xfb0
[ 32.465329] ? neigh_lookup+0x2a9/0x410
[ 32.465332] ? neightbl_fill_info.constprop.0+0x800/0x800
[ 32.465334] neigh_add+0x4f8/0x5e0
[ 32.465337] ? neigh_xmit+0x620/0x620
[ 32.465341] ? find_held_lock+0x85/0xa0
[ 32.465345] rtnetlink_rcv_msg+0x204/0x570
[ 32.465348] ? rtnl_dellink+0x450/0x450
[ 32.465351] ? mark_held_locks+0x90/0x90
[ 32.465354] ? match_held_lock+0x1b/0x230
[ 32.465357] netlink_rcv_skb+0xc4/0x1d0
[ 32.465360] ? rtnl_dellink+0x450/0x450
[ 32.465363] ? netlink_ack+0x420/0x420
[ 32.465366] ? netlink_deliver_tap+0x115/0x560
[ 32.465369] ? __alloc_skb+0xc9/0x2f0
[ 32.465372] netlink_unicast+0x270/0x330
[ 32.465375] ? netlink_attachskb+0x2f0/0x2f0
[ 32.465378] netlink_sendmsg+0x34f/0x5a0
[ 32.465381] ? netlink_unicast+0x330/0x330
[ 32.465385] ? move_addr_to_kernel.part.0+0x20/0x20
[ 32.465388] ? netlink_unicast+0x330/0x330
[ 32.465391] sock_sendmsg+0x91/0xa0
[ 32.465394] ___sys_sendmsg+0x407/0x480
[ 32.465397] ? copy_msghdr_from_user+0x200/0x200
[ 32.465401] ? _raw_spin_unlock_irqrestore+0x37/0x40
[ 32.465404] ? lockdep_hardirqs_on+0x17d/0x250
[ 32.465407] ? __wake_up_common_lock+0xcb/0x110
[ 32.465410] ? __wake_up_common+0x230/0x230
[ 32.465413] ? netlink_bind+0x3e1/0x490
[ 32.465416] ? netlink_setsockopt+0x540/0x540
[ 32.465420] ? __fget_light+0x9c/0xf0
[ 32.465423] ? sockfd_lookup_light+0x8c/0xb0
[ 32.465426] __sys_sendmsg+0xa5/0x110
[ 32.465429] ? __ia32_sys_shutdown+0x30/0x30
[ 32.465432] ? __fd_install+0xe1/0x2c0
[ 32.465435] ? lockdep_hardirqs_off+0xb5/0x100
[ 32.465438] ? mark_held_locks+0x24/0x90
[ 32.465441] ? do_syscall_64+0xf/0x270
[ 32.465444] do_syscall_64+0x63/0x270
[ 32.465448] entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fix the issue unscheduling neigh_timer if selected entry is in 'IN_TIMER' receiving a netlink request with NTF_USE flag set

Reported-by: Marek Majkowski
Fixes: 0c5c2d308906 ("neigh: Allow for user space users of the neighbour table")
Signed-off-by: Lorenzo Bianconi
Reviewed-by: David Ahern
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/core/neighbour.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1018,6 +1018,7 @@ int __neigh_event_send(struct neighbour atomic_set(&neigh->probes, NEIGH_VAR(neigh->parms, UCAST_PROBES)); + neigh_del_timer(neigh); neigh->nud_state = NUD_INCOMPLETE; neigh->updated = now; next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME), @@ -1034,6 +1035,7 @@ int __neigh_event_send(struct neighbour } } else if (neigh->nud_state & NUD_STALE) { neigh_dbg(2, "neigh %p is delayed\n", neigh); + neigh_del_timer(neigh); neigh->nud_state = NUD_DELAY; neigh->updated = jiffies; neigh_add_timer(neigh, jiffies +
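
Review bot: in the first hunk (@@ -1018), the added `neigh_del_timer(neigh);` sits directly above `neigh->nud_state = NUD_INCOMPLETE;` with no comment, so the code does not say why a timer can already be pending at this point or whether the call has to stay ahead of the state assignment. A one-line comment above the call naming the NTF_USE netlink path from the commit message, and stating the ordering requirement if there is one, would keep a later cleanup from moving or dropping it.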
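
Review bot: in the second hunk (@@ -1034), `neigh_del_timer(neigh);` is added inside the `else if (neigh->nud_state & NUD_STALE)` branch, while the commit message describes the fix as applying when the selected entry is in 'IN_TIMER'. The message or a comment at the call should say how a timer can be pending for an entry that takes the STALE branch, or state that the call is defensive here, so the two added lines are not read as covering the same case.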