Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3993439ybi; Mon, 29 Jul 2019 17:04:42 -0700 (PDT) X-Google-Smtp-Source: APXvYqw1bfWtHBdGvKXZxjAmCGy+VlKTQlBgWNm+V6Z5m5nz15tilxXbv2hu8Gu9e6mtLtnbHqhA X-Received: by 2002:a17:90b:8d8:: with SMTP id ds24mr38095917pjb.135.1564445082334; Mon, 29 Jul 2019 17:04:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564445082; cv=none; d=google.com; s=arc-20160816; b=KRMp3hagtlxZvUu6IRa8nPP1Pn4EA6YVc+oaPzLoSjAblFDT0Grc74ZVTeOCtz2ocy WFI5i6zLnjtoK+P9s5f8cWdBwYw8uZkQiRJqsWDgt8Oxnpn9ijY8dXn95Nmahy5crlo7 /mOC08S7iS/4oiCGYUS8CMHzaQu0lV/xN057ZZZWRvVxelATHDrlKDTuVAfIkMj374Bh VaTU4/6GtJ5vV82wna+JZKmdRX99UQMqNOAsouaiUbsUfiMIIA/v3ZXdFJjpb1e+70Ic OKwmU0LxMvNJ4KR6to/fhkIStD3H/mr0mxvgivPQIyz878SowC8ozoeRAYboPq7rJR+4 mv5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=79i84VK1VNzLB8PFLzGp/53bwaga8RLINSyHMMtUsmk=; b=qay9yiWY9sapiKo9XENV6aZw0l8KTOCjBrCkImTIa+gF0O7knbGWu27X8mWqn33p+6 w0KuM1QCWwJ7I7r+WmBVsUhw7YpIhIH0yfES6vqurMYXewO3gF4xD39tl9itJDiK7Aru q0qb7LR8qZGRzmkyyUHkBkQqTTbSVFzDuGOcKT9HJsrzxBhkDsdvFyaS07ssIL+hILTA +A/YD58Ad/xr3mGxZVwcKQ/0GadUUXd/mn2vOGigUd4o384pwnnJ6asbNGVqt4Ra0GKn R8WxpB+oSrrr7jh+3nJszWj6K/wCyk/BHPHBY6rjfx6DJGGbcXkUM0cGL9jnIHV+4fVe cg6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=H3ptF23V; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c1si28803976pfc.80.2019.07.29.17.04.27; Mon, 29 Jul 2019 17:04:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=H3ptF23V; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729345AbfG2TbF (ORCPT + 99 others); Mon, 29 Jul 2019 15:31:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:43602 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387721AbfG2Tay (ORCPT ); Mon, 29 Jul 2019 15:30:54 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id EEEC821773; Mon, 29 Jul 2019 19:30:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1564428653; bh=YfrtAlTDMaGbD31avhiiyyz9XKuXeJiCuYsHTAbOCDA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=H3ptF23VFfrl15hU2y9WlzlANIfRvhwee1Zn27G9ooh+qHYLPWtD1yFKktzsgStyp 4H5s3s/RYP9Iwe7Cvzt6FlMiyu+nFGPlRo7Gq+61CRp8pxgIhjeCBWulkT4PSonoj7 TvcSF4Bebv2n+QH4Jn4rPVhkWStlY7e1RY7y/Pww= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Taehee Yoo , "David S. Miller" , Sasha Levin Subject: [PATCH 4.14 104/293] gtp: fix use-after-free in gtp_newlink() Date: Mon, 29 Jul 2019 21:19:55 +0200 Message-Id: <20190729190832.623215940@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190729190820.321094988@linuxfoundation.org> References: <20190729190820.321094988@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ] Current gtp_newlink() could be called after unregister_pernet_subsys(). gtp_newlink() uses gtp_net but it can be destroyed by unregister_pernet_subsys(). So unregister_pernet_subsys() should be called after rtnl_link_unregister(). Test commands: #SHELL 1 while : do for i in {1..5} do ./gtp-link add gtp$i & done killall gtp-link done #SHELL 2 while : do modprobe -rv gtp done Splat looks like: [ 753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp] [ 753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126 [ 753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G W 5.2.0-rc6+ #50 [ 753.185801] Call Trace: [ 753.186264] dump_stack+0x7c/0xbb [ 753.186863] ? gtp_newlink+0x9b4/0xa5c [gtp] [ 753.187583] print_address_description+0xc7/0x240 [ 753.188382] ? gtp_newlink+0x9b4/0xa5c [gtp] [ 753.189097] ? gtp_newlink+0x9b4/0xa5c [gtp] [ 753.189846] __kasan_report+0x12a/0x16f [ 753.190542] ? gtp_newlink+0x9b4/0xa5c [gtp] [ 753.191298] kasan_report+0xe/0x20 [ 753.191893] gtp_newlink+0x9b4/0xa5c [gtp] [ 753.192580] ? __netlink_ns_capable+0xc3/0xf0 [ 753.193370] __rtnl_newlink+0xb9f/0x11b0 [ ... ] [ 753.241201] Allocated by task 7186: [ 753.241844] save_stack+0x19/0x80 [ 753.242399] __kasan_kmalloc.constprop.3+0xa0/0xd0 [ 753.243192] __kmalloc+0x13e/0x300 [ 753.243764] ops_init+0xd6/0x350 [ 753.244314] register_pernet_operations+0x249/0x6f0 [ ... ] [ 753.251770] Freed by task 7178: [ 753.252288] save_stack+0x19/0x80 [ 753.252833] __kasan_slab_free+0x111/0x150 [ 753.253962] kfree+0xc7/0x280 [ 753.254509] ops_free_list.part.11+0x1c4/0x2d0 [ 753.255241] unregister_pernet_operations+0x262/0x390 [ ... ] [ 753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next. [ 753.287241] ------------[ cut here ]------------ [ 753.287794] kernel BUG at lib/list_debug.c:25! [ 753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI [ 753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G B W 5.2.0-rc6+ #50 [ 753.291036] RIP: 0010:__list_add_valid+0x74/0xd0 [ 753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b [ 753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286 [ 753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000 [ 753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69 [ 753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21 [ 753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878 [ 753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458 [ 753.299564] FS: 00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000 [ 753.300533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0 [ 753.302183] Call Trace: [ 753.302530] gtp_newlink+0x5f6/0xa5c [gtp] [ 753.303037] ? __netlink_ns_capable+0xc3/0xf0 [ 753.303576] __rtnl_newlink+0xb9f/0x11b0 [ 753.304092] ? rtnl_link_unregister+0x230/0x230 Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") Signed-off-by: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/gtp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index 53fd66534e3a..5de4053774b8 100644 --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c @@ -1383,9 +1383,9 @@ late_initcall(gtp_init); static void __exit gtp_fini(void) { - unregister_pernet_subsys(>p_net_ops); genl_unregister_family(>p_genl_family); rtnl_link_unregister(>p_link_ops); + unregister_pernet_subsys(>p_net_ops); pr_info("GTP module unloaded\n"); } -- 2.20.1