From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Marek Majkowski, Lorenzo Bianconi, David Ahern, "David S. Miller"
Subject: [PATCH 4.9 136/223] net: neigh: fix multiple neigh timer scheduling
Date: Fri, 2 Aug 2019 11:36:01 +0200
Message-Id: <20190802092247.655489587@linuxfoundation.org>
In-Reply-To: <20190802092238.692035242@linuxfoundation.org>
References: <20190802092238.692035242@linuxfoundation.org>

From: Lorenzo Bianconi

[ Upstream commit 071c37983d99da07797294ea78e9da1a6e287144 ]

Neigh timer can be scheduled multiple times from userspace adding multiple neigh entries and forcing the neigh timer scheduling passing NTF_USE in the netlink requests. This will result in a refcount leak and in the following dump stack:

[ 32.465295] NEIGH: BUG, double timer add, state is 8
[ 32.465308] CPU: 0 PID: 416 Comm: double_timer_ad Not tainted 5.2.0+ #65
[ 32.465311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
[ 32.465313] Call Trace:
[ 32.465318] dump_stack+0x7c/0xc0
[ 32.465323] __neigh_event_send+0x20c/0x880
[ 32.465326] ? ___neigh_create+0x846/0xfb0
[ 32.465329] ? neigh_lookup+0x2a9/0x410
[ 32.465332] ? neightbl_fill_info.constprop.0+0x800/0x800
[ 32.465334] neigh_add+0x4f8/0x5e0
[ 32.465337] ? neigh_xmit+0x620/0x620
[ 32.465341] ? find_held_lock+0x85/0xa0
[ 32.465345] rtnetlink_rcv_msg+0x204/0x570
[ 32.465348] ? rtnl_dellink+0x450/0x450
[ 32.465351] ? mark_held_locks+0x90/0x90
[ 32.465354] ? match_held_lock+0x1b/0x230
[ 32.465357] netlink_rcv_skb+0xc4/0x1d0
[ 32.465360] ? rtnl_dellink+0x450/0x450
[ 32.465363] ? netlink_ack+0x420/0x420
[ 32.465366] ? netlink_deliver_tap+0x115/0x560
[ 32.465369] ? __alloc_skb+0xc9/0x2f0
[ 32.465372] netlink_unicast+0x270/0x330
[ 32.465375] ? netlink_attachskb+0x2f0/0x2f0
[ 32.465378] netlink_sendmsg+0x34f/0x5a0
[ 32.465381] ? netlink_unicast+0x330/0x330
[ 32.465385] ? move_addr_to_kernel.part.0+0x20/0x20
[ 32.465388] ? netlink_unicast+0x330/0x330
[ 32.465391] sock_sendmsg+0x91/0xa0
[ 32.465394] ___sys_sendmsg+0x407/0x480
[ 32.465397] ? copy_msghdr_from_user+0x200/0x200
[ 32.465401] ? _raw_spin_unlock_irqrestore+0x37/0x40
[ 32.465404] ? lockdep_hardirqs_on+0x17d/0x250
[ 32.465407] ? __wake_up_common_lock+0xcb/0x110
[ 32.465410] ? __wake_up_common+0x230/0x230
[ 32.465413] ? netlink_bind+0x3e1/0x490
[ 32.465416] ? netlink_setsockopt+0x540/0x540
[ 32.465420] ? __fget_light+0x9c/0xf0
[ 32.465423] ? sockfd_lookup_light+0x8c/0xb0
[ 32.465426] __sys_sendmsg+0xa5/0x110
[ 32.465429] ? __ia32_sys_shutdown+0x30/0x30
[ 32.465432] ? __fd_install+0xe1/0x2c0
[ 32.465435] ? lockdep_hardirqs_off+0xb5/0x100
[ 32.465438] ? mark_held_locks+0x24/0x90
[ 32.465441] ? do_syscall_64+0xf/0x270
[ 32.465444] do_syscall_64+0x63/0x270
[ 32.465448] entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fix the issue unscheduling neigh_timer if selected entry is in 'IN_TIMER' receiving a netlink request with NTF_USE flag set

Reported-by: Marek Majkowski
Fixes: 0c5c2d308906 ("neigh: Allow for user space users of the neighbour table")
Signed-off-by: Lorenzo Bianconi
Reviewed-by: David Ahern
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
--- net/core/neighbour.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -982,6 +982,7 @@ int __neigh_event_send(struct neighbour atomic_set(&neigh->probes, NEIGH_VAR(neigh->parms, UCAST_PROBES)); + neigh_del_timer(neigh); neigh->nud_state = NUD_INCOMPLETE; neigh->updated = now; next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME), @@ -998,6 +999,7 @@ int __neigh_event_send(struct neighbour } } else if (neigh->nud_state & NUD_STALE) { neigh_dbg(2, "neigh %p is delayed\n", neigh); + neigh_del_timer(neigh); neigh->nud_state = NUD_DELAY; neigh->updated = jiffies; neigh_add_timer(neigh, jiffies +
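
Review bot: In the first hunk (@@ -982,6 +982,7 @@), the added neigh_del_timer(neigh) has an undocumented ordering dependency on the line that follows it, `neigh->nud_state = NUD_INCOMPLETE;`. The commit message says the timer is unscheduled when the selected entry is in 'IN_TIMER', which reads as a check on the state the entry had before this branch overwrites it, so a later cleanup that moves the call below the assignment could silently bring back the double timer add. A one-line comment above the call saying that it must run before nud_state is rewritten, and that it is what drops the pending timer's reference mentioned as the refcount leak, would make that explicit.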
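
Review bot: In the second hunk (@@ -998,6 +999,7 @@), neigh_del_timer(neigh) is called inside the `else if (neigh->nud_state & NUD_STALE)` branch, so the entry is STALE when the call runs, while the commit message describes unscheduling entries that are in 'IN_TIMER'. Please say in the commit message how a STALE entry comes to have a timer pending and confirm that neigh_del_timer() cancels it in that state; if the helper checks nud_state before deleting, this call could be a no-op right before the neigh_add_timer() at the end of the hunk, which is the path the "double timer add" warning guards. A test that sends repeated NTF_USE requests for an entry in each starting state would show whether both branches are covered.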