Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp1187450ybn; Wed, 2 Oct 2019 12:08:59 -0700 (PDT) X-Google-Smtp-Source: APXvYqy/YjIA12EYt4JLRTU400bMycCt9Y4NGoOnhzZgG/V/r57rRoWCShePaCFHhJNugFsLLjjY X-Received: by 2002:a17:906:ccd6:: with SMTP id ot22mr4550984ejb.1.1570043339526; Wed, 02 Oct 2019 12:08:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570043339; cv=none; d=google.com; s=arc-20160816; b=lKTb4SwoxWDsCt/LOATvjoPkGJIcMs8d2hYR+Muo6L7qGpTTuAHU04d7kSS3fGtvHf B436PyP465wx/R97Up3zIaFcjevBvB3YGSFATDG3SLYUQCt3/W43zwcFwCUt71mN0jWp B1s1i8FdE1iC/5mSuyRp9oWz+bsCgteXnN+vy4L8zZ1UxZzVMrZLxsoWD5o4fFKTHb57 wgkokYLmBZxV/IadKkHEpo6/5voSXSeqBuaUTKQq31UJbTEHtQAWFTod4BXZBumf22oX WPeJDsk+ippBy6TVTmR1nx2i/OGzp8BN2Pg2OZ02LBm9x97v8J0lJRwTFf9upF+0Z2d1 k92A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=7m3rvNiB01Z0cLkKdI7yHJEcDu0apCdnWqo04WvHWIE=; b=UF9uRWcollrcFNCuKHYINOOsAu9ydpcay0ejF+k/vzT+7ysSGKHkZudITKo+W39Tyi ze+tJyxeJnGbQe9tA9qndfXKHNOxuJSGw2RaAMpH71RkgnWTnNtiEMSo9jola2Dk4XvE BnPIVbWYuT2pVhn/YPbFzwzQY4NK+jU/379ExdS03T6P2hh7Lw62DOAL1o74GjBmn7ju IvYa+QCa4h2pu4QY7Bqvy7rF37et3KOwwJNv4Q1gfG9Lc0k6ClTpsxFtXoFEJPL9UfXV 6WCDwd0jXoA0Xn2VXRh4Vdp0O+fYJna985YKO8LMwyYrsGexnV+mHKc57i7Zei6EdAue OCoA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z14si10977208ejw.396.2019.10.02.12.08.34; Wed, 02 Oct 2019 12:08:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729354AbfJBTIS (ORCPT + 99 others); Wed, 2 Oct 2019 15:08:18 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35282 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729059AbfJBTIJ (ORCPT ); Wed, 2 Oct 2019 15:08:09 -0400 Received: from [192.168.4.242] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1iFjyn-00035e-RL; Wed, 02 Oct 2019 20:08:05 +0100 Received: from ben by deadeye with local (Exim 4.92.1) (envelope-from ) id 1iFjyn-0003bG-EA; Wed, 02 Oct 2019 20:08:05 +0100 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, Denis Kirjanov , "Eric Dumazet" , "Xin Long" , "Andrey Konovalov" , "David S. Miller" , "WANG Cong" Date: Wed, 02 Oct 2019 20:06:51 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 18/87] igmp: acquire pmc lock for ip_mc_clear_src() In-Reply-To: X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.75-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: WANG Cong commit c38b7d327aafd1e3ad7ff53eefac990673b65667 upstream. Andrey reported a use-after-free in add_grec(): for (psf = *psf_list; psf; psf = psf_next) { ... psf_next = psf->sf_next; where the struct ip_sf_list's were already freed by: kfree+0xe8/0x2b0 mm/slub.c:3882 ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078 ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618 ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609 inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411 sock_release+0x8d/0x1e0 net/socket.c:597 sock_close+0x16/0x20 net/socket.c:1072 This happens because we don't hold pmc->lock in ip_mc_clear_src() and a parallel mr_ifc_timer timer could jump in and access them. The RCU lock is there but it is merely for pmc itself, this spinlock could actually ensure we don't access them in parallel. Thanks to Eric and Long for discussion on this bug. Reported-by: Andrey Konovalov Cc: Eric Dumazet Cc: Xin Long Signed-off-by: Cong Wang Reviewed-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/ipv4/igmp.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -1880,21 +1880,26 @@ static int ip_mc_add_src(struct in_devic static void ip_mc_clear_src(struct ip_mc_list *pmc) { - struct ip_sf_list *psf, *nextpsf; + struct ip_sf_list *psf, *nextpsf, *tomb, *sources; - for (psf = pmc->tomb; psf; psf = nextpsf) { + spin_lock_bh(&pmc->lock); + tomb = pmc->tomb; + pmc->tomb = NULL; + sources = pmc->sources; + pmc->sources = NULL; + pmc->sfmode = MCAST_EXCLUDE; + pmc->sfcount[MCAST_INCLUDE] = 0; + pmc->sfcount[MCAST_EXCLUDE] = 1; + spin_unlock_bh(&pmc->lock); + + for (psf = tomb; psf; psf = nextpsf) { nextpsf = psf->sf_next; kfree(psf); } - pmc->tomb = NULL; - for (psf = pmc->sources; psf; psf = nextpsf) { + for (psf = sources; psf; psf = nextpsf) { nextpsf = psf->sf_next; kfree(psf); } - pmc->sources = NULL; - pmc->sfmode = MCAST_EXCLUDE; - pmc->sfcount[MCAST_INCLUDE] = 0; - pmc->sfcount[MCAST_EXCLUDE] = 1; }