From patchwork Tue Jul 2 15:20:51 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Taehee Yoo
X-Patchwork-Id: 1126300
X-Patchwork-Delegate: davem@davemloft.net
From: Taehee Yoo
To: davem@davemloft.net, pablo@netfilter.org, laforge@gnumonks.org, osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH net 1/6] gtp: fix suspicious RCU usage
Date: Wed, 3 Jul 2019 00:20:51 +0900
Message-Id: <20190702152051.22513-1-ap420073@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

gtp_encap_enable_socket() and gtp_encap_destroy() are not protected by rcu_read_lock(), and it's not safe to write sk->sk_user_data. This patch makes these functions use lock_sock() instead of rcu_dereference_sk_user_data().

Test commands:
gtp-link add gtp1

Splat looks like:
[ 83.238315] =============================
[ 83.239127] WARNING: suspicious RCU usage
[ 83.239702] 5.2.0-rc6+ #49 Not tainted
[ 83.240268] -----------------------------
[ 83.241205] drivers/net/gtp.c:799 suspicious rcu_dereference_check() usage!
[ 83.243828]
[ 83.243828] other info that might help us debug this:
[ 83.243828]
[ 83.246325]
[ 83.246325] rcu_scheduler_active = 2, debug_locks = 1
[ 83.247314] 1 lock held by gtp-link/1008:
[ 83.248523] #0: 0000000017772c7f (rtnl_mutex){+.+.}, at: __rtnl_newlink+0x5f5/0x11b0
[ 83.251503]
[ 83.251503] stack backtrace:
[ 83.252173] CPU: 0 PID: 1008 Comm: gtp-link Not tainted 5.2.0-rc6+ #49
[ 83.253271] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 83.254562] Call Trace:
[ 83.254995] dump_stack+0x7c/0xbb
[ 83.255567] gtp_encap_enable_socket+0x2df/0x360 [gtp]
[ 83.256415] ? gtp_find_dev+0x1a0/0x1a0 [gtp]
[ 83.257161] ? memset+0x1f/0x40
[ 83.257843] gtp_newlink+0x90/0xa21 [gtp]
[ 83.258497] ? __netlink_ns_capable+0xc3/0xf0
[ 83.259260] __rtnl_newlink+0xb9f/0x11b0
[ 83.260022] ? rtnl_link_unregister+0x230/0x230
[ ... ]

Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
Signed-off-by: Taehee Yoo
---
 drivers/net/gtp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index fc45b749db46..939da5442f65 100644 --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c @@ -289,12 +289,14 @@ static void gtp_encap_destroy(struct sock *sk) { struct gtp_dev *gtp; - gtp = rcu_dereference_sk_user_data(sk); + lock_sock(sk); + gtp = sk->sk_user_data; if (gtp) { udp_sk(sk)->encap_type = 0; rcu_assign_sk_user_data(sk, NULL); sock_put(sk); } + release_sock(sk); } static void gtp_encap_disable_sock(struct sock *sk) @@ -796,7 +798,8 @@ static struct sock *gtp_encap_enable_socket(int fd, int type, goto out_sock; } - if (rcu_dereference_sk_user_data(sock->sk)) { + lock_sock(sock->sk); + if (sock->sk->sk_user_data) { sk = ERR_PTR(-EBUSY); goto out_sock; }
@@ -812,6 +815,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type, setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg); out_sock: + release_sock(sock->sk); sockfd_put(sock); return sk; }
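Review bot: in gtp_encap_enable_socket(), release_sock(sock->sk) now sits under the out_sock label, but the "goto out_sock;" visible in the context just above the new lock_sock(sock->sk) reaches that label before the lock is taken, so that path releases a socket lock it never acquired. Add a second label that does release_sock(sock->sk) and falls through to out_sock, and have only the paths after lock_sock() jump to it.
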
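Review bot: in gtp_encap_destroy(), release_sock(sk) runs after sock_put(sk) inside the if (gtp) block, so the function depends on the caller holding another reference to sk. Either move sock_put(sk) below release_sock(sk) or add a comment naming the reference that keeps sk alive at this point. The read is now a plain sk->sk_user_data while the clear still goes through rcu_assign_sk_user_data(); a one-line comment that lock_sock() is what serialises the writers would help the next reader.
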
From: Taehee Yoo
To: davem@davemloft.net, pablo@netfilter.org, laforge@gnumonks.org, osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH net 2/6] gtp: fix use-after-free in gtp_encap_destroy()
Date: Wed, 3 Jul 2019 00:22:25 +0900
Message-Id: <20190702152225.22764-1-ap420073@gmail.com>

gtp_encap_destroy() is called twice:
1. When the interface is deleted.
2. When the UDP socket is destroyed.
Either gtp->sk0 or gtp->sk1u could be freed by sock_put() in gtp_encap_destroy(), so when gtp_encap_destroy() is called again, it would use a freed sk pointer.

This patch makes gtp_encap_destroy() set either gtp->sk0 or gtp->sk1u to NULL. In addition, both the gtp->sk0 and gtp->sk1u pointers are protected by rtnl_lock, so rtnl_lock() is added.

Test command:
gtp-link add gtp1 &
killall gtp-link
ip link del gtp1

Splat looks like:
[ 83.182767] BUG: KASAN: use-after-free in __lock_acquire+0x3a20/0x46a0
[ 83.184128] Read of size 8 at addr ffff8880cc7d5360 by task ip/1008
[ 83.185567] CPU: 1 PID: 1008 Comm: ip Not tainted 5.2.0-rc6+ #50
[ 83.188469] Call Trace:
[ ... ]
[ 83.200126] lock_acquire+0x141/0x380
[ 83.200575] ? lock_sock_nested+0x3a/0xf0
[ 83.201069] _raw_spin_lock_bh+0x38/0x70
[ 83.201551] ? lock_sock_nested+0x3a/0xf0
[ 83.202044] lock_sock_nested+0x3a/0xf0
[ 83.202520] gtp_encap_destroy+0x18/0xe0 [gtp]
[ 83.203065] gtp_encap_disable.isra.14+0x13/0x50 [gtp]
[ 83.203687] gtp_dellink+0x56/0x170 [gtp]
[ 83.204190] rtnl_delete_link+0xb4/0x100
[ ... ]
[ 83.236513] Allocated by task 976:
[ 83.236925] save_stack+0x19/0x80
[ 83.237332] __kasan_kmalloc.constprop.3+0xa0/0xd0
[ 83.237894] kmem_cache_alloc+0xd8/0x280
[ 83.238360] sk_prot_alloc.isra.42+0x50/0x200
[ 83.238874] sk_alloc+0x32/0x940
[ 83.239264] inet_create+0x283/0xc20
[ 83.239684] __sock_create+0x2dd/0x540
[ 83.240136] __sys_socket+0xca/0x1a0
[ 83.240550] __x64_sys_socket+0x6f/0xb0
[ 83.240998] do_syscall_64+0x9c/0x450
[ 83.241466] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.242061]
[ 83.242249] Freed by task 0:
[ 83.242616] save_stack+0x19/0x80
[ 83.243013] __kasan_slab_free+0x111/0x150
[ 83.243498] kmem_cache_free+0x89/0x250
[ 83.244444] __sk_destruct+0x38f/0x5a0
[ 83.245366] rcu_core+0x7e9/0x1c20
[ 83.245766] __do_softirq+0x213/0x8fa

Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
Signed-off-by: Taehee Yoo
---
 drivers/net/gtp.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index 939da5442f65..5101f8c3c99c 100644 --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c @@ -285,13 +285,17 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb) return gtp_rx(pctx, skb, hdrlen, gtp->role); } -static void gtp_encap_destroy(struct sock *sk) +static void __gtp_encap_destroy(struct sock *sk) { struct gtp_dev *gtp; lock_sock(sk); gtp = sk->sk_user_data; if (gtp) { + if (gtp->sk0 == sk) + gtp->sk0 = NULL; + else + gtp->sk1u = NULL; udp_sk(sk)->encap_type = 0; rcu_assign_sk_user_data(sk, NULL); sock_put(sk); @@ -299,12 +303,19 @@ static void gtp_encap_destroy(struct sock *sk) release_sock(sk); } +static void gtp_encap_destroy(struct sock *sk) +{ + rtnl_lock(); + __gtp_encap_destroy(sk); + rtnl_unlock(); +} + static void gtp_encap_disable_sock(struct sock *sk) { if (!sk) return; - gtp_encap_destroy(sk); + __gtp_encap_destroy(sk); } static void gtp_encap_disable(struct gtp_dev *gtp)
@@ -1038,6 +1049,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) return -EINVAL; } + rtnl_lock(); rcu_read_lock(); gtp = gtp_find_dev(sock_net(skb->sk), info->attrs); 
@@ -1062,6 +1074,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) out_unlock: rcu_read_unlock(); + rtnl_unlock(); return err; }
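Review bot: in __gtp_encap_destroy(), the else branch clears gtp->sk1u without checking that gtp->sk1u == sk; write it as "else if (gtp->sk1u == sk)" so the intent is explicit and an unexpected socket cannot silently clear the wrong field. The helper is also called from gtp_encap_disable_sock() without taking rtnl itself, so it assumes the caller already holds it: add ASSERT_RTNL() at the top of __gtp_encap_destroy() and a comment on gtp_encap_destroy() that it must not be entered with rtnl held.
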
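Review bot: in gtp_genl_new_pdp(), rtnl_lock() is taken before rcu_read_lock() and dropped at out_unlock, but the commit message only says gtp->sk0 and gtp->sk1u are protected by rtnl and does not say which access in this function needs it. Add a comment at the rtnl_lock() call naming that access, and confirm that every exit between the two hunks goes through out_unlock so the mutex is always released.
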
From: Taehee Yoo
To: davem@davemloft.net, pablo@netfilter.org, laforge@gnumonks.org, osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH net 3/6] gtp: remove duplicate code in gtp_dellink()
Date: Wed, 3 Jul 2019 00:22:56 +0900
Message-Id: <20190702152256.22884-1-ap420073@gmail.com>

gtp_encap_disable() in gtp_dellink() is unnecessary because it will be called by unregister_netdevice(). unregister_netdevice() internally calls gtp_dev_uninit() by ->ndo_uninit(). And gtp_dev_uninit() calls gtp_encap_disable().

Signed-off-by: Taehee Yoo
---
 drivers/net/gtp.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index 5101f8c3c99c..92ef777a757f 100644 --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c 
@@ -694,7 +694,6 @@ static void gtp_dellink(struct net_device *dev, struct list_head *head) { struct gtp_dev *gtp = netdev_priv(dev); - gtp_encap_disable(gtp); gtp_hashtable_free(gtp); list_del_rcu(>p->list); unregister_netdevice_queue(dev, head);
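Review bot: in gtp_dellink(), the removed gtp_encap_disable(gtp) used to run before gtp_hashtable_free(gtp); with it gone, the sockets are only disabled later from ->ndo_uninit(), after the hash table has been freed and the device unlinked with list_del_rcu(). The commit message explains why the call is redundant but not why the new ordering is safe for packets that arrive on the still-enabled sockets in between. Please cover that in the message, or move gtp_hashtable_free() so the teardown order stays the same.
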
From: Taehee Yoo
To: davem@davemloft.net, pablo@netfilter.org, laforge@gnumonks.org, osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH net 4/6] gtp: fix Illegal context switch in RCU read-side critical section.
Date: Wed, 3 Jul 2019 00:23:13 +0900
Message-Id: <20190702152313.22970-1-ap420073@gmail.com>

ipv4_pdp_add() is called in an RCU read-side critical section, so GFP_KERNEL should not be used in the function. This patch makes ipv4_pdp_add() use GFP_ATOMIC instead of GFP_KERNEL.

Test commands:
gtp-link add gtp1 &
gtp-tunnel add gtp1 v1 100 200 1.1.1.1 2.2.2.2

Splat looks like:
[ 130.618881] =============================
[ 130.626382] WARNING: suspicious RCU usage
[ 130.626994] 5.2.0-rc6+ #50 Not tainted
[ 130.627622] -----------------------------
[ 130.628223] ./include/linux/rcupdate.h:266 Illegal context switch in RCU read-side critical section!
[ 130.629684]
[ 130.629684] other info that might help us debug this:
[ 130.629684]
[ 130.631022]
[ 130.631022] rcu_scheduler_active = 2, debug_locks = 1
[ 130.632136] 4 locks held by gtp-tunnel/1025:
[ 130.632925] #0: 000000002b93c8b7 (cb_lock){++++}, at: genl_rcv+0x15/0x40
[ 130.634159] #1: 00000000f17bc999 (genl_mutex){+.+.}, at: genl_rcv_msg+0xfb/0x130
[ 130.635487] #2: 00000000c644ed8e (rtnl_mutex){+.+.}, at: gtp_genl_new_pdp+0x18c/0x1150 [gtp]
[ 130.636936] #3: 0000000007a1cde7 (rcu_read_lock){....}, at: gtp_genl_new_pdp+0x187/0x1150 [gtp]
[ 130.638348]
[ 130.638348] stack backtrace:
[ 130.639062] CPU: 1 PID: 1025 Comm: gtp-tunnel Not tainted 5.2.0-rc6+ #50
[ 130.641318] Call Trace:
[ 130.641707] dump_stack+0x7c/0xbb
[ 130.642252] ___might_sleep+0x2c0/0x3b0
[ 130.642862] kmem_cache_alloc_trace+0x1cd/0x2b0
[ 130.643591] gtp_genl_new_pdp+0x6c5/0x1150 [gtp]
[ 130.644371] genl_family_rcv_msg+0x63a/0x1030
[ 130.645074] ? mutex_lock_io_nested+0x1090/0x1090
[ 130.645845] ? genl_unregister_family+0x630/0x630
[ 130.646592] ? debug_show_all_locks+0x2d0/0x2d0
[ 130.647293] ? check_flags.part.40+0x440/0x440
[ 130.648099] genl_rcv_msg+0xa3/0x130
[ ... ]

Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
Signed-off-by: Taehee Yoo
---
 drivers/net/gtp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index 92ef777a757f..52f35cbeb1dc 100644 --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c
@@ -959,7 +959,7 @@ static int ipv4_pdp_add(struct gtp_dev *gtp, struct sock *sk, } - pctx = kmalloc(sizeof(struct pdp_ctx), GFP_KERNEL); + pctx = kmalloc(sizeof(*pctx), GFP_ATOMIC); if (pctx == NULL) return -ENOMEM;
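Review bot: in ipv4_pdp_add(), the kmalloc() line changes two things at once: the flag becomes GFP_ATOMIC and sizeof(struct pdp_ctx) becomes sizeof(*pctx). The second is a style cleanup that the commit message does not mention; say so in the message or split it out. Since GFP_ATOMIC allocations fail more readily under memory pressure, also consider whether the context could be allocated before the caller enters rcu_read_lock(), so that GFP_KERNEL can stay.
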
From: Taehee Yoo
To: davem@davemloft.net, pablo@netfilter.org, laforge@gnumonks.org, osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH net 5/6] gtp: fix use-after-free in gtp_newlink()
Date: Wed, 3 Jul 2019 00:23:42 +0900
Message-Id: <20190702152342.23099-1-ap420073@gmail.com>

Current gtp_newlink() could be called after unregister_pernet_subsys(). gtp_newlink() uses gtp_net but it can be destroyed by unregister_pernet_subsys(). So unregister_pernet_subsys() should be called after rtnl_link_unregister().

Test commands:
#SHELL 1
while :
do
    for i in {1..5}
    do
        ./gtp-link add gtp$i &
    done
    killall gtp-link
done

#SHELL 2
while :
do
    modprobe -rv gtp
done

Splat looks like:
[ 753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126
[ 753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G W 5.2.0-rc6+ #50
[ 753.185801] Call Trace:
[ 753.186264] dump_stack+0x7c/0xbb
[ 753.186863] ? gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.187583] print_address_description+0xc7/0x240
[ 753.188382] ? gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.189097] ? gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.189846] __kasan_report+0x12a/0x16f
[ 753.190542] ? gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.191298] kasan_report+0xe/0x20
[ 753.191893] gtp_newlink+0x9b4/0xa5c [gtp]
[ 753.192580] ? __netlink_ns_capable+0xc3/0xf0
[ 753.193370] __rtnl_newlink+0xb9f/0x11b0
[ ... ]
[ 753.241201] Allocated by task 7186:
[ 753.241844] save_stack+0x19/0x80
[ 753.242399] __kasan_kmalloc.constprop.3+0xa0/0xd0
[ 753.243192] __kmalloc+0x13e/0x300
[ 753.243764] ops_init+0xd6/0x350
[ 753.244314] register_pernet_operations+0x249/0x6f0
[ ... ]
[ 753.251770] Freed by task 7178:
[ 753.252288] save_stack+0x19/0x80
[ 753.252833] __kasan_slab_free+0x111/0x150
[ 753.253962] kfree+0xc7/0x280
[ 753.254509] ops_free_list.part.11+0x1c4/0x2d0
[ 753.255241] unregister_pernet_operations+0x262/0x390
[ ... ]
[ 753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next.
[ 753.287241] ------------[ cut here ]------------
[ 753.287794] kernel BUG at lib/list_debug.c:25!
[ 753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G B W 5.2.0-rc6+ #50
[ 753.291036] RIP: 0010:__list_add_valid+0x74/0xd0
[ 753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b
[ 753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286
[ 753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000
[ 753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69
[ 753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21
[ 753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878
[ 753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458
[ 753.299564] FS: 00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000
[ 753.300533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0
[ 753.302183] Call Trace:
[ 753.302530] gtp_newlink+0x5f6/0xa5c [gtp]
[ 753.303037] ? __netlink_ns_capable+0xc3/0xf0
[ 753.303576] __rtnl_newlink+0xb9f/0x11b0
[ 753.304092] ? rtnl_link_unregister+0x230/0x230

Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
Signed-off-by: Taehee Yoo
---
 drivers/net/gtp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index 52f35cbeb1dc..b3ccac54e204 100644 --- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c 
@@ -1376,9 +1376,9 @@ late_initcall(gtp_init); static void __exit gtp_fini(void) { - unregister_pernet_subsys(>p_net_ops); genl_unregister_family(>p_genl_family); rtnl_link_unregister(>p_link_ops); + unregister_pernet_subsys(>p_net_ops); pr_info("GTP module unloaded\n"); }
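Review bot: in gtp_fini(), the fix depends entirely on call order, yet nothing in the function records that. Add a comment above the moved unregister_pernet_subsys() call stating that it must stay after rtnl_link_unregister() because gtp_newlink() uses gtp_net, so a later cleanup does not reorder the calls again.
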
From: Taehee Yoo
To: davem@davemloft.net, pablo@netfilter.org, laforge@gnumonks.org, osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH net 6/6] gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()
Date: Wed, 3 Jul 2019 00:24:04 +0900
Message-Id: <20190702152404.23210-1-ap420073@gmail.com>

If an invalid role is sent from user space, gtp_encap_enable() will fail. Then, it should call gtp_encap_disable_sock(), but the current code doesn't. This causes a memory leak.

Fixes: 91ed81f9abc7 ("gtp: support SGSN-side tunnels")
Signed-off-by: Taehee Yoo
---
 drivers/net/gtp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index b3ccac54e204..ecfe26215935 100644 --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c @@ -857,8 +857,13 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]) if (data[IFLA_GTP_ROLE]) { role = nla_get_u32(data[IFLA_GTP_ROLE]); - if (role > GTP_ROLE_SGSN) + if (role > GTP_ROLE_SGSN) { + if (sk0) + gtp_encap_disable_sock(sk0); + if (sk1u) + gtp_encap_disable_sock(sk1u); return -EINVAL; + } } gtp->sk0 = sk0;
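Review bot: in gtp_encap_enable(), the role check that fails with -EINVAL runs after sk0 and sk1u have already been set up, which is why this hunk has to undo them by hand. Validating data[IFLA_GTP_ROLE] at the top of the function, before any socket is touched, would remove the leak without a cleanup path. If the order has to stay, the "if (sk0)" and "if (sk1u)" guards can go, since gtp_encap_disable_sock() already returns early on a NULL sk (visible in the context of patch 2/6).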