linux/net/ipv6
Eric Dumazet 6c0afef5fb ipv6/flowlabel: wait rcu grace period before put_pid()
syzbot was able to catch a use-after-free read in pid_nr_ns() [1]

ip6fl_seq_show() seems to use RCU protection, dereferencing fl->owner.pid
but fl_free() releases fl->owner.pid before rcu grace period is started.

[1]

BUG: KASAN: use-after-free in pid_nr_ns+0x128/0x140 kernel/pid.c:407
Read of size 4 at addr ffff888094012a04 by task syz-executor.0/18087

CPU: 0 PID: 18087 Comm: syz-executor.0 Not tainted 5.1.0-rc6+ #89
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 pid_nr_ns+0x128/0x140 kernel/pid.c:407
 ip6fl_seq_show+0x2f8/0x4f0 net/ipv6/ip6_flowlabel.c:794
 seq_read+0xad3/0x1130 fs/seq_file.c:268
 proc_reg_read+0x1fe/0x2c0 fs/proc/inode.c:227
 do_loop_readv_writev fs/read_write.c:701 [inline]
 do_loop_readv_writev fs/read_write.c:688 [inline]
 do_iter_read+0x4a9/0x660 fs/read_write.c:922
 vfs_readv+0xf0/0x160 fs/read_write.c:984
 kernel_readv fs/splice.c:358 [inline]
 default_file_splice_read+0x475/0x890 fs/splice.c:413
 do_splice_to+0x12a/0x190 fs/splice.c:876
 splice_direct_to_actor+0x2d2/0x970 fs/splice.c:953
 do_splice_direct+0x1da/0x2a0 fs/splice.c:1062
 do_sendfile+0x597/0xd00 fs/read_write.c:1443
 __do_sys_sendfile64 fs/read_write.c:1498 [inline]
 __se_sys_sendfile64 fs/read_write.c:1490 [inline]
 __x64_sys_sendfile64+0x15a/0x220 fs/read_write.c:1490
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458da9
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f300d24bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458da9
RDX: 00000000200000c0 RSI: 0000000000000008 RDI: 0000000000000007
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000005a R11: 0000000000000246 R12: 00007f300d24c6d4
R13: 00000000004c5fa3 R14: 00000000004da748 R15: 00000000ffffffff

Allocated by task 17543:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc mm/kasan/common.c:497 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc mm/slab.c:3393 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3555
 alloc_pid+0x55/0x8f0 kernel/pid.c:168
 copy_process.part.0+0x3b08/0x7980 kernel/fork.c:1932
 copy_process kernel/fork.c:1709 [inline]
 _do_fork+0x257/0xfd0 kernel/fork.c:2226
 __do_sys_clone kernel/fork.c:2333 [inline]
 __se_sys_clone kernel/fork.c:2327 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7789:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
 __cache_free mm/slab.c:3499 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3765
 put_pid.part.0+0x111/0x150 kernel/pid.c:111
 put_pid+0x20/0x30 kernel/pid.c:105
 fl_free+0xbe/0xe0 net/ipv6/ip6_flowlabel.c:102
 ip6_fl_gc+0x295/0x3e0 net/ipv6/ip6_flowlabel.c:152
 call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
 expire_timers kernel/time/timer.c:1362 [inline]
 __run_timers kernel/time/timer.c:1681 [inline]
 __run_timers kernel/time/timer.c:1649 [inline]
 run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
 __do_softirq+0x266/0x95a kernel/softirq.c:293

The buggy address belongs to the object at ffff888094012a00
 which belongs to the cache pid_2 of size 88
The buggy address is located 4 bytes inside of
 88-byte region [ffff888094012a00, ffff888094012a58)
The buggy address belongs to the page:
page:ffffea0002500480 count:1 mapcount:0 mapping:ffff88809a483080 index:0xffff888094012980
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00018a3508 ffffea0002524a88 ffff88809a483080
raw: ffff888094012980 ffff888094012000 000000010000001b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888094012900: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff888094012980: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
>ffff888094012a00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
                   ^
 ffff888094012a80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff888094012b00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc

Fixes: 4f82f45730 ("net ip6 flowlabel: Make owner a union of struct pid * and kuid_t")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-29 23:30:13 -04:00
..
ila ila: Fix rhashtable walker list corruption 2019-03-27 22:46:16 -07:00
netfilter netfilter: ip6t_srh: fix NULL pointer dereferences 2019-03-18 16:22:48 +01:00
addrconf_core.c ipv6_stub: add ipv6_route_input stub/proxy. 2019-02-13 18:27:55 -08:00
addrconf.c net: ignore sysctl_devconf_inherit_init_net without SYSCTL 2019-03-04 13:14:34 -08:00
addrlabel.c net: ipv6: addrlabel: fix spelling mistake "requewst" -> "request" 2019-04-18 10:44:17 -07:00
af_inet6.c ipv6_stub: add ipv6_route_input stub/proxy. 2019-02-13 18:27:55 -08:00
ah6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
anycast.c net/ipv6: compute anycast address hash only if dev is null 2018-11-08 17:04:43 -08:00
calipso.c ipv6: make ipv6_renew_options() interrupt/kernel safe 2018-07-05 20:15:26 +09:00
datagram.c ipv6: fix kernel-infoleak in ipv6_local_error() 2019-01-10 09:36:41 -05:00
esp6_offload.c net: use skb_sec_path helper in more places 2018-12-19 11:21:37 -08:00
esp6.c esp: Skip TX bytes accounting when sending from a request socket 2019-01-28 11:20:58 +01:00
exthdrs_core.c net: ipv6: Fix typo in ipv6_find_hdr() documentation 2018-05-07 23:50:27 -04:00
exthdrs_offload.c
exthdrs.c ipv6: make ipv6_renew_options() interrupt/kernel safe 2018-07-05 20:15:26 +09:00
fib6_notifier.c
fib6_rules.c net/ipv6: Add fib6_lookup 2018-05-11 00:10:56 +02:00
fou6.c fou, fou6: avoid uninit-value in gue_err() and gue6_err() 2019-03-08 15:19:53 -08:00
icmp.c ipv6: icmp: use percpu allocation 2019-02-24 21:57:26 -08:00
inet6_connection_sock.c
inet6_hashtables.c net: tcp6: prefer listeners bound to an address 2018-12-14 15:55:20 -08:00
ip6_checksum.c net: udp: fix handling of CHECKSUM_COMPLETE packets 2018-10-24 14:18:16 -07:00
ip6_fib.c ipv6: Fix dump of specific table with strict checking 2019-01-02 20:15:43 -08:00
ip6_flowlabel.c ipv6/flowlabel: wait rcu grace period before put_pid() 2019-04-29 23:30:13 -04:00
ip6_gre.c net: ip6_gre: fix possible use-after-free in ip6erspan_rcv 2019-04-08 16:16:47 -07:00
ip6_icmp.c
ip6_input.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-09 21:43:31 -08:00
ip6_offload.c gso: validate gso_type on ipip style tunnels 2019-02-20 11:24:27 -08:00
ip6_offload.h
ip6_output.c ipv6: Fix dangling pointer when ipv6 fragment 2019-04-03 21:42:20 -07:00
ip6_tunnel.c ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type 2019-04-02 13:19:34 -07:00
ip6_udp_tunnel.c net/ipv6/udp_tunnel: prefer SO_BINDTOIFINDEX over SO_BINDTODEVICE 2019-01-17 14:55:52 -08:00
ip6_vti.c ip: validate header length on virtual device xmit 2019-01-01 12:05:02 -08:00
ip6mr.c ip6mr: Do not call __IP6_INC_STATS() from preemptible context 2019-03-04 10:55:48 -08:00
ipcomp6.c
ipv6_sockglue.c net: ipv6: add socket option IPV6_ROUTER_ALERT_ISOLATE 2019-03-03 21:05:10 -08:00
Kconfig net: remove blank lines at end of file 2018-07-24 14:10:43 -07:00
Makefile
mcast_snoop.c net: remove unneeded switch fall-through 2019-02-21 13:48:00 -08:00
mcast.c bridge: join all-snoopers multicast address 2019-01-22 17:18:08 -08:00
mip6.c
ndisc.c ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called 2018-10-26 15:58:06 -07:00
netfilter.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2019-02-18 11:38:30 -08:00
output_core.c net: accept UFO datagrams from tuntap and packet 2017-11-24 01:37:35 +09:00
ping.c ipv6: fold sockcm_cookie into ipcm6_cookie 2018-07-07 10:58:49 +09:00
proc.c proc: introduce proc_create_net_single 2018-05-16 07:24:30 +02:00
protocol.c
raw.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-20 11:53:36 -08:00
reassembly.c net: remove unused struct inet_frag_queue.fragments field 2019-02-26 08:27:05 -08:00
route.c vrf: Use orig netdev to count Ip6InNoRoutes and a fresh route lookup when sending dest unreach 2019-04-29 23:28:52 -04:00
seg6_hmac.c Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net 2018-07-03 10:29:26 +09:00
seg6_iptunnel.c ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation 2019-01-30 14:06:12 -08:00
seg6_local.c bpf: add End.DT6 action to bpf_lwt_seg6_action helper 2018-07-31 09:22:48 +02:00
seg6.c ipv6: propagate genlmsg_reply return code 2019-02-12 12:36:02 -05:00
sit.c ipv6: sit: reset ip header pointer in ipip6_rcv 2019-04-04 18:34:23 -07:00
syncookies.c net/ipv4: disable SMC TCP option with SYN Cookies 2018-03-25 20:53:54 -04:00
sysctl_net_ipv6.c ipv6: sr: Compute flowlabel for outer IPv6 header of seg6 encap mode 2018-04-25 13:02:15 -04:00
tcp_ipv6.c tcp: do not use ipv6 header for ipv4 flow 2019-03-19 14:00:27 -07:00
tcpv6_offload.c net: use indirect call wrappers at GRO transport layer 2018-12-15 13:23:02 -08:00
tunnel6.c net: Convert protocol error handlers from void to int 2018-11-08 17:13:08 -08:00
udp_impl.h udp6: add missing rehash callback to udplite 2019-01-17 15:01:08 -08:00
udp_offload.c net: use indirect call wrappers at GRO transport layer 2018-12-15 13:23:02 -08:00
udp.c udpv6: Check address length before reading address family 2019-04-12 10:25:03 -07:00
udplite.c udp6: add missing rehash callback to udplite 2019-01-17 15:01:08 -08:00
xfrm6_input.c net: use skb_sec_path helper in more places 2018-12-19 11:21:37 -08:00
xfrm6_mode_beet.c
xfrm6_mode_ro.c ipv6: xfrm: use 64-bit timestamps 2018-07-11 15:26:35 +02:00
xfrm6_mode_transport.c xfrm: reset transport header back to network header after all input transforms ahave been applied 2018-09-04 10:26:30 +02:00
xfrm6_mode_tunnel.c xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto 2018-03-07 10:54:29 +01:00
xfrm6_output.c xfrm6: call kfree_skb when skb is toobig 2018-09-03 07:37:57 +02:00
xfrm6_policy.c xfrm6: remove BUG_ON from xfrm6_dst_ifdown 2018-11-22 07:55:48 +01:00
xfrm6_protocol.c net: Convert protocol error handlers from void to int 2018-11-08 17:13:08 -08:00
xfrm6_state.c xfrm: remove VLA usage in __xfrm6_sort() 2018-04-26 07:51:48 +02:00
xfrm6_tunnel.c xfrm: destroy xfrm_state synchronously on net exit path 2019-02-05 06:29:20 +01:00