1. 29 Jan, 2020 12 commits
    • Jouni Hogander's avatar
      net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject · 60e71546
      Jouni Hogander authored
      commit b8eb7183 upstream.
      
      kobject_init_and_add takes reference even when it fails. This has
      to be given up by the caller in error handling. Otherwise memory
      allocated by kobject_init_and_add is never freed. Originally found
      by Syzkaller:
      
      BUG: memory leak
      unreferenced object 0xffff8880679f8b08 (size 8):
        comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
        hex dump (first 8 bytes):
          72 78 2d 30 00 36 20 d4                          rx-0.6 .
        backtrace:
          [<000000008c93818e>] __kmalloc_track_caller+0x16e/0x290
          [<000000001f2e4e49>] kvasprintf+0xb1/0x140
          [<000000007f313394>] kvasprintf_const+0x56/0x160
          [<00000000aeca11c8>] kobject_set_name_vargs+0x5b/0x140
          [<0000000073a0367c>] kobject_init_and_add+0xd8/0x170
          [<0000000088838e4b>] net_rx_queue_update_kobjects+0x152/0x560
          [<000000006be5f104>] netdev_register_kobject+0x210/0x380
          [<00000000e31dab9d>] register_netdevice+0xa1b/0xf00
          [<00000000f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
          [<000000004c50599f>] tun_chr_ioctl+0x2f/0x40
          [<00000000bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
          [<00000000d4c59e8f>] ksys_ioctl+0x99/0xb0
          [<00000000946aea81>] __x64_sys_ioctl+0x78/0xb0
          [<0000000038d946e5>] do_syscall_64+0x16f/0x580
          [<00000000e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
          [<00000000285b3d1a>] 0xffffffffffffffff
      
      Cc: David Miller <davem@davemloft.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: default avatarJouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      60e71546
    • Cong Wang's avatar
      net_sched: fix datalen for ematch · 66ac8ee9
      Cong Wang authored
      [ Upstream commit 61678d28 ]
      
      syzbot reported an out-of-bound access in em_nbyte. As initially
      analyzed by Eric, this is because em_nbyte sets its own em->datalen
      in em_nbyte_change() other than the one specified by user, but this
      value gets overwritten later by its caller tcf_em_validate().
      We should leave em->datalen untouched to respect their choices.
      
      I audit all the in-tree ematch users, all of those implement
      ->change() set em->datalen, so we can just avoid setting it twice
      in this case.
      
      Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
      Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66ac8ee9
    • Eric Dumazet's avatar
      net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() · be1a2be7
      Eric Dumazet authored
      [ Upstream commit d836f5c6 ]
      
      rtnl_create_link() needs to apply dev->min_mtu and dev->max_mtu
      checks that we apply in do_setlink()
      
      Otherwise malicious users can crash the kernel, for example after
      an integer overflow :
      
      BUG: KASAN: use-after-free in memset include/linux/string.h:365 [inline]
      BUG: KASAN: use-after-free in __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
      Write of size 32 at addr ffff88819f20b9c0 by task swapper/0/0
      
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       check_memory_region_inline mm/kasan/generic.c:185 [inline]
       check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
       memset+0x24/0x40 mm/kasan/common.c:108
       memset include/linux/string.h:365 [inline]
       __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
       alloc_skb include/linux/skbuff.h:1049 [inline]
       alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5664
       sock_alloc_send_pskb+0x7ad/0x920 net/core/sock.c:2242
       sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2259
       mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1609
       add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1713
       add_grec+0x7db/0x10b0 net/ipv6/mcast.c:1844
       mld_send_cr net/ipv6/mcast.c:1970 [inline]
       mld_ifc_timer_expire+0x3d3/0x950 net/ipv6/mcast.c:2477
       call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
       expire_timers kernel/time/timer.c:1449 [inline]
       __run_timers kernel/time/timer.c:1773 [inline]
       __run_timers kernel/time/timer.c:1740 [inline]
       run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       invoke_softirq kernel/softirq.c:373 [inline]
       irq_exit+0x19b/0x1e0 kernel/softirq.c:413
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
       </IRQ>
      RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
      Code: 98 6b ea f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 44 1c 60 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 34 1c 60 00 fb f4 <c3> cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 4e 5d 9a f9 e8 79
      RSP: 0018:ffffffff89807ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
      RAX: 1ffffffff13266ae RBX: ffffffff8987a1c0 RCX: 0000000000000000
      RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8987aa54
      RBP: ffffffff89807d18 R08: ffffffff8987a1c0 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
      R13: ffffffff8a799980 R14: 0000000000000000 R15: 0000000000000000
       arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
       default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
       cpuidle_idle_call kernel/sched/idle.c:154 [inline]
       do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
       cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
       rest_init+0x23b/0x371 init/main.c:451
       arch_call_rest_init+0xe/0x1b
       start_kernel+0x904/0x943 init/main.c:784
       x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
       x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
      
      The buggy address belongs to the page:
      page:ffffea00067c82c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
      raw: 057ffe0000000000 ffffea00067c82c8 ffffea00067c82c8 0000000000000000
      raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88819f20b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88819f20b900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff88819f20b980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
       ffff88819f20ba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88819f20ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      
      Fixes: 61e84623 ("net: centralize net_device min/max MTU checking")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be1a2be7
    • William Dauchy's avatar
      net, ip_tunnel: fix namespaces move · 1d3b53f7
      William Dauchy authored
      [ Upstream commit d0f41851 ]
      
      in the same manner as commit 690afc16 ("net: ip6_gre: fix moving
      ip6gre between namespaces"), fix namespace moving as it was broken since
      commit 2e15ea39 ("ip_gre: Add support to collect tunnel metadata.").
      Indeed, the ip6_gre commit removed the local flag for collect_md
      condition, so there is no reason to keep it for ip_gre/ip_tunnel.
      
      this patch will fix both ip_tunnel and ip_gre modules.
      
      Fixes: 2e15ea39 ("ip_gre: Add support to collect tunnel metadata.")
      Signed-off-by: default avatarWilliam Dauchy <w.dauchy@criteo.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d3b53f7
    • William Dauchy's avatar
      net, ip6_tunnel: fix namespaces move · fddb6ea5
      William Dauchy authored
      [ Upstream commit 5311a69a ]
      
      in the same manner as commit d0f41851 ("net, ip_tunnel: fix
      namespaces move"), fix namespace moving as it was broken since commit
      8d79266b ("ip6_tunnel: add collect_md mode to IPv6 tunnel"), but for
      ipv6 this time; there is no reason to keep it for ip6_tunnel.
      
      Fixes: 8d79266b ("ip6_tunnel: add collect_md mode to IPv6 tunnel")
      Signed-off-by: default avatarWilliam Dauchy <w.dauchy@criteo.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fddb6ea5
    • Niko Kortstrom's avatar
      net: ip6_gre: fix moving ip6gre between namespaces · d0201d24
      Niko Kortstrom authored
      [ Upstream commit 690afc16 ]
      
      Support for moving IPv4 GRE tunnels between namespaces was added in
      commit b57708ad ("gre: add x-netns support"). The respective change
      for IPv6 tunnels, commit 22f08069 ("ip6gre: add x-netns support")
      did not drop NETIF_F_NETNS_LOCAL flag so moving them from one netns to
      another is still denied in IPv6 case. Drop NETIF_F_NETNS_LOCAL flag from
      ip6gre tunnels to allow moving ip6gre tunnel endpoints between network
      namespaces.
      Signed-off-by: default avatarNiko Kortstrom <niko.kortstrom@nokia.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarWilliam Tu <u9012063@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d0201d24
    • Michael Ellerman's avatar
      net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM · 404d333f
      Michael Ellerman authored
      [ Upstream commit 3546d8f1 =
      
      The cxgb3 driver for "Chelsio T3-based gigabit and 10Gb Ethernet
      adapters" implements a custom ioctl as SIOCCHIOCTL/SIOCDEVPRIVATE in
      cxgb_extension_ioctl().
      
      One of the subcommands of the ioctl is CHELSIO_GET_MEM, which appears
      to read memory directly out of the adapter and return it to userspace.
      It's not entirely clear what the contents of the adapter memory
      contains, but the assumption is that it shouldn't be accessible to all
      users.
      
      So add a CAP_NET_ADMIN check to the CHELSIO_GET_MEM case. Put it after
      the is_offload() check, which matches two of the other subcommands in
      the same function which also check for is_offload() and CAP_NET_ADMIN.
      
      Found by Ilja by code inspection, not tested as I don't have the
      required hardware.
      Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      404d333f
    • Florian Fainelli's avatar
      net: bcmgenet: Use netif_tx_napi_add() for TX NAPI · 0705c8d7
      Florian Fainelli authored
      [ Upstream commit 148965df ]
      
      Before commit 7587935c ("net: bcmgenet: move NAPI initialization to
      ring initialization") moved the code, this used to be
      netif_tx_napi_add(), but we lost that small semantic change in the
      process, restore that.
      
      Fixes: 7587935c ("net: bcmgenet: move NAPI initialization to ring initialization")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: default avatarDoug Berger <opendmb@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0705c8d7
    • Yuki Taguchi's avatar
      ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions · d3c0a8be
      Yuki Taguchi authored
      [ Upstream commit 62ebaeae ]
      
      After LRO/GRO is applied, SRv6 encapsulated packets have
      SKB_GSO_IPXIP6 feature flag, and this flag must be removed right after
      decapulation procedure.
      
      Currently, SKB_GSO_IPXIP6 flag is not removed on End.D* actions, which
      creates inconsistent packet state, that is, a normal TCP/IP packets
      have the SKB_GSO_IPXIP6 flag. This behavior can cause unexpected
      fallback to GSO on routing to netdevices that do not support
      SKB_GSO_IPXIP6. For example, on inter-VRF forwarding, decapsulated
      packets separated into small packets by GSO because VRF devices do not
      support TSO for packets with SKB_GSO_IPXIP6 flag, and this degrades
      forwarding performance.
      
      This patch removes encapsulation related GSO flags from the skb right
      after the End.D* action is applied.
      
      Fixes: d7a669dd ("ipv6: sr: add helper functions for seg6local")
      Signed-off-by: default avatarYuki Taguchi <tagyounit@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d3c0a8be
    • Eric Dumazet's avatar
      gtp: make sure only SOCK_DGRAM UDP sockets are accepted · d3b5ecce
      Eric Dumazet authored
      [ Upstream commit 940ba149 ]
      
      A malicious user could use RAW sockets and fool
      GTP using them as standard SOCK_DGRAM UDP sockets.
      
      BUG: KMSAN: uninit-value in udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline]
      BUG: KMSAN: uninit-value in setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85
      CPU: 0 PID: 11262 Comm: syz-executor613 Not tainted 5.5.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline]
       setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85
       gtp_encap_enable_socket+0x37f/0x5a0 drivers/net/gtp.c:827
       gtp_encap_enable drivers/net/gtp.c:844 [inline]
       gtp_newlink+0xfb/0x1e50 drivers/net/gtp.c:666
       __rtnl_newlink net/core/rtnetlink.c:3305 [inline]
       rtnl_newlink+0x2973/0x3920 net/core/rtnetlink.c:3363
       rtnetlink_rcv_msg+0x1153/0x1570 net/core/rtnetlink.c:5424
       netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x441359
      Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fff1cd0ac28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441359
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
      R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020d0
      R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
       kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:307 [inline]
       kmsan_alloc_page+0x12a/0x310 mm/kmsan/kmsan_shadow.c:336
       __alloc_pages_nodemask+0x57f2/0x5f60 mm/page_alloc.c:4800
       alloc_pages_current+0x67d/0x990 mm/mempolicy.c:2207
       alloc_pages include/linux/gfp.h:534 [inline]
       alloc_slab_page+0x111/0x12f0 mm/slub.c:1511
       allocate_slab mm/slub.c:1656 [inline]
       new_slab+0x2bc/0x1130 mm/slub.c:1722
       new_slab_objects mm/slub.c:2473 [inline]
       ___slab_alloc+0x1533/0x1f30 mm/slub.c:2624
       __slab_alloc mm/slub.c:2664 [inline]
       slab_alloc_node mm/slub.c:2738 [inline]
       slab_alloc mm/slub.c:2783 [inline]
       kmem_cache_alloc+0xb23/0xd70 mm/slub.c:2788
       sk_prot_alloc+0xf2/0x620 net/core/sock.c:1597
       sk_alloc+0xf0/0xbe0 net/core/sock.c:1657
       inet_create+0x7c7/0x1370 net/ipv4/af_inet.c:321
       __sock_create+0x8eb/0xf00 net/socket.c:1420
       sock_create net/socket.c:1471 [inline]
       __sys_socket+0x1a1/0x600 net/socket.c:1513
       __do_sys_socket net/socket.c:1522 [inline]
       __se_sys_socket+0x8d/0xb0 net/socket.c:1520
       __x64_sys_socket+0x4a/0x70 net/socket.c:1520
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Pablo Neira <pablo@netfilter.org>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d3b5ecce
    • Wenwen Wang's avatar
      firestream: fix memory leaks · 8e360d7c
      Wenwen Wang authored
      [ Upstream commit fa865ba1 ]
      
      In fs_open(), 'vcc' is allocated through kmalloc() and assigned to
      'atm_vcc->dev_data.' In the following execution, if an error occurs, e.g.,
      there is no more free channel, an error code EBUSY or ENOMEM will be
      returned. However, 'vcc' is not deallocated, leading to memory leaks. Note
      that, in normal cases where fs_open() returns 0, 'vcc' will be deallocated
      in fs_close(). But, if fs_open() fails, there is no guarantee that
      fs_close() will be invoked.
      
      To fix this issue, deallocate 'vcc' before the error code is returned.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e360d7c
    • Richard Palethorpe's avatar
      can, slip: Protect tty->disc_data in write_wakeup and close with RCU · bd144845
      Richard Palethorpe authored
      [ Upstream commit 0ace17d5 ]
      
      write_wakeup can happen in parallel with close/hangup where tty->disc_data
      is set to NULL and the netdevice is freed thus also freeing
      disc_data. write_wakeup accesses disc_data so we must prevent close from
      freeing the netdev while write_wakeup has a non-NULL view of
      tty->disc_data.
      
      We also need to make sure that accesses to disc_data are atomic. Which can
      all be done with RCU.
      
      This problem was found by Syzkaller on SLCAN, but the same issue is
      reproducible with the SLIP line discipline using an LTP test based on the
      Syzkaller reproducer.
      
      A fix which didn't use RCU was posted by Hillf Danton.
      
      Fixes: 661f7fda ("slip: Fix deadlock in write_wakeup")
      Fixes: a8e83b17 ("slcan: Port write_wakeup deadlock fix from slip")
      Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
      Signed-off-by: default avatarRichard Palethorpe <rpalethorpe@suse.com>
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Cc: Marc Kleine-Budde <mkl@pengutronix.de>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Tyler Hall <tylerwhall@gmail.com>
      Cc: linux-can@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: syzkaller@googlegroups.com
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bd144845
  2. 27 Jan, 2020 28 commits