• WANG Cong's avatar
    igmp: acquire pmc lock for ip_mc_clear_src() · c38b7d32
    WANG Cong authored
    Andrey reported a use-after-free in add_grec():
    
            for (psf = *psf_list; psf; psf = psf_next) {
    		...
                    psf_next = psf->sf_next;
    
    where the struct ip_sf_list's were already freed by:
    
     kfree+0xe8/0x2b0 mm/slub.c:3882
     ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078
     ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618
     ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609
     inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411
     sock_release+0x8d/0x1e0 net/socket.c:597
     sock_close+0x16/0x20 net/socket.c:1072
    
    This happens because we don't hold pmc->lock in ip_mc_clear_src()
    and a parallel mr_ifc_timer timer could jump in and access them.
    
    The RCU lock is there but it is merely for pmc itself, this
    spinlock could actually ensure we don't access them in parallel.
    
    Thanks to Eric and Long for discussion on this bug.
    Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
    Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    c38b7d32
igmp.c 72.4 KB