linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-07 14:04:54 +02:00

History

Guillaume Nault 046ea8180e ppp: take reference on channels netns [ Upstream commit `1f461dcdd2` ] Let channels hold a reference on their network namespace. Some channel types, like ppp_async and ppp_synctty, can have their userspace controller running in a different namespace. Therefore they can't rely on them to preclude their netns from being removed from under them. ================================================================== BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at addr ffff880064e217e0 Read of size 8 by task syz-executor/11581 ============================================================================= BUG net_namespace (Not tainted): kasan: bad access detected ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906 [< none >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440 [< none >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469 [< inline >] slab_alloc_node kernel/mm/slub.c:2532 [< inline >] slab_alloc kernel/mm/slub.c:2574 [< none >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579 [< inline >] kmem_cache_zalloc kernel/include/linux/slab.h:597 [< inline >] net_alloc kernel/net/core/net_namespace.c:325 [< none >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360 [< none >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95 [< none >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150 [< none >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451 [< inline >] copy_process kernel/kernel/fork.c:1274 [< none >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723 [< inline >] SYSC_clone kernel/kernel/fork.c:1832 [< none >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826 [< none >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185 INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631 [< none >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650 [< inline >] slab_free kernel/mm/slub.c:2805 [< none >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814 [< inline >] net_free kernel/net/core/net_namespace.c:341 [< none >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348 [< none >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448 [< none >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036 [< none >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170 [< none >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303 [< none >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468 INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000 flags=0x5fffc0000004080 INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200 CPU: 1 PID: 11581 Comm: syz-executor Tainted: G B 4.4.0+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300 ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054 ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000 Call Trace: [< inline >] __dump_stack kernel/lib/dump_stack.c:15 [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50 [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654 [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661 [< inline >] print_address_description kernel/mm/kasan/report.c:138 [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236 [< inline >] kasan_report kernel/mm/kasan/report.c:259 [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280 [< inline >] ? ppp_pernet kernel/include/linux/compiler.h:218 [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392 [< inline >] ppp_pernet kernel/include/linux/compiler.h:218 [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392 [< inline >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293 [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392 [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241 [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000 [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478 [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744 [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772 [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901 [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688 [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208 [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244 [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115 [< inline >] exit_task_work kernel/include/linux/task_work.h:21 [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750 [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123 [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357 [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550 [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145 [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880 [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307 [< inline >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113 [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158 [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712 [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655 [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165 [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692 [< inline >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099 [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678 [< inline >] ? context_switch kernel/kernel/sched/core.c:2807 [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283 [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247 [< inline >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282 [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344 [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281 Memory state around the buggy address: ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Fixes: `273ec51dd7` ("net: ppp_generic - introduce net-namespace functionality v2") Reported-by: Baozeng Ding <sploving1@gmail.com> Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2016-04-20 15:42:05 +09:00
..
accessibility
acpi	ACPI / PM: Runtime resume devices when waking from hibernate	2016-04-12 09:09:03 -07:00
amba
android	drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE	2016-03-03 15:07:10 -08:00
ata	pata-rb532-cf: get rid of the irq_to_gpio() call	2016-03-09 15:34:53 -08:00
atm
auxdisplay
base	base/platform: Fix platform drivers with no probe callback	2016-02-17 12:30:55 -08:00
bcma
block	brd: Fix discard request processing	2016-04-12 09:08:53 -07:00
bluetooth	Bluetooth: Add new AR3012 ID 0489:e095	2016-04-12 09:08:54 -07:00
bus	bus: sunxi-rsb: Fix peripheral IC mapping runtime address	2015-12-22 11:42:30 -08:00
cdrom
char	tpm: fix the cleanup of struct tpm_chip	2016-04-12 09:08:47 -07:00
clk	clk: bcm2835: Fix setting of PLL divider clock rates	2016-04-12 09:09:02 -07:00
clocksource	clockevents/tcb_clksrc: Prevent disabling an already disabled clock	2016-03-03 15:07:15 -08:00
connector	connector: bump skb->users before callback invocation	2016-01-04 21:46:45 -05:00
cpufreq	cpufreq: Fix NULL reference crash while accessing policy->governor_data	2016-03-03 15:07:25 -08:00
cpuidle
crypto	crypto: marvell/cesa - forward devm_ioremap_resource() error code	2016-04-12 09:08:46 -07:00
dca
devfreq
dio
dma	dmaengine: at_xdmac: fix residue computation	2016-03-16 08:42:58 -07:00
dma-buf
edac	EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()	2016-04-12 09:08:36 -07:00
eisa
extcon
firewire
firmware	efi: Add pstore variables to the deletion whitelist	2016-03-03 15:07:09 -08:00
fmc
fpga	fpga manager: Fix firmware resource leak on error	2015-11-24 15:25:46 -08:00
gpio	gpio: revert get() to non-errorprogating behaviour	2015-12-17 15:48:29 +01:00
gpu	drm/amdgpu/gmc: use proper register for vram type on Fiji	2016-04-20 15:41:56 +09:00
hid	HID: fix hid_ignore_special_drivers module parameter	2016-04-12 09:08:48 -07:00
hsi
hv	Drivers: hv: vmbus: Fix a Host signaling bug	2016-03-03 15:07:16 -08:00
hwmon	hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated	2016-04-20 15:41:52 +09:00
hwspinlock	drivers/hwspinlock: fix race between radix tree insertion and lookup	2016-02-25 12:01:23 -08:00
hwtracing	coresight: checking for NULL string in coresight_name_match()	2016-03-03 15:07:14 -08:00
i2c	i2c: brcmstb: allocate correct amount of memory for regmap	2016-03-09 15:34:56 -08:00
ide
idle	intel_idle: prevent SKL-H boot failure when C8+C9+C10 enabled	2016-04-12 09:09:05 -07:00
iio	iio: inkern: fix a NULL dereference on error	2016-02-25 12:01:17 -08:00
infiniband	iser-target: Rework connection termination	2016-04-12 09:09:03 -07:00
input	Input: ati_remote2 - fix crashes on detecting device with invalid descriptor	2016-04-12 09:09:04 -07:00
iommu	iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path	2016-03-09 15:34:51 -08:00
ipack
irqchip	irqchip/gic-v3-its: Fix double ICC_EOIR write for LPI in EOImode==1	2016-03-03 15:07:14 -08:00
isdn	ser_gigaset: remove unnecessary kfree() calls from release method	2015-12-15 13:24:21 -05:00
leds
lguest
lightnvm	lightnvm: wrong offset in bad blk lun calculation	2015-12-29 08:28:32 -07:00
macintosh
mailbox
mcb
md	md: multipath: don't hardcopy bio in .make_request path	2016-04-12 09:08:57 -07:00
media	media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32	2016-04-12 09:08:50 -07:00
memory	fsl-ifc: add missing include on ARM64	2015-12-16 00:16:58 +01:00
memstick
message
mfd
misc	mei: bus: check if the device is enabled before data transfer	2016-04-12 09:08:46 -07:00
mmc	mmc: sdhci: Fix override of timeout clk wrt max_busy_timeout	2016-04-12 09:09:02 -07:00
mtd	mtd: onenand: fix deadlock in onenand_block_markbad	2016-04-12 09:09:05 -07:00
net	ppp: take reference on channels netns	2016-04-20 15:42:05 +09:00
nfc
ntb
nubus
nvdimm	libnvdimm, pfn: fix uuid validation	2016-04-20 15:41:54 +09:00
nvme	NVMe: IO ending fixes on surprise removal	2015-12-22 10:12:04 -07:00
nvmem
of	of: alloc anywhere from memblock if range not specified	2016-04-12 09:08:55 -07:00
oprofile
parisc	parisc iommu: fix panic due to trying to allocate too large region	2015-12-12 16:07:25 +01:00
parport
pci	PCI: Disable IO/MEM decoding for devices with non-compliant BARs	2016-04-12 09:08:37 -07:00
pcmcia
perf
phy	phy: core: fix wrong err handle for phy_power_on	2016-03-03 15:07:28 -08:00
pinctrl	pinctrl-bcm2835: Fix cut-and-paste error in "pull" parsing	2016-04-12 09:08:37 -07:00
platform	ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list	2016-04-12 09:09:01 -07:00
pnp
power
powercap	powercap / RAPL: fix BIOS lock check	2015-12-12 02:31:11 +01:00
pps
ps3
ptp
pwm
rapidio
ras
regulator	regulator: core: Fix nested locking of supplies	2016-04-12 09:08:31 -07:00
remoteproc	remoteproc: fix memory leak of remoteproc ida cache layers	2015-11-26 17:44:28 +02:00
reset
rpmsg
rtc	rtc: da9063: fix access ordering error during RTC interrupt at system power on	2015-12-20 13:39:29 +01:00
s390	s390/dasd: fix diag 0x250 inline assembly	2016-03-16 08:42:58 -07:00
sbus
scsi	scsi_common: do not clobber fixed sense information	2016-04-12 09:09:05 -07:00
sfi
sh	drivers: sh: Restore legacy clock domain on SuperH platforms	2016-03-09 15:34:49 -08:00
sn
soc	Few Keystone fixes for 4.4-rcx	2015-11-25 23:48:12 +01:00
spi	spi: atmel: fix gpio chip-select in case of non-DT platform	2016-03-03 15:07:27 -08:00
spmi
ssb
staging	staging: comedi: ni_mio_common: fix the ni_write[blw]() functions	2016-04-12 09:08:49 -07:00
target	target: Fix target_release_cmd_kref shutdown comp leak	2016-04-12 09:09:02 -07:00
tc
thermal	Thermal: Ignore invalid trip points	2016-04-12 09:08:35 -07:00
thunderbolt
tty	8250: use callbacks to access UART_DLL/UART_DLM	2016-04-12 09:08:49 -07:00
uio
usb	USB: option: add "D-Link DWM-221 B1" device id	2016-04-12 09:08:42 -07:00
uwb
vfio	vfio: fix ioctl error handling	2016-03-09 15:34:50 -08:00
vhost	vhost: replace % with & on data path	2015-12-07 17:28:10 +02:00
video	fbcon: set a default value to blink interval	2016-03-09 15:34:50 -08:00
virt
virtio	virtio_pci: fix use after free on release	2016-03-03 15:07:18 -08:00
vlynq
vme
w1
watchdog	watchdog: rc32434_wdt: fix ioctl error handling	2016-04-12 09:08:54 -07:00
xen	xen/events: Mask a moving irq	2016-04-20 15:41:56 +09:00
zorro
Kconfig
Makefile