Revision 12d94a804946af291e24b80fc53ec86264765781 authored by Eric Dumazet on 15 August 2017, 11:09:51 UTC, committed by David S. Miller on 16 August 2017, 00:06:34 UTC
Based on a syzkaller report [1], I found that a per cpu allocation failure in snmp6_alloc_dev() would then lead to NULL dereference in ip6_route_dev_notify(). It seems this is a very old bug, thus no Fixes tag in this submission. Let's add in6_dev_put_clear() helper, as we will probably use it elsewhere (once available/present in net-next) [1] kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 17294 Comm: syz-executor6 Not tainted 4.13.0-rc2+ #10 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff88019f456680 task.stack: ffff8801c6e58000 RIP: 0010:__read_once_size include/linux/compiler.h:250 [inline] RIP: 0010:atomic_read arch/x86/include/asm/atomic.h:26 [inline] RIP: 0010:refcount_sub_and_test+0x7d/0x1b0 lib/refcount.c:178 RSP: 0018:ffff8801c6e5f1b0 EFLAGS: 00010202 RAX: 0000000000000037 RBX: dffffc0000000000 RCX: ffffc90005d25000 RDX: ffff8801c6e5f218 RSI: ffffffff82342bbf RDI: 0000000000000001 RBP: ffff8801c6e5f240 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff10038dcbe37 R13: 0000000000000006 R14: 0000000000000001 R15: 00000000000001b8 FS: 00007f21e0429700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001ddbc22000 CR3: 00000001d632b000 CR4: 00000000001426e0 DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600 Call Trace: refcount_dec_and_test+0x1a/0x20 lib/refcount.c:211 in6_dev_put include/net/addrconf.h:335 [inline] ip6_route_dev_notify+0x1c9/0x4a0 net/ipv6/route.c:3732 notifier_call_chain+0x136/0x2c0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 
call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1678 call_netdevice_notifiers net/core/dev.c:1694 [inline] rollback_registered_many+0x91c/0xe80 net/core/dev.c:7107 rollback_registered+0x1be/0x3c0 net/core/dev.c:7149 register_netdevice+0xbcd/0xee0 net/core/dev.c:7587 register_netdev+0x1a/0x30 net/core/dev.c:7669 loopback_net_init+0x76/0x160 drivers/net/loopback.c:214 ops_init+0x10a/0x570 net/core/net_namespace.c:118 setup_net+0x313/0x710 net/core/net_namespace.c:294 copy_net_ns+0x27c/0x580 net/core/net_namespace.c:418 create_new_namespaces+0x425/0x880 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:206 SYSC_unshare kernel/fork.c:2347 [inline] SyS_unshare+0x653/0xfa0 kernel/fork.c:2297 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x4512c9 RSP: 002b:00007f21e0428c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 0000000000718150 RCX: 00000000004512c9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000062020200 RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004b973d R13: 00000000ffffffff R14: 000000002001d000 R15: 00000000000002dd Code: 50 2b 34 82 c7 00 f1 f1 f1 f1 c7 40 04 04 f2 f2 f2 c7 40 08 f3 f3 f3 f3 e8 a1 43 39 ff 4c 89 f8 48 8b 95 70 ff ff ff 48 c1 e8 03 <0f> b6 0c 18 4c 89 f8 83 e0 07 83 c0 03 38 c8 7c 08 84 c9 0f 85 RIP: __read_once_size include/linux/compiler.h:250 [inline] RSP: ffff8801c6e5f1b0 RIP: atomic_read arch/x86/include/asm/atomic.h:26 [inline] RSP: ffff8801c6e5f1b0 RIP: refcount_sub_and_test+0x7d/0x1b0 lib/refcount.c:178 RSP: ffff8801c6e5f1b0 ---[ end trace e441d046c6410d31 ]--- Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 0a6f041
File | Mode | Size |
---|---|---|
Kconfig | -rw-r--r-- | 9.4 KB |
Makefile | -rw-r--r-- | 1.2 KB |
aes_ccm.c | -rw-r--r-- | 2.7 KB |
aes_ccm.h | -rw-r--r-- | 869 bytes |
aes_cmac.c | -rw-r--r-- | 1.7 KB |
aes_cmac.h | -rw-r--r-- | 738 bytes |
aes_gcm.c | -rw-r--r-- | 2.6 KB |
aes_gcm.h | -rw-r--r-- | 749 bytes |
aes_gmac.c | -rw-r--r-- | 2.0 KB |
aes_gmac.h | -rw-r--r-- | 680 bytes |
agg-rx.c | -rw-r--r-- | 14.7 KB |
agg-tx.c | -rw-r--r-- | 28.8 KB |
cfg.c | -rw-r--r-- | 99.1 KB |
chan.c | -rw-r--r-- | 44.8 KB |
debug.h | -rw-r--r-- | 4.9 KB |
debugfs.c | -rw-r--r-- | 10.7 KB |
debugfs.h | -rw-r--r-- | 401 bytes |
debugfs_key.c | -rw-r--r-- | 11.8 KB |
debugfs_key.h | -rw-r--r-- | 1.1 KB |
debugfs_netdev.c | -rw-r--r-- | 24.0 KB |
debugfs_netdev.h | -rw-r--r-- | 732 bytes |
debugfs_sta.c | -rw-r--r-- | 16.5 KB |
debugfs_sta.h | -rw-r--r-- | 427 bytes |
driver-ops.c | -rw-r--r-- | 7.4 KB |
driver-ops.h | -rw-r--r-- | 31.4 KB |
ethtool.c | -rw-r--r-- | 6.1 KB |
fils_aead.c | -rw-r--r-- | 8.4 KB |
fils_aead.h | -rw-r--r-- | 619 bytes |
ht.c | -rw-r--r-- | 16.1 KB |
ibss.c | -rw-r--r-- | 50.8 KB |
ieee80211_i.h | -rw-r--r-- | 68.1 KB |
iface.c | -rw-r--r-- | 52.5 KB |
key.c | -rw-r--r-- | 29.9 KB |
key.h | -rw-r--r-- | 4.6 KB |
led.c | -rw-r--r-- | 10.0 KB |
led.h | -rw-r--r-- | 2.6 KB |
main.c | -rw-r--r-- | 35.1 KB |
mesh.c | -rw-r--r-- | 40.7 KB |
mesh.h | -rw-r--r-- | 12.6 KB |
mesh_hwmp.c | -rw-r--r-- | 35.7 KB |
mesh_pathtbl.c | -rw-r--r-- | 22.7 KB |
mesh_plink.c | -rw-r--r-- | 31.2 KB |
mesh_ps.c | -rw-r--r-- | 16.3 KB |
mesh_sync.c | -rw-r--r-- | 6.5 KB |
michael.c | -rw-r--r-- | 2.2 KB |
michael.h | -rw-r--r-- | 602 bytes |
mlme.c | -rw-r--r-- | 146.1 KB |
ocb.c | -rw-r--r-- | 6.8 KB |
offchannel.c | -rw-r--r-- | 26.3 KB |
pm.c | -rw-r--r-- | 5.4 KB |
rate.c | -rw-r--r-- | 25.3 KB |
rate.h | -rw-r--r-- | 3.0 KB |
rc80211_minstrel.c | -rw-r--r-- | 20.9 KB |
rc80211_minstrel.h | -rw-r--r-- | 4.1 KB |
rc80211_minstrel_debugfs.c | -rw-r--r-- | 7.3 KB |
rc80211_minstrel_ht.c | -rw-r--r-- | 38.7 KB |
rc80211_minstrel_ht.h | -rw-r--r-- | 3.0 KB |
rc80211_minstrel_ht_debugfs.c | -rw-r--r-- | 8.9 KB |
rx.c | -rw-r--r-- | 120.8 KB |
scan.c | -rw-r--r-- | 33.9 KB |
spectmgmt.c | -rw-r--r-- | 7.5 KB |
sta_info.c | -rw-r--r-- | 61.7 KB |
sta_info.h | -rw-r--r-- | 26.1 KB |
status.c | -rw-r--r-- | 28.8 KB |
tdls.c | -rw-r--r-- | 54.8 KB |
tkip.c | -rw-r--r-- | 10.5 KB |
tkip.h | -rw-r--r-- | 853 bytes |
trace.c | -rw-r--r-- | 1.2 KB |
trace.h | -rw-r--r-- | 53.6 KB |
trace_msg.h | -rw-r--r-- | 1.2 KB |
tx.c | -rw-r--r-- | 124.0 KB |
util.c | -rw-r--r-- | 90.7 KB |
vht.c | -rw-r--r-- | 16.4 KB |
wep.c | -rw-r--r-- | 9.2 KB |
wep.h | -rw-r--r-- | 1.1 KB |
wme.c | -rw-r--r-- | 6.2 KB |
wme.h | -rw-r--r-- | 709 bytes |
wpa.c | -rw-r--r-- | 31.6 KB |
wpa.h | -rw-r--r-- | 1.7 KB |