From patchwork Tue Jul 25 20:07:09 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 108683
Delivered-To: patch@linaro.org
Received: by 10.182.45.195 with SMTP id p3csp14054obm;
 Tue, 25 Jul 2017 13:07:36 -0700 (PDT)
X-Received: by 10.98.61.93 with SMTP id k90mr20549747pfa.174.1501013256463; 
 Tue, 25 Jul 2017 13:07:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1501013256; cv=none;
 d=google.com; s=arc-20160816;
 b=JUvAa+bjSAzYfQYY7S53XofrFWM60e6nVsXMpuXrmVT4ANjYUT37TsUwg4Tw4kubJ+
 8Fn/aRMLzqhFqU3M988G9W4JLEQzr//3Xp6WyE+LUR23XX+Wvww4eNCo+qqtUplcmPEA
 l6kSHNFiVHyUIkhI4V03/WXKNKw/Ly4GTuI7JHYVtUzVH6Xqr6jBVAmW2RZvg0yt0pLO
 4CcTVB7pRSW7/Wr238yavRt8qq/SNxzg2LlBdnblfz19SxVDvutrP5azKMmi7tTvcuXo
 uJqR5GtyKaRDzx8C57MPZ3IM0zflM/YOf38lHu7Lg++09MRHYpNsHudq2BsImRcerEHd
 h7qg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature:arc-authentication-results;
 bh=Hjj3aeDs44/iGRTGup4jew0X0M0jFOVa3W0EfP70AWs=;
 b=Z6iZnqY/IjSMLzPdoCRvVZHjOmSLaj/Au9YaWJGSkic4tDE5R70OvF0Pywp5HuTvRp
 irj+M7OWTQAYforHzeqONwB7JgW0K7FkhGs+FuRgUbCN6Pbc+jNyoRldLcaHyc36c6pn
 u0i2fGB0EFpKpORd+59OkHIZilNJNuRGKZdRkyjcxJvr+PB+ImlaWxKHoPtlI/tuhQtu
 E2ExZa51MEJQmpdsWD/Ik2j8dSnWTHls+ql4f1EAaul0bRzRT2Eu1IwjM4+LkcteFFR5
 ft/qsCHughdEKW2+8w0TMIHh+OM6PLagxIAQxo3x3th16yH0LV+T0EgeMSoQrZdvi7kE
 lKDA==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.b=VHA0ENuA;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <stable-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 h10si8970990plk.237.2017.07.25.13.07.36; 
 Tue, 25 Jul 2017 13:07:36 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.b=VHA0ENuA;
 spf=pass (google.com: best guess record for domain of
 stable-owner@vger.kernel.org designates 209.132.180.67 as
 permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1753613AbdGYUHd (ORCPT <rfc822;sumit.semwal@linaro.org>
 + 6 others); Tue, 25 Jul 2017 16:07:33 -0400
Received: from mail-pg0-f53.google.com ([74.125.83.53]:35772 "EHLO
 mail-pg0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1753039AbdGYUHb (ORCPT
 <rfc822;stable@vger.kernel.org>); Tue, 25 Jul 2017 16:07:31 -0400
Received: by mail-pg0-f53.google.com with SMTP id v190so74469466pgv.2
 for <stable@vger.kernel.org>; Tue, 25 Jul 2017 13:07:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=Hjj3aeDs44/iGRTGup4jew0X0M0jFOVa3W0EfP70AWs=;
 b=VHA0ENuAmdfngVvkG2RCg2SlIfS5wUwcCzDXJe/CJnY3UcW9LCVV8HlxQtxC6Ilx0i
 pHlZyx0kgH9QkO1m1/9UxXRJphiH5sHcFlO4pFNmrkJT74df9mHJCv04sYnlwO+tZ0Mf
 lorjncL3H7CDPkWnQyOnm5Dzj49To7VZVThWA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=Hjj3aeDs44/iGRTGup4jew0X0M0jFOVa3W0EfP70AWs=;
 b=HhID234Mkq+obG4PJiYoGzE9aCdeGQw1Ri7z1um12aIu0tVhaNOw9rQnRn3Qt8y/Z3
 jofTc3u2vnyBEmtb152bNP6rd/f6kkiqw4nnDeSRXUjRDLpMtHALahBPmgpXGaTzBNaq
 BjK2+634fvvVquRchbTdn4+p7kJ5/rBo2SS1S7+CYciX2mL365r3+PkZH2cyvLUK1zDF
 CEtyTXVCvWxk7UZqBuLq38T0pwg6S1LmYxpzcqnkR7Wnt2AQVRB3xzrBYOqpX/TgLmuv
 4HJa7D/OR7x/zzRM/vQrUI7a0JQ3/vvSYgSAuaIIK2v8CT1WL0Wmkw2ASWWjNiFtJGEi
 NvFQ==
X-Gm-Message-State: AIVw1131qnim4sjsH530ZlQOosISvl78qVrRyJ5m4re39nafodOBcLM0
 nJSkBaIgJrk2GXto
X-Received: by 10.84.151.99 with SMTP id i90mr22426593pli.188.1501013250435; 
 Tue, 25 Jul 2017 13:07:30 -0700 (PDT)
Received: from localhost.localdomain ([106.51.135.235])
 by smtp.gmail.com with ESMTPSA id
 c76sm27684356pfj.91.2017.07.25.13.07.26
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Tue, 25 Jul 2017 13:07:29 -0700 (PDT)
From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>, Guillaume Nault <g.nault@alphalink.fr>,
 "David S . Miller" <davem@davemloft.net>
Subject: [PATCH for-4.4 01/13] ppp: take reference on channels netns
Date: Wed, 26 Jul 2017 01:37:09 +0530
Message-Id: <1501013241-31961-2-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1501013241-31961-1-git-send-email-amit.pundir@linaro.org>
References: <1501013241-31961-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Guillaume Nault <g.nault@alphalink.fr>

commit 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 upstream.

Let channels hold a reference on their network namespace.
Some channel types, like ppp_async and ppp_synctty, can have their
userspace controller running in a different namespace. Therefore they
can't rely on them to preclude their netns from being removed from
under them.

-- 
2.7.4

==================================================================
BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
addr ffff880064e217e0
Read of size 8 by task syz-executor/11581
=============================================================================
BUG net_namespace (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
[<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
[<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
[<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
[<     inline     >] slab_alloc kernel/mm/slub.c:2574
[<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
[<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
[<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
[<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
[<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
[<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
[<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
[<     inline     >] copy_process kernel/kernel/fork.c:1274
[<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
[<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
[<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185

INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
[<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
[<     inline     >] slab_free kernel/mm/slub.c:2805
[<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
[<     inline     >] net_free kernel/net/core/net_namespace.c:341
[<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
[<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
[<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
[<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
[<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
[<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
flags=0x5fffc0000004080
INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200

CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
 ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
 ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
Call Trace:
 [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
 [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
 [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
 [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
 [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
 [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
 [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
 [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
 [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
 [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
 [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
 [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
 [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
 [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
 [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
 [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
 [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
 [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
 [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
 [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
 [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
 [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
 [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
 [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
 [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
 [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
 [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
 [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
 [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
 [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
 [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
 [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
 [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
 [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
 [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
 [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
 [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
 [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
 [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
 [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
 [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
 [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
 [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
Memory state around the buggy address:
 ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/net/ppp/ppp_generic.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index e5bb870b5461..fa76ca128e1b 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2390,6 +2390,8 @@ ppp_unregister_channel(struct ppp_channel *chan)
 	spin_lock_bh(&pn->all_channels_lock);
 	list_del(&pch->list);
 	spin_unlock_bh(&pn->all_channels_lock);
+	put_net(pch->chan_net);
+	pch->chan_net = NULL;
 
 	pch->file.dead = 1;
 	wake_up_interruptible(&pch->file.rwait);