authorPaul Gortmaker <paul.gortmaker@windriver.com>2019-09-16 11:05:48 -0400
committerPaul Gortmaker <paul.gortmaker@windriver.com>2019-09-16 11:05:48 -0400
commit743a5387e928f4a9ffb40855e9b1edf9c19f01c5 (patch)
tree577f6fc25df67406fc917910d8e5d705832962d9
parent1afc14af96e09fda4661bdf090177c6743d7f6aa (diff)
downloadlongterm-queue-4.18-743a5387e928f4a9ffb40855e9b1edf9c19f01c5.tar.gz
ipvs: add fix of previous fix
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--queue/ipvs-defer-hook-registration-to-avoid-leaks.patch114
-rw-r--r--queue/series1
2 files changed, 115 insertions, 0 deletions
diff --git a/queue/ipvs-defer-hook-registration-to-avoid-leaks.patch b/queue/ipvs-defer-hook-registration-to-avoid-leaks.patch
new file mode 100644
index 0000000..3cce0e7
--- /dev/null
+++ b/queue/ipvs-defer-hook-registration-to-avoid-leaks.patch
@@ -0,0 +1,114 @@
+From cf47a0b882a4e5f6b34c7949d7b293e9287f1972 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Tue, 4 Jun 2019 21:56:35 +0300
+Subject: [PATCH] ipvs: defer hook registration to avoid leaks
+
+commit cf47a0b882a4e5f6b34c7949d7b293e9287f1972 upstream.
+
+syzkaller reports for memory leak when registering hooks [1]
+
+As we moved the nf_unregister_net_hooks() call into
+__ip_vs_dev_cleanup(), defer the nf_register_net_hooks()
+call, so that hooks are allocated and freed from same
+pernet_operations (ipvs_core_dev_ops).
+
+[1]
+BUG: memory leak
+unreferenced object 0xffff88810acd8a80 (size 96):
+ comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s)
+ hex dump (first 32 bytes):
+ 02 00 00 00 00 00 00 00 50 8b bb 82 ff ff ff ff ........P.......
+ 00 00 00 00 00 00 00 00 00 77 bb 82 ff ff ff ff .........w......
+ backtrace:
+ [<0000000013db61f1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
+ [<0000000013db61f1>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<0000000013db61f1>] slab_alloc_node mm/slab.c:3269 [inline]
+ [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
+ [<000000001a27307d>] __do_kmalloc_node mm/slab.c:3619 [inline]
+ [<000000001a27307d>] __kmalloc_node+0x38/0x50 mm/slab.c:3627
+ [<0000000025054add>] kmalloc_node include/linux/slab.h:590 [inline]
+ [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431
+ [<0000000050d1bc00>] kvmalloc include/linux/mm.h:637 [inline]
+ [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline]
+ [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60 net/netfilter/core.c:61
+ [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270 net/netfilter/core.c:128
+ [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170 net/netfilter/core.c:337
+ [<00000000d1545cbc>] nf_register_net_hook+0x34/0xc0 net/netfilter/core.c:464
+ [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0 net/netfilter/core.c:480
+ [<000000002ea868e0>] __ip_vs_init+0xe8/0x170 net/netfilter/ipvs/ip_vs_core.c:2280
+ [<000000002eb2d451>] ops_init+0x4c/0x140 net/core/net_namespace.c:130
+ [<000000000284ec48>] setup_net+0xde/0x230 net/core/net_namespace.c:316
+ [<00000000a70600fa>] copy_net_ns+0xf0/0x1e0 net/core/net_namespace.c:439
+ [<00000000ff26c15e>] create_new_namespaces+0x141/0x2a0 kernel/nsproxy.c:107
+ [<00000000b103dc79>] copy_namespaces+0xa1/0xe0 kernel/nsproxy.c:165
+ [<000000007cc008a2>] copy_process.part.0+0x11fd/0x2150 kernel/fork.c:2035
+ [<00000000c344af7c>] copy_process kernel/fork.c:1800 [inline]
+ [<00000000c344af7c>] _do_fork+0x121/0x4f0 kernel/fork.c:2369
+
+Reported-by: syzbot+722da59ccb264bc19910@syzkaller.appspotmail.com
+Fixes: 719c7d563c17 ("ipvs: Fix use-after-free in ip_vs_in")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 7138556b206b..d5103a9eb302 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -2245,7 +2245,6 @@ static const struct nf_hook_ops ip_vs_ops[] = {
+ static int __net_init __ip_vs_init(struct net *net)
+ {
+ struct netns_ipvs *ipvs;
+- int ret;
+
+ ipvs = net_generic(net, ip_vs_net_id);
+ if (ipvs == NULL)
+@@ -2277,17 +2276,11 @@ static int __net_init __ip_vs_init(struct net *net)
+ if (ip_vs_sync_net_init(ipvs) < 0)
+ goto sync_fail;
+
+- ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
+- if (ret < 0)
+- goto hook_fail;
+-
+ return 0;
+ /*
+ * Error handling
+ */
+
+-hook_fail:
+- ip_vs_sync_net_cleanup(ipvs);
+ sync_fail:
+ ip_vs_conn_net_cleanup(ipvs);
+ conn_fail:
+@@ -2317,6 +2310,19 @@ static void __net_exit __ip_vs_cleanup(struct net *net)
+ net->ipvs = NULL;
+ }
+
++static int __net_init __ip_vs_dev_init(struct net *net)
++{
++ int ret;
++
++ ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
++ if (ret < 0)
++ goto hook_fail;
++ return 0;
++
++hook_fail:
++ return ret;
++}
++
+ static void __net_exit __ip_vs_dev_cleanup(struct net *net)
+ {
+ struct netns_ipvs *ipvs = net_ipvs(net);
+@@ -2336,6 +2342,7 @@ static struct pernet_operations ipvs_core_ops = {
+ };
+
+ static struct pernet_operations ipvs_core_dev_ops = {
++ .init = __ip_vs_dev_init,
+ .exit = __ip_vs_dev_cleanup,
+ };
+
+--
+2.7.4
+
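Review bot: In the added `__ip_vs_dev_init`, the `goto hook_fail` on the error path jumps to a label whose only statement is `return ret;`, so the label is pure indirection; since `nf_register_net_hooks()` returns 0 on success the body reduces to `return nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops));`, and the label is only worth keeping if a later backport adds cleanup before the return. The fix also depends on `ipvs_core_dev_ops` being registered after `ipvs_core_ops` so the per-net ipvs state already exists when the hooks can fire, and on `__ip_vs_dev_cleanup` (whose body is outside this hunk) doing the matching `nf_unregister_net_hooks()`; both are inferred from the commit text and worth confirming in the 4.18 tree rather than assumed. The `Fixes:` trailer names 719c7d563c17, presumably the "previous fix" already in this queue, so the new `series` entry should stay ordered after that patch.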
diff --git a/queue/series b/queue/series
index 5ed20ea..8811090 100644
--- a/queue/series
+++ b/queue/series
@@ -229,3 +229,4 @@ MIPS-Fix-bounds-check-virt_addr_valid.patch
x86-ftrace-Fix-warning-and-considate-ftrace_jmp_repl.patch
blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch
initramfs-don-t-free-a-non-existent-initrd.patch
+ipvs-defer-hook-registration-to-avoid-leaks.patch