
[net,0/6] gtp: fix several bugs

Message ID 20190702152034.22412-1-ap420073@gmail.com

Message

Taehee Yoo July 2, 2019, 3:20 p.m. UTC
This patch series fixes several bugs in the gtp module.

First patch fixes suspicious RCU usage.
The problem is the use of rcu_dereference_sk_user_data() outside of
an RCU read critical section.

Second patch fixes use-after-free.
gtp_encap_destroy() is called twice.
gtp_encap_destroy() uses both gtp->sk0 and gtp->sk1u.
These pointers can be freed in gtp_encap_destroy().
So, gtp_encap_destroy() should avoid using a freed sk pointer.

Third patch removes duplicate code in gtp_dellink().
gtp_dellink() calls gtp_encap_disable() twice.
So, remove one of them.

Fourth patch fixes usage of GFP_KERNEL.
GFP_KERNEL cannot be used in an RCU read critical section.
This patch makes ipv4_pdp_add() use GFP_ATOMIC instead of GFP_KERNEL.

Fifth patch fixes use-after-free in gtp_newlink().
gtp_newlink() uses gtp_net which would be destroyed by the __exit_net
routine.
So, gtp_newlink should not be called after the __exit_net routine.

Sixth patch adds a missing error handling routine in gtp_encap_enable().
gtp_encap_enable() will fail if an invalid role value is sent from
user-space. If so, gtp_encap_enable() should execute the error handling
routine.

Taehee Yoo (6):
  gtp: fix suspicious RCU usage
  gtp: fix use-after-free in gtp_encap_destroy()
  gtp: remove duplicate code in gtp_dellink()
  gtp: fix Illegal context switch in RCU read-side critical section.
  gtp: fix use-after-free in gtp_newlink()
  gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()

 drivers/net/gtp.c | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)
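
The double-teardown hazard described for the second patch, as an added user-space model that is not part of this series or of drivers/net/gtp.c. All names (model_sock, model_dev, disable_sock, ...) are hypothetical, and clearing the slot before dropping the reference is one common guard, assumed here because the cover letter does not show the actual change.

```c
#include <stddef.h>

/* Hypothetical stand-ins; not the definitions from drivers/net/gtp.c. */
struct model_sock { int refcnt; };
struct model_dev  { struct model_sock *sk0, *sk1u; };

static int stale_puts; /* releases attempted on an already-released socket */

static void model_sock_put(struct model_sock *sk)
{
    if (sk->refcnt == 0) {   /* in the kernel this would touch freed memory */
        stale_puts++;
        return;
    }
    sk->refcnt--;
}

/* Unguarded teardown: trusts dev->sk0 and dev->sk1u on every call. */
static void destroy_unguarded(struct model_dev *dev)
{
    model_sock_put(dev->sk0);
    model_sock_put(dev->sk1u);
}

/* Guarded teardown: detach the slot first, so a repeat call is a no-op. */
static void disable_sock(struct model_sock **slot)
{
    struct model_sock *sk = *slot;
    if (!sk)
        return;
    *slot = NULL;
    model_sock_put(sk);
}

static void destroy_guarded(struct model_dev *dev)
{
    disable_sock(&dev->sk0);
    disable_sock(&dev->sk1u);
}

/* Run teardown twice, as in the reported bug; return the stale release count. */
int stale_puts_after_double_destroy(int guarded)
{
    struct model_sock a = { 1 }, b = { 1 }; /* constructed sample state */
    struct model_dev dev = { &a, &b };
    stale_puts = 0;
    for (int i = 0; i < 2; i++)
        guarded ? destroy_guarded(&dev) : destroy_unguarded(&dev);
    return stale_puts;
}

int main(void) { return stale_puts_after_double_destroy(1); }
```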

Comments

Harald Welte July 3, 2019, 1:08 a.m. UTC | #1
Hi Taehee,

On Wed, Jul 03, 2019 at 12:20:34AM +0900, Taehee Yoo wrote:
> This patch series fixes several bugs in the gtp module.

thanks a lot for your patches, they are much appreciated.

They look valid to me after a brief initial review.

However, I'm currently on holidays and don't have the ability to test
any patches until my return on July 17.  Maybe Pablo and/or Pau can have
a look meanwhile?  Thanks in advance.

Regards,
	Harald
Taehee Yoo July 3, 2019, 1:31 a.m. UTC | #2
Hi Harald,

On Wed, 3 Jul 2019 at 09:10, Harald Welte <laforge@gnumonks.org> wrote:
>
> Hi Taehee,
>
> On Wed, Jul 03, 2019 at 12:20:34AM +0900, Taehee Yoo wrote:
> > This patch series fixes several bugs in the gtp module.
>
> thanks a lot for your patches, they are much appreciated.
>
> They look valid to me after a brief initial review.
>
> However, I'm currently on holidays and don't have the ability to test
> any patches until my return on July 17.  Maybe Pablo and/or Pau can have
> a look meanwhile?  Thanks in advance.
>

Thank you for letting me know.

Thanks a lot!

> Regards,
>         Harald
> --
> - Harald Welte <laforge@gnumonks.org>           http://laforge.gnumonks.org/
> ============================================================================
> "Privacy in residential applications is a desirable marketing option."
>                                                   (ETSI EN 300 175-7 Ch. A6)
David Miller July 8, 2019, 1:55 a.m. UTC | #3
From: Taehee Yoo <ap420073@gmail.com>
Date: Wed,  3 Jul 2019 00:20:34 +0900

> This patch series fixes several bugs in the gtp module.

I reviewed these carefully by hand and decided to apply these now.

Thanks Taehee.