From patchwork Sat Mar 23 16:48:22 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Xin Long <lucien.xin@gmail.com>
X-Patchwork-Id: 1062354
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="kq1E7SGf"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 44RRLB3JpBz9sSR
	for <patchwork-incoming-netdev@ozlabs.org>;
	Sun, 24 Mar 2019 03:48:34 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1727822AbfCWQsc (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Sat, 23 Mar 2019 12:48:32 -0400
Received: from mail-pf1-f193.google.com ([209.85.210.193]:45458 "EHLO
	mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1727298AbfCWQsc (ORCPT
	<rfc822;netdev@vger.kernel.org>); Sat, 23 Mar 2019 12:48:32 -0400
Received: by mail-pf1-f193.google.com with SMTP id e24so2701195pfi.12
	for <netdev@vger.kernel.org>; Sat, 23 Mar 2019 09:48:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=pYLtES9MS4SIfTyvW8o4SWKk7GTeKprf61OfvXw5Sp4=;
	b=kq1E7SGfc+TKt1Fd3CQjUw7Wx/KNzyP0M3S5Fbp44m2jYbsYqwDZ0RwwFGKDSdmUKN
	QigQgQN2/jSIerFKeAnYjBeR0zQ9197OgZ4+InhxWRJui93ks2ZjxanwKhjvw0aODzNj
	A1kvKUiNhVmbiQ4+wUV7BdSBy05z6/d2awL2KKcRjLvxF4hGUoRtlUg9K6+O7kGxsmrJ
	7knwWdojKsPbc2f9FZKmgRfFL8pTFjs+SsxDC5b8jyjMYTTVj8FJEpbof4FOIbYoM6yr
	8OsZ9zryeOpSMEpWqfZVnrUkCVNTXZKU+uDnbMc2Vgwahwg5kBSvBufUdiWsxa8ZhMqi
	EU0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=pYLtES9MS4SIfTyvW8o4SWKk7GTeKprf61OfvXw5Sp4=;
	b=OBbUQd1s6fOZQ3cADS6sh/Bfxac3OSgMvBbpqt4KIMGPE9jwOGZj9g1I0Ho+e/VKlq
	88tCi5oe4hV2Co37p9yBfzSxRcXWfnzB49mnxI1v3CRdP0ZzkU36v1UwnDUBk5gRXznJ
	FF+sreGNpKyAFkkjNpa508oMPpnQYp97b2cYvnw9pRasf7CxE18lZYFWrCJob1zFPI0W
	TXKmuwBmVVny6JW8uvKSsQNbE2oYdQ9mJjZoq3eu4m5i8scA6GE9CLdsTJ1JpwgLxeAE
	uh/52WSW6O5lmeWPHVQxvbLn8fm4X5PQL/nxPZ+Dyk0dnnFuChPIzuAz8YgrLvAiho7f
	hLXA==
X-Gm-Message-State: APjAAAX16vbx6hKmTesLyUK5WZWzshdbT03/1XpqiZk8bRwJsexl1d+t
	6vE2+oCcVcYBfzrgv1BQzw9mdHP8MnE=
X-Google-Smtp-Source: 
 APXvYqxZd/eyrIvcoqYjUXm6r8uH8xMNtidcytN76dDfeu6BAnsdiStfg/pcmdbE/vUmFkVQ0JT0vg==
X-Received: by 2002:a63:4612:: with SMTP id
	t18mr14807521pga.56.1553359711045;
	Sat, 23 Mar 2019 09:48:31 -0700 (PDT)
Received: from localhost ([209.132.188.80]) by smtp.gmail.com with ESMTPSA id
	v188sm47347pgb.7.2019.03.23.09.48.29
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sat, 23 Mar 2019 09:48:30 -0700 (PDT)
From: Xin Long <lucien.xin@gmail.com>
To: network dev <netdev@vger.kernel.org>
Cc: davem@davemloft.net, Jon Maloy <jon.maloy@ericsson.com>,
	Ying Xue <ying.xue@windriver.com>,
	tipc-discussion@lists.sourceforge.net, syzkaller@googlegroups.com
Subject: [PATCH net] tipc: change to check tipc_own_id to return in
	tipc_net_stop
Date: Sun, 24 Mar 2019 00:48:22 +0800
Message-Id: 
 <81fb8639e3850b5daa1c6300c618299929d493d6.1553359702.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

When running a syz script, a panic occurred:

[  156.088228] BUG: KASAN: use-after-free in tipc_disc_timeout+0x9c9/0xb20 [tipc]
[  156.094315] Call Trace:
[  156.094844]  <IRQ>
[  156.095306]  dump_stack+0x7c/0xc0
[  156.097346]  print_address_description+0x65/0x22e
[  156.100445]  kasan_report.cold.3+0x37/0x7a
[  156.102402]  tipc_disc_timeout+0x9c9/0xb20 [tipc]
[  156.106517]  call_timer_fn+0x19a/0x610
[  156.112749]  run_timer_softirq+0xb51/0x1090

It was caused by the netns freed without deleting the discoverer timer,
while later on the netns would be accessed in the timer handler.

The timer should have been deleted by tipc_net_stop() when cleaning up a
netns. However, tipc has been able to enable a bearer and start d->timer
without the local node_addr set since Commit 52dfae5c85a4 ("tipc: obtain
node identity from interface by default"), which caused the timer not to
be deleted in tipc_net_stop() then.

So fix it in tipc_net_stop() by changing to check local node_id instead
of local node_addr, as Jon suggested.

While at it, remove the calling of tipc_nametbl_withdraw() there, since
tipc_nametbl_stop() will take of the nametbl's freeing after.

Fixes: 52dfae5c85a4 ("tipc: obtain node identity from interface by default")
Reported-by: syzbot+a25307ad099309f1c2b9@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
---
 net/tipc/net.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/net/tipc/net.c b/net/tipc/net.c
index f076edb..7ce1e86 100644
--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -163,12 +163,9 @@ void tipc_sched_net_finalize(struct net *net, u32 addr)
 
 void tipc_net_stop(struct net *net)
 {
-	u32 self = tipc_own_addr(net);
-
-	if (!self)
+	if (!tipc_own_id(net))
 		return;
 
-	tipc_nametbl_withdraw(net, TIPC_CFG_SRV, self, self, self);
 	rtnl_lock();
 	tipc_bearer_stop(net);
 	tipc_node_stop(net);