From patchwork Sat Oct 27 01:00:20 2018
X-Patchwork-Submitter: Jay Vosburgh
X-Patchwork-Id: 989807
Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com
From: Jay Vosburgh
To: kernel-team@lists.ubuntu.com
Subject: [PATCH][TRUSTY][SRU] UBUNTU: SAUCE: (no-up) net/packet: fix erroneous dev_add_pack usage in fanout
Date: Fri, 26 Oct 2018 18:00:20 -0700
Message-ID: <7125.1540602020@famine>

BugLink: http://bugs.launchpad.net/bugs/1800254

Due to changes added as part of c108ac876c02 ("packet: hold bind lock when rebinding to fanout hook"), it is possible for fanout_add to add a packet_type handler via dev_add_pack and then kfree the memory backing the packet_type. This corrupts the ptype_all list, causing the system to panic when network packet processing next traverses ptype_all.

The erroneous path is taken when a PACKET_FANOUT setsockopt is performed on a packet socket that is bound to an interface that is administratively down.

This is not due to any flaw of c108ac876c02, but rather that the packet socket code base differs subtly in 3.13 as compared to 4.4. The remedy for this is to include additional changes in the management of the dev_add_pack calls from 4.4. This moves the dev_add_pack and dev_remove_pack calls from fanout_add and _release into __fanout_link and _unlink. These changes originate in 2bd624b4611f ("packet: Do not call fanout_release from atomic contexts"). We do not include that patch in its entirety as it has other dependencies, and this is the minimal change set to resolve the issue.

Signed-off-by: Jay Vosburgh
Acked-by: Stefan Bader
Acked-by: Kleber Sacilotto de Souza
---
 net/packet/af_packet.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index c0230c7458df..fa02443df232 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1267,6 +1267,8 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po) f->arr[f->num_members] = sk; smp_wmb(); f->num_members++; + if (f->num_members == 1) + dev_add_pack(&f->prot_hook); spin_unlock(&f->lock); } @@ -1283,6 +1285,8 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po) BUG_ON(i >= f->num_members); f->arr[i] = f->arr[f->num_members - 1]; f->num_members--; + if (f->num_members == 0) + __dev_remove_pack(&f->prot_hook); spin_unlock(&f->lock); } @@ -1350,7 +1354,6 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags) match->prot_hook.func = packet_rcv_fanout; match->prot_hook.af_packet_priv = match; match->prot_hook.id_match = match_fanout_group; - dev_add_pack(&match->prot_hook); list_add(&match->list, &fanout_list); } err = -EINVAL; @@ -1393,7 +1396,6 @@ static void fanout_release(struct sock *sk) if (atomic_dec_and_test(&f->sk_ref)) { list_del(&f->list); - dev_remove_pack(&f->prot_hook); kfree(f); } }
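Review bot: In the __fanout_link hunk, the new `if (f->num_members == 1) dev_add_pack(&f->prot_hook);` is deliberately placed after `smp_wmb(); f->num_members++;`, so the hook only becomes visible to the receive path once `f->arr[0]` and the member count are already published, and the `== 1` test is only sound because `f->lock` serializes link and unlink. Neither property is obvious from the two added lines; a short comment above the `if` stating that the hook is registered by the first member and that the ordering relative to `num_members` is intentional would save the next backporter from reordering it. dev_add_pack itself only takes the ptype spinlock, so calling it with `f->lock` held is fine.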
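Review bot: In the __fanout_unlink hunk, `__dev_remove_pack` (the variant without synchronize_net) is the right call here because `f->lock` is a spinlock and the function cannot sleep, but that shifts responsibility for the RCU grace period to the caller. Please add a comment on the new `if (f->num_members == 0)` branch saying that the caller must synchronize before the memory behind `f->prot_hook` is reused, so the asymmetry with `dev_add_pack` in __fanout_link is not mistaken for an oversight.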
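Review bot: In the fanout_add hunk, removing `dev_add_pack(&match->prot_hook);` from group creation means a freshly allocated `match` sits on `fanout_list` with `prot_hook` unregistered until the first __fanout_link, which is exactly what prevents the `err = -EINVAL` path below from leaving a zero-member group on ptype_all and later freeing it. Consider a one-line comment after `match->prot_hook.id_match = match_fanout_group;` noting that registration now happens in __fanout_link, since a reader comparing against 3.13 will otherwise look for the missing call.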
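Review bot: In the fanout_release hunk, dropping `dev_remove_pack(&f->prot_hook);` also drops the synchronize_net() that dev_remove_pack performs, so `kfree(f)` now follows the last __fanout_unlink's `__dev_remove_pack` with nothing in this function guaranteeing an RCU grace period in between; a receive path still inside list_for_each_entry_rcu over ptype_all could dereference `f->prot_hook.af_packet_priv` after the free. Please confirm that every caller reaches a synchronize_net() before fanout_release frees `f`, or defer the free past the caller's synchronize_net() as upstream 2bd624b4611f does by having fanout_release return the fanout to be freed, and note the reasoning in the commit message since the backport is explicitly partial.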