net: gtp: Fix Use-After-Free in gtp_dellink

Message ID ZiYwUnZU+50fH0SN@v4bel-B760M-AORUS-ELITE-AX (mailing list archive)
State Accepted
Commit f2a904107ee2b647bb7794a1a82b67740d7c8a64
Delegated to: Netdev Maintainers
Series net: gtp: Fix Use-After-Free in gtp_dellink

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 926 this patch: 926
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers fail 1 blamed authors not CCed: ap420073@gmail.com; 2 maintainers not CCed: ap420073@gmail.com pablo@netfilter.org
netdev/build_clang success Errors and warnings before: 937 this patch: 937
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 937 this patch: 937
netdev/checkpatch warning WARNING: line length of 83 exceeds 80 columns
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-04-24--00-00 (tests: 994)

Commit Message

Hyunwoo Kim April 22, 2024, 9:39 a.m. UTC
Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal
of gtp_dellink, is not part of the RCU read critical section, it
is possible that the RCU grace period will pass during the traversal and
the key will be freed.

To prevent this, it should be changed to hlist_for_each_entry_safe.

Fixes: 94dc550a5062 ("gtp: fix an use-after-free in ipv4_pdp_find()")
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
---
 drivers/net/gtp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
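
The failure mode the commit message describes, as an added userspace model (not part of the patch or of the kernel source): one walk loads the next pointer after the loop body has deleted the entry, the other loads it before. The `struct node`, `model_delete()`, `load_next()` and both walk functions are hypothetical names, and the model assumes the worst case in which the grace period ends as soon as the entry is unlinked.

```c
#include <stdio.h>

/* Constructed model: "freed" marks memory the call_rcu() callback released. */
struct node { struct node *next; int freed; };
#define NODES 4
static struct node pool[NODES], *head;
static int stale_reads;

static void build(void)
{
	for (int i = 0; i < NODES; i++)
		pool[i] = (struct node){ i + 1 < NODES ? &pool[i + 1] : NULL, 0 };
	head = &pool[0];
	stale_reads = 0;
}

/* Stand-in for pdp_context_delete(); worst case: grace period ends at once. */
static void model_delete(struct node *n)
{
	head = n->next;	/* n is always the first entry in these walks */
	n->freed = 1;	/* n->next stays intact, as after hlist_del_rcu() */
}

static struct node *load_next(struct node *n)
{
	stale_reads += n->freed;	/* count loads from already-freed nodes */
	return n->next;
}

int walk_rcu_style(void)	/* next is loaded after the body ran */
{
	build();
	for (struct node *n = head; n; n = load_next(n))
		model_delete(n);
	return stale_reads;
}

int walk_safe(void)		/* next is loaded before the body runs */
{
	struct node *n, *next;
	build();
	for (n = head; n && (next = load_next(n), 1); n = next)
		model_delete(n);
	return stale_reads;
}

int main(void)
{
	printf("rcu-style: %d stale loads, safe: %d\n", walk_rcu_style(), walk_safe());
	return 0;
}
```

In the model every iteration of the first walk touches a released entry, while the second walk never does; in the kernel the first case only occurs when the grace period actually elapses mid-traversal.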

Comments

Eric Dumazet April 22, 2024, 10:41 a.m. UTC | #1
On Mon, Apr 22, 2024 at 11:39 AM Hyunwoo Kim <v4bel@theori.io> wrote:
>
> Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal
> of gtp_dellink, is not part of the RCU read critical section, it
> is possible that the RCU grace period will pass during the traversal and
> the key will be freed.
>
> To prevent this, it should be changed to hlist_for_each_entry_safe.
>
> Fixes: 94dc550a5062 ("gtp: fix an use-after-free in ipv4_pdp_find()")
> Signed-off-by: Hyunwoo Kim <v4bel@theori.io>

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks !

patchwork-bot+netdevbpf@kernel.org April 24, 2024, 11:10 a.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Mon, 22 Apr 2024 05:39:30 -0400 you wrote:
> Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal
> of gtp_dellink, is not part of the RCU read critical section, it
> is possible that the RCU grace period will pass during the traversal and
> the key will be freed.
> 
> To prevent this, it should be changed to hlist_for_each_entry_safe.
> 
> [...]

Here is the summary with links:
  - net: gtp: Fix Use-After-Free in gtp_dellink
    https://git.kernel.org/netdev/net/c/f2a904107ee2

You are awesome, thank you!
Patch

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index ba4704c2c640..e62d6cbdf9bc 100644
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -1098,11 +1098,12 @@  static int gtp_newlink(struct net *src_net, struct net_device *dev,
 static void gtp_dellink(struct net_device *dev, struct list_head *head)
 {
 	struct gtp_dev *gtp = netdev_priv(dev);
+	struct hlist_node *next;
 	struct pdp_ctx *pctx;
 	int i;
 
 	for (i = 0; i < gtp->hash_size; i++)
-		hlist_for_each_entry_rcu(pctx, &gtp->tid_hash[i], hlist_tid)
+		hlist_for_each_entry_safe(pctx, next, &gtp->tid_hash[i], hlist_tid)
 			pdp_context_delete(pctx);
 
 	list_del_rcu(&gtp->list);
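
Review bot: the hlist_for_each_entry_safe() loop over gtp->tid_hash[i] in gtp_dellink() needs a short comment saying why the _safe iterator is required (pdp_context_delete() removes pctx and, per the commit message, hands it to call_rcu(), so next has to be fetched before the body runs) and what serializes writers to the hash at this point, because the _safe variant only tolerates removal of the current entry and gives no protection against another context modifying the list. The new line is also 83 columns, which checkpatch flags; wrapping after the second argument keeps it under 80. With the inner loop now spanning more than one line, braces around the body of the outer for (i = 0; i < gtp->hash_size; i++) would make the nesting easier to read.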