--- /dev/null
+From c285a2f01d692ef48d7243cf1072897bbd237407 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Wed, 19 Jun 2019 13:34:44 +0300
+Subject: fanotify: update connector fsid cache on add mark
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit c285a2f01d692ef48d7243cf1072897bbd237407 upstream.
+
+When implementing connector fsid cache, we only initialized the cache
+when the first mark added to object was added by FAN_REPORT_FID group.
+We forgot to update conn->fsid when the second mark is added by
+FAN_REPORT_FID group to an already attached connector without fsid
+cache.
+
+Reported-and-tested-by: syzbot+c277e8e2f46414645508@syzkaller.appspotmail.com
+Fixes: 77115225acc6 ("fanotify: cache fsid in fsnotify_mark_connector")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/notify/fanotify/fanotify.c | 4 ++++
+ fs/notify/mark.c | 14 +++++++++++---
+ include/linux/fsnotify_backend.h | 4 +++-
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -355,6 +355,10 @@ static __kernel_fsid_t fanotify_get_fsid
+ /* Mark is just getting destroyed or created? */
+ if (!conn)
+ continue;
++ if (!(conn->flags & FSNOTIFY_CONN_FLAG_HAS_FSID))
++ continue;
++ /* Pairs with smp_wmb() in fsnotify_add_mark_list() */
++ smp_rmb();
+ fsid = conn->fsid;
+ if (WARN_ON_ONCE(!fsid.val[0] && !fsid.val[1]))
+ continue;
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -495,10 +495,13 @@ static int fsnotify_attach_connector_to_
+ conn->type = type;
+ conn->obj = connp;
+ /* Cache fsid of filesystem containing the object */
+- if (fsid)
++ if (fsid) {
+ conn->fsid = *fsid;
+- else
++ conn->flags = FSNOTIFY_CONN_FLAG_HAS_FSID;
++ } else {
+ conn->fsid.val[0] = conn->fsid.val[1] = 0;
++ conn->flags = 0;
++ }
+ if (conn->type == FSNOTIFY_OBJ_TYPE_INODE)
+ inode = igrab(fsnotify_conn_inode(conn));
+ /*
+@@ -573,7 +576,12 @@ restart:
+ if (err)
+ return err;
+ goto restart;
+- } else if (fsid && (conn->fsid.val[0] || conn->fsid.val[1]) &&
++ } else if (fsid && !(conn->flags & FSNOTIFY_CONN_FLAG_HAS_FSID)) {
++ conn->fsid = *fsid;
++ /* Pairs with smp_rmb() in fanotify_get_fsid() */
++ smp_wmb();
++ conn->flags |= FSNOTIFY_CONN_FLAG_HAS_FSID;
++ } else if (fsid && (conn->flags & FSNOTIFY_CONN_FLAG_HAS_FSID) &&
+ (fsid->val[0] != conn->fsid.val[0] ||
+ fsid->val[1] != conn->fsid.val[1])) {
+ /*
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -292,7 +292,9 @@ typedef struct fsnotify_mark_connector _
+ */
+ struct fsnotify_mark_connector {
+ spinlock_t lock;
+- unsigned int type; /* Type of object [lock] */
++ unsigned short type; /* Type of object [lock] */
++#define FSNOTIFY_CONN_FLAG_HAS_FSID 0x01
++ unsigned short flags; /* flags [lock] */
+ __kernel_fsid_t fsid; /* fsid of filesystem containing object */
+ union {
+ /* Object pointer [lock] */
--- /dev/null
+From c3bcde026684c62d7a2b6f626dc7cf763833875c Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 17 Jun 2019 21:34:15 +0800
+Subject: tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit c3bcde026684c62d7a2b6f626dc7cf763833875c upstream.
+
+udp_tunnel(6)_xmit_skb() called by tipc_udp_xmit() expects a tunnel device
+to count packets on dev->tstats, a perpcu variable. However, TIPC is using
+udp tunnel with no tunnel device, and pass the lower dev, like veth device
+that only initializes dev->lstats(a perpcu variable) when creating it.
+
+Later iptunnel_xmit_stats() called by ip(6)tunnel_xmit() thinks the dev as
+a tunnel device, and uses dev->tstats instead of dev->lstats. tstats' each
+pointer points to a bigger struct than lstats, so when tstats->tx_bytes is
+increased, other percpu variable's members could be overwritten.
+
+syzbot has reported quite a few crashes due to fib_nh_common percpu member
+'nhc_pcpu_rth_output' overwritten, call traces are like:
+
+ BUG: KASAN: slab-out-of-bounds in rt_cache_valid+0x158/0x190
+ net/ipv4/route.c:1556
+ rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556
+ __mkroute_output net/ipv4/route.c:2332 [inline]
+ ip_route_output_key_hash_rcu+0x819/0x2d50 net/ipv4/route.c:2564
+ ip_route_output_key_hash+0x1ef/0x360 net/ipv4/route.c:2393
+ __ip_route_output_key include/net/route.h:125 [inline]
+ ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2651
+ ip_route_output_key include/net/route.h:135 [inline]
+ ...
+
+or:
+
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ RIP: 0010:dst_dev_put+0x24/0x290 net/core/dst.c:168
+ <IRQ>
+ rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline]
+ free_fib_info_rcu+0x2e1/0x490 net/ipv4/fib_semantics.c:217
+ __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2437 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline]
+ rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697
+ ...
+
+The issue exists since tunnel stats update is moved to iptunnel_xmit by
+Commit 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()"),
+and here to fix it by passing a NULL tunnel dev to udp_tunnel(6)_xmit_skb
+so that the packets counting won't happen on dev->tstats.
+
+Reported-by: syzbot+9d4c12bfd45a58738d0a@syzkaller.appspotmail.com
+Reported-by: syzbot+a9e23ea2aa21044c2798@syzkaller.appspotmail.com
+Reported-by: syzbot+c4c4b2bb358bb936ad7e@syzkaller.appspotmail.com
+Reported-by: syzbot+0290d2290a607e035ba1@syzkaller.appspotmail.com
+Reported-by: syzbot+a43d8d4e7e8a7a9e149e@syzkaller.appspotmail.com
+Reported-by: syzbot+a47c5f4c6c00fc1ed16e@syzkaller.appspotmail.com
+Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/udp_media.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -176,7 +176,6 @@ static int tipc_udp_xmit(struct net *net
+ goto tx_error;
+ }
+
+- skb->dev = rt->dst.dev;
+ ttl = ip4_dst_hoplimit(&rt->dst);
+ udp_tunnel_xmit_skb(rt, ub->ubsock->sk, skb, src->ipv4.s_addr,
+ dst->ipv4.s_addr, 0, ttl, 0, src->port,
+@@ -195,10 +194,9 @@ static int tipc_udp_xmit(struct net *net
+ if (err)
+ goto tx_error;
+ ttl = ip6_dst_hoplimit(ndst);
+- err = udp_tunnel6_xmit_skb(ndst, ub->ubsock->sk, skb,
+- ndst->dev, &src->ipv6,
+- &dst->ipv6, 0, ttl, 0, src->port,
+- dst->port, false);
++ err = udp_tunnel6_xmit_skb(ndst, ub->ubsock->sk, skb, NULL,
++ &src->ipv6, &dst->ipv6, 0, ttl, 0,
++ src->port, dst->port, false);
+ #endif
+ }
+ return err;
projects / thirdparty / kernel / stable-queue.git / commitdiff
