--- /dev/null
+From 2d327a79ee176930dc72c131a970c891d367c1dc Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 24 Mar 2022 20:58:27 -0700
+Subject: llc: only change llc->dev when bind() succeeds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 2d327a79ee176930dc72c131a970c891d367c1dc upstream.
+
+My latest patch, attempting to fix the refcount leak in a minimal
+way turned out to add a new bug.
+
+Whenever the bind operation fails before we attempt to grab
+a reference count on a device, we might release the device refcount
+of a prior successful bind() operation.
+
+syzbot was not happy about this [1].
+
+Note to stable teams:
+
+Make sure commit b37a46683739 ("netdevice: add the case if dev is NULL")
+is already present in your trees.
+
+[1]
+general protection fault, probably for non-canonical address 0xdffffc0000000070: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]
+CPU: 1 PID: 3590 Comm: syz-executor361 Tainted: G W 5.17.0-syzkaller-04796-g169e77764adc #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:llc_ui_connect+0x400/0xcb0 net/llc/af_llc.c:500
+Code: 80 3c 02 00 0f 85 fc 07 00 00 4c 8b a5 38 05 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d bc 24 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a9 07 00 00 49 8b b4 24 80 03 00 00 4c 89 f2 48
+RSP: 0018:ffffc900038cfcc0 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff8880756eb600 RCX: 0000000000000000
+RDX: 0000000000000070 RSI: ffffc900038cfe3e RDI: 0000000000000380
+RBP: ffff888015ee5000 R08: 0000000000000001 R09: ffff888015ee5535
+R10: ffffed1002bdcaa6 R11: 0000000000000000 R12: 0000000000000000
+R13: ffffc900038cfe37 R14: ffffc900038cfe38 R15: ffff888015ee5012
+FS: 0000555555acd300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000280 CR3: 0000000077db6000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ __sys_connect_file+0x155/0x1a0 net/socket.c:1900
+ __sys_connect+0x161/0x190 net/socket.c:1917
+ __do_sys_connect net/socket.c:1927 [inline]
+ __se_sys_connect net/socket.c:1924 [inline]
+ __x64_sys_connect+0x6f/0xb0 net/socket.c:1924
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f016acb90b9
+Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffd417947f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f016acb90b9
+RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
+RBP: 00007f016ac7d0a0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f016ac7d130
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+Modules linked in:
+---[ end trace 0000000000000000 ]---
+RIP: 0010:llc_ui_connect+0x400/0xcb0 net/llc/af_llc.c:500
+
+Fixes: 764f4eb6846f ("llc: fix netdevice reference leaks in llc_ui_bind()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: 赵子轩 <beraphin@gmail.com>
+Cc: Stoyan Manolov <smanolov@suse.de>
+Link: https://lore.kernel.org/r/20220325035827.360418-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 57 ++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 32 insertions(+), 25 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -276,6 +276,7 @@ static int llc_ui_autobind(struct socket
+ {
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc = llc_sk(sk);
++ struct net_device *dev = NULL;
+ struct llc_sap *sap;
+ int rc = -EINVAL;
+
+@@ -287,14 +288,14 @@ static int llc_ui_autobind(struct socket
+ goto out;
+ rc = -ENODEV;
+ if (sk->sk_bound_dev_if) {
+- llc->dev = dev_get_by_index(&init_net, sk->sk_bound_dev_if);
+- if (llc->dev && addr->sllc_arphrd != llc->dev->type) {
+- dev_put(llc->dev);
+- llc->dev = NULL;
++ dev = dev_get_by_index(&init_net, sk->sk_bound_dev_if);
++ if (dev && addr->sllc_arphrd != dev->type) {
++ dev_put(dev);
++ dev = NULL;
+ }
+ } else
+- llc->dev = dev_getfirstbyhwtype(&init_net, addr->sllc_arphrd);
+- if (!llc->dev)
++ dev = dev_getfirstbyhwtype(&init_net, addr->sllc_arphrd);
++ if (!dev)
+ goto out;
+ rc = -EUSERS;
+ llc->laddr.lsap = llc_ui_autoport();
+@@ -304,6 +305,11 @@ static int llc_ui_autobind(struct socket
+ sap = llc_sap_open(llc->laddr.lsap, NULL);
+ if (!sap)
+ goto out;
++
++ /* Note: We do not expect errors from this point. */
++ llc->dev = dev;
++ dev = NULL;
++
+ memcpy(llc->laddr.mac, llc->dev->dev_addr, IFHWADDRLEN);
+ memcpy(&llc->addr, addr, sizeof(llc->addr));
+ /* assign new connection to its SAP */
+@@ -311,10 +317,7 @@ static int llc_ui_autobind(struct socket
+ sock_reset_flag(sk, SOCK_ZAPPED);
+ rc = 0;
+ out:
+- if (rc) {
+- dev_put(llc->dev);
+- llc->dev = NULL;
+- }
++ dev_put(dev);
+ return rc;
+ }
+
+@@ -337,6 +340,7 @@ static int llc_ui_bind(struct socket *so
+ struct sockaddr_llc *addr = (struct sockaddr_llc *)uaddr;
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc = llc_sk(sk);
++ struct net_device *dev = NULL;
+ struct llc_sap *sap;
+ int rc = -EINVAL;
+
+@@ -353,25 +357,26 @@ static int llc_ui_bind(struct socket *so
+ rc = -ENODEV;
+ rcu_read_lock();
+ if (sk->sk_bound_dev_if) {
+- llc->dev = dev_get_by_index_rcu(&init_net, sk->sk_bound_dev_if);
+- if (llc->dev) {
++ dev = dev_get_by_index_rcu(&init_net, sk->sk_bound_dev_if);
++ if (dev) {
+ if (is_zero_ether_addr(addr->sllc_mac))
+- memcpy(addr->sllc_mac, llc->dev->dev_addr,
++ memcpy(addr->sllc_mac, dev->dev_addr,
+ IFHWADDRLEN);
+- if (addr->sllc_arphrd != llc->dev->type ||
++ if (addr->sllc_arphrd != dev->type ||
+ !ether_addr_equal(addr->sllc_mac,
+- llc->dev->dev_addr)) {
++ dev->dev_addr)) {
+ rc = -EINVAL;
+- llc->dev = NULL;
++ dev = NULL;
+ }
+ }
+- } else
+- llc->dev = dev_getbyhwaddr_rcu(&init_net, addr->sllc_arphrd,
++ } else {
++ dev = dev_getbyhwaddr_rcu(&init_net, addr->sllc_arphrd,
+ addr->sllc_mac);
+- if (llc->dev)
+- dev_hold(llc->dev);
++ }
++ if (dev)
++ dev_hold(dev);
+ rcu_read_unlock();
+- if (!llc->dev)
++ if (!dev)
+ goto out;
+ if (!addr->sllc_sap) {
+ rc = -EUSERS;
+@@ -404,6 +409,11 @@ static int llc_ui_bind(struct socket *so
+ goto out_put;
+ }
+ }
++
++ /* Note: We do not expect errors from this point. */
++ llc->dev = dev;
++ dev = NULL;
++
+ llc->laddr.lsap = addr->sllc_sap;
+ memcpy(llc->laddr.mac, addr->sllc_mac, IFHWADDRLEN);
+ memcpy(&llc->addr, addr, sizeof(llc->addr));
+@@ -414,10 +424,7 @@ static int llc_ui_bind(struct socket *so
+ out_put:
+ llc_sap_put(sap);
+ out:
+- if (rc) {
+- dev_put(llc->dev);
+- llc->dev = NULL;
+- }
++ dev_put(dev);
+ release_sock(sk);
+ return rc;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
