Skip to content

Commit de3cbca

Browse files
congwangnikhil18
congwang
authored and
nikhil18
committed
igmp: acquire pmc lock for ip_mc_clear_src()
[ Upstream commit c38b7d3 ] Andrey reported a use-after-free in add_grec(): for (psf = *psf_list; psf; psf = psf_next) { ... psf_next = psf->sf_next; where the struct ip_sf_list's were already freed by: kfree+0xe8/0x2b0 mm/slub.c:3882 ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078 ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618 ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609 inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411 sock_release+0x8d/0x1e0 net/socket.c:597 sock_close+0x16/0x20 net/socket.c:1072 This happens because we don't hold pmc->lock in ip_mc_clear_src() and a parallel mr_ifc_timer timer could jump in and access them. The RCU lock is there but it is merely for pmc itself, this spinlock could actually ensure we don't access them in parallel. Thanks to Eric and Long for discussion on this bug. Reported-by: Andrey Konovalov <[email protected]> Cc: Eric Dumazet <[email protected]> Cc: Xin Long <[email protected]> Signed-off-by: Cong Wang <[email protected]> Reviewed-by: Xin Long <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent f546245 commit de3cbca

File tree

1 file changed

+13
-8
lines changed

1 file changed

+13
-8
lines changed

net/ipv4/igmp.c

Lines changed: 13 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -2026,21 +2026,26 @@ static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
20262026

20272027
static void ip_mc_clear_src(struct ip_mc_list *pmc)
20282028
{
2029-
struct ip_sf_list *psf, *nextpsf;
2029+
struct ip_sf_list *psf, *nextpsf, *tomb, *sources;
20302030

2031-
for (psf = pmc->tomb; psf; psf = nextpsf) {
2031+
spin_lock_bh(&pmc->lock);
2032+
tomb = pmc->tomb;
2033+
pmc->tomb = NULL;
2034+
sources = pmc->sources;
2035+
pmc->sources = NULL;
2036+
pmc->sfmode = MCAST_EXCLUDE;
2037+
pmc->sfcount[MCAST_INCLUDE] = 0;
2038+
pmc->sfcount[MCAST_EXCLUDE] = 1;
2039+
spin_unlock_bh(&pmc->lock);
2040+
2041+
for (psf = tomb; psf; psf = nextpsf) {
20322042
nextpsf = psf->sf_next;
20332043
kfree(psf);
20342044
}
2035-
pmc->tomb = NULL;
2036-
for (psf = pmc->sources; psf; psf = nextpsf) {
2045+
for (psf = sources; psf; psf = nextpsf) {
20372046
nextpsf = psf->sf_next;
20382047
kfree(psf);
20392048
}
2040-
pmc->sources = NULL;
2041-
pmc->sfmode = MCAST_EXCLUDE;
2042-
pmc->sfcount[MCAST_INCLUDE] = 0;
2043-
pmc->sfcount[MCAST_EXCLUDE] = 1;
20442049
}
20452050

20462051
/* Join a multicast group

0 commit comments

Comments
 (0)