mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-06 00:39:48 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
YueHaibing cbd028fdf2 l2tp: Fix possible NULL pointer dereference 
[ Upstream commit 638a3a1e34 ]

BUG: unable to handle kernel NULL pointer dereference at 0000000000000128
PGD 0 P4D 0
Oops: 0000 [#1
CPU: 0 PID: 5697 Comm: modprobe Tainted: G        W         5.1.0-rc7+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
RIP: 0010:__lock_acquire+0x53/0x10b0
Code: 8b 1c 25 40 5e 01 00 4c 8b 6d 10 45 85 e4 0f 84 bd 06 00 00 44 8b 1d 7c d2 09 02 49 89 fe 41 89 d2 45 85 db 0f 84 47 02 00 00 <48> 81 3f a0 05 70 83 b8 00 00 00 00 44 0f 44 c0 83 fe 01 0f 86 3a
RSP: 0018:ffffc90001c07a28 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff88822f038440 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000128
RBP: ffffc90001c07a88 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000128 R15: 0000000000000000
FS:  00007fead0811540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000128 CR3: 00000002310da000 CR4: 00000000000006f0
Call Trace:
 ? __lock_acquire+0x24e/0x10b0
 lock_acquire+0xdf/0x230
 ? flush_workqueue+0x71/0x530
 flush_workqueue+0x97/0x530
 ? flush_workqueue+0x71/0x530
 l2tp_exit_net+0x170/0x2b0 [l2tp_core
 ? l2tp_exit_net+0x93/0x2b0 [l2tp_core
 ops_exit_list.isra.6+0x36/0x60
 unregister_pernet_operations+0xb8/0x110
 unregister_pernet_device+0x25/0x40
 l2tp_init+0x55/0x1000 [l2tp_core
 ? 0xffffffffa018d000
 do_one_initcall+0x6c/0x3cc
 ? do_init_module+0x22/0x1f1
 ? rcu_read_lock_sched_held+0x97/0xb0
 ? kmem_cache_alloc_trace+0x325/0x3b0
 do_init_module+0x5b/0x1f1
 load_module+0x1db1/0x2690
 ? m_show+0x1d0/0x1d0
 __do_sys_finit_module+0xc5/0xd0
 __x64_sys_finit_module+0x15/0x20
 do_syscall_64+0x6b/0x1d0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fead031a839
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe8d9acca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000560078398b80 RCX: 00007fead031a839
RDX: 0000000000000000 RSI: 000056007659dc2e RDI: 0000000000000003
RBP: 000056007659dc2e R08: 0000000000000000 R09: 0000560078398b80
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 00005600783a04a0 R14: 0000000000040000 R15: 0000560078398b80
Modules linked in: l2tp_core(+) e1000 ip_tables ipv6 [last unloaded: l2tp_core
CR2: 0000000000000128
---[ end trace 8322b2b8bf83f8e1

If alloc_workqueue fails in l2tp_init, l2tp_net_ops
is unregistered on failure path. Then l2tp_exit_net
is called which will flush NULL workqueue, this patch
add a NULL check to fix it.

Fixes: 67e04c29ec ("l2tp: unregister l2tp_net_ops on failure path")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-27 14:46:33 +01:00
..
6lowpan 6lowpan: Off by one handling ->nexthdr 2020-01-27 14:46:30 +01:00
9p 9p/virtio: Add cleanup path in p9_virtio_init 2019-07-31 07:28:39 +02:00
802
8021q vlan: fix memory leak in vlan_dev_set_egress_priority 2020-01-12 12:12:09 +01:00
appletalk appletalk: Set error code if register_snap_client failed 2019-12-17 20:38:59 +01:00
atm net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
ax25 ax25: enforce CAP_NET_RAW for raw sockets 2019-10-05 12:47:43 +02:00
batman-adv batman-adv: Fix DAT candidate selection on little endian systems 2020-01-23 08:20:34 +01:00
bluetooth Bluetooth: Fix memory leak in hci_connect_le_scan 2020-01-09 10:17:57 +01:00
bpf
bridge net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 14:00:14 +01:00
caif net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
can can: af_can: Fix error path of can_init() 2019-07-21 09:04:22 +02:00
ceph libceph: fix PG split vs OSD (re)connect race 2019-08-29 08:26:42 +02:00
core ethtool: reduce stack usage with clang 2020-01-17 19:45:40 +01:00
dcb net: dcb: For wild-card lookups, use priority -1, not 0 2018-09-19 22:43:43 +02:00
dccp dccp: Fix memleak in __feat_register_sp 2020-01-17 19:45:43 +01:00
decnet net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 14:00:14 +01:00
dns_resolver KEYS: DNS: fix parsing multiple options 2018-07-22 14:28:49 +02:00
dsa net: dsa: tag_qca: fix doubled Tx statistics 2020-01-23 08:20:34 +01:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:17:59 +01:00
hsr hsr: reset network header when supervision frame is created 2020-01-17 19:45:45 +01:00
ieee802154 ieee802154: enforce CAP_NET_RAW for raw sockets 2019-10-05 12:47:44 +02:00
ife net: sched: ife: check on metadata length 2018-04-29 11:33:13 +02:00
ipv4 tcp: fix marked lost packets not being retransmitted 2020-01-23 08:20:35 +01:00
ipv6 tcp/dccp: fix possible race __inet_lookup_established() 2020-01-04 14:00:19 +01:00
ipx
iucv net/iucv: Free memory obtained by kzalloc 2018-03-31 18:10:41 +02:00
kcm kcm: switch order of device registration to fix a crash 2019-04-17 08:37:45 +02:00
key xfrm: clean up xfrm protocol checks 2019-09-16 08:20:44 +02:00
l2tp l2tp: Fix possible NULL pointer dereference 2020-01-27 14:46:33 +01:00
l3mdev
lapb lapb: fixed leak of control-blocks. 2019-06-22 08:16:14 +02:00
llc llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) 2020-01-12 12:12:01 +01:00
mac80211 mac80211: Do not send Layer 2 Update frame before authorization 2020-01-17 19:45:42 +01:00
mac802154 net: mac802154: tx: expand tailroom if necessary 2018-09-09 19:55:52 +02:00
mpls mpls: Return error for RTA_GATEWAY attribute 2019-03-13 14:03:09 -07:00
ncsi
netfilter netfilter: nft_set_hash: fix lookups with fixed size hash on big endian 2020-01-27 14:46:23 +01:00
netlabel netlabel: fix out-of-bounds memory accesses 2019-03-13 14:03:08 -07:00
netlink genetlink: Fix a memory leak on error path 2019-04-03 06:25:08 +02:00
netrom netrom: hold sock when setting skb->destructor 2019-07-31 07:28:46 +02:00
nfc net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() 2019-12-31 12:36:41 +01:00
nsh nsh: set mac len based on inner packet 2018-07-22 14:28:49 +02:00
openvswitch openvswitch: support asymmetric conntrack 2019-12-21 10:47:34 +01:00
packet packet: in recvmsg msg_name return at least sizeof sockaddr_ll 2020-01-27 14:46:31 +01:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:25:34 +01:00
psample net: psample: fix skb_over_panic 2019-12-05 15:38:15 +01:00
qrtr net: qrtr: Stop rx_worker before freeing node 2019-10-05 12:47:40 +02:00
rds net/rds: Fix error handling in rds_ib_add_one() 2019-10-07 18:55:20 +02:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:11:57 +01:00
rose net/rose: fix unbound loop in rose_loopback_timer() 2019-05-02 09:40:34 +02:00
rxrpc rxrpc: Fix possible NULL pointer access in ICMP handling 2020-01-09 10:17:59 +01:00
sched net: sch_prio: When ungrafting, replace with FIFO 2020-01-12 12:12:08 +01:00
sctp sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY 2020-01-12 12:12:07 +01:00
smc net/smc: use after free fix in smc_wr_tx_put_slot() 2019-12-17 20:38:01 +01:00
strparser strparser: Remove early eaten to fix full tcp receive buffer stall 2018-07-22 14:28:47 +02:00
sunrpc xprtrdma: Fix completion wait during device removal 2020-01-17 19:45:47 +01:00
switchdev
tipc tipc: set sysctl_tipc_rmem and named_timeout right range 2020-01-27 14:46:29 +01:00
tls net/tls: Fixed return value when tls_complete_pending_work() fails 2018-12-05 19:41:11 +01:00
unix af_unix: add compat_ioctl support 2020-01-17 19:45:49 +01:00
vmw_vsock VSOCK: bind to random port for VMADDR_PORT_ANY 2019-12-05 15:37:24 +01:00
wimax
wireless cfg80211: check for set_wiphy_params 2020-01-23 08:20:35 +01:00
x25 net/x25: fix null_x25_address handling 2019-12-17 20:38:25 +01:00
xfrm xfrm: release device reference for invalid state 2019-12-17 20:37:28 +01:00
compat.c sock: Make sock->sk_stamp thread-safe 2019-01-09 17:14:46 +01:00
Kconfig
Makefile
socket.c compat_ioctl: handle SIOCOUTQNSD 2020-01-17 19:45:49 +01:00
sysctl_net.c