geneve: Fix races between socket add and release.

[ Upstream commit 12069401d895ff84076a50189ca842c0696b84b2 ] Currently, searching for a socket to add a reference to is not synchronized with deletion of sockets. This can result in use after free if there is another operation that is removing a socket at the same time. Solving this requires both holding the appropriate lock and checking the refcount to ensure that it has not already hit zero. Inspired by a related (but not exactly the same) issue in the VXLAN driver. Fixes: 0b5e8b8e ("net: Add Geneve tunneling protocol driver") CC: Andy Zhou <azhou@nicira.com> Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

geneve: Fix races between socket add and release.
[ Upstream commit 12069401d895ff84076a50189ca842c0696b84b2 ] Currently, searching for a socket to add a reference to is not synchronized with deletion of sockets. This can result in use after free if there is another operation that is removing a socket at the same time. Solving this requires both holding the appropriate lock and checking the refcount to ensure that it has not already hit zero. Inspired by a related (but not exactly the same) issue in the VXLAN driver. Fixes: 0b5e8b8e ("net: Add Geneve tunneling protocol driver") CC: Andy Zhou <azhou@nicira.com> Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jesse Gross · Greg Kroah-Hartman
1 parent 4378fe7d79
Showing 1 changed file with 7 additions and 6 deletions Side-by-side Diff
net/ipv4/geneve.c
@@ -302,6 +302,7 @@
 				    geneve_rcv_t *rcv, void *data,
 				    bool no_share, bool ipv6)
 {
+	struct geneve_net *gn = net_generic(net, geneve_net_id);
 	struct geneve_sock *gs;
  
 	gs = geneve_socket_create(net, port, rcv, data, ipv6);
  
  
  
@@ -311,15 +312,15 @@
 	if (no_share)	/* Return error if sharing is not allowed. */
 		return ERR_PTR(-EINVAL);
  
+	spin_lock(&gn->sock_lock);
 	gs = geneve_find_sock(net, port);
-	if (gs) {
-		if (gs->rcv == rcv)
-			atomic_inc(&gs->refcnt);
-		else
+	if (gs && ((gs->rcv != rcv) ||
+		   !atomic_add_unless(&gs->refcnt, 1, 0)))
 			gs = ERR_PTR(-EBUSY);
-	} else {
+	spin_unlock(&gn->sock_lock);
+
+	if (!gs)
 		gs = ERR_PTR(-EINVAL);
-	}
  
 	return gs;
 }
...	...	@@ -302,6 +302,7 @@
302	302	geneve_rcv_t rcv, void data,
303	303	bool no_share, bool ipv6)
304	304	{
	305	+ struct geneve_net *gn = net_generic(net, geneve_net_id);
305	306	struct geneve_sock *gs;
306	307
307	308	gs = geneve_socket_create(net, port, rcv, data, ipv6);
308	309
309	310
310	311
...	...	@@ -311,15 +312,15 @@
311	312	if (no_share) /* Return error if sharing is not allowed. */
312	313	return ERR_PTR(-EINVAL);
313	314
	315	+ spin_lock(&gn->sock_lock);
314	316	gs = geneve_find_sock(net, port);
315		- if (gs) {
316		- if (gs->rcv == rcv)
317		- atomic_inc(&gs->refcnt);
318		- else
	317	+ if (gs && ((gs->rcv != rcv) \|\|
	318	+ !atomic_add_unless(&gs->refcnt, 1, 0)))
319	319	gs = ERR_PTR(-EBUSY);
320		- } else {
	320	+ spin_unlock(&gn->sock_lock);
	321	+
	322	+ if (!gs)
321	323	gs = ERR_PTR(-EINVAL);
322		- }
323	324
324	325	return gs;
325	326	}