This is caused by net_cls and net_prio cgroups disabling cgroup BPF and
causing it to stop refcounting when allocating new sockets. Releasing those
sockets will cause the refcount to go negative, leading to the potential
use-after-free.
Though this revert won't prevent the issue from happening as it could still
theoretically be caused by setting net_cls.classid or net_prio.ifpriomap,
this will prevent it from happening on default system configurations. A
combination of systemd use of cgroup BPF and extensive cgroup use including
net_prio will cause this. Reports usually involve using lxd, libvirt,
docker or kubernetes and some systemd service with IPAddressDeny or
IPAddressAllow.
And though this patch has been introduced to avoid some potential memory
leaks, the cure is worse than the disease. We will need to revisit both
issues later on and reapply this patch when we have a real fix for the
crash.
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Marcelo Henrique Cerri <email address hidden>
Acked-by: Ian May <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

kernel/relay.c: handle alloc_percpu returning NULL in relay_open
alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
invalid pointer:
BUG: Unable to handle kernel data access at 0x7dae0000
Faulting instruction address: 0xc0000000003f3fec
...
NIP relay_open+0x29c/0x600
LR relay_open+0x270/0x600
Call Trace:
relay_open+0x264/0x600 (unreliable)
__blk_trace_setup+0x254/0x600
blk_trace_setup+0x68/0xa0
sg_ioctl+0x7bc/0x2e80
do_vfs_ioctl+0x13c/0x1300
ksys_ioctl+0x94/0x130
sys_ioctl+0x48/0xb0
system_call+0x5c/0x68
Check if alloc_percpu returns NULL.
This was found by syzkaller both on x86 and powerpc, and the reproducer
it found on powerpc is capable of hitting the issue as an unprivileged
user.
Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
Reported-by: <email address hidden>
Reported-by: <email address hidden>
Reported-by: <email address hidden>
Reported-by: <email address hidden>
Signed-off-by: Daniel Axtens <email address hidden>
Signed-off-by: Andrew Morton <email address hidden>
Reviewed-by: Michael Ellerman <email address hidden>
Reviewed-by: Andrew Donnellan <email address hidden>
Acked-by: David Rientjes <email address hidden>
Cc: Akash Goel <email address hidden>
Cc: Andrew Donnellan <email address hidden>
Cc: Guenter Roeck <email address hidden>
Cc: Salvatore Bonaccorso <email address hidden>
Cc: <email address hidden> [4.10+]
Link: http://<email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>
(cherry picked from commit 54e200ab40fc14c863bcc80a51e20b7906608fce)
CVE-2019-19642
Signed-off-by: Benjamin M Romer <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
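The commit above describes the defect in one line: alloc_percpu() can return NULL, relay_open() stored that NULL in chan->buf and then dereferenced it through per_cpu_ptr(), and the fix is to check the return value and free the partially built channel. The block below is an added example, not the kernel's code and not part of the original changelog: a user-space model of relay_open()'s allocation path with a toy fault-injecting allocator, so the failure paths can actually be exercised. Everything in it is an assumption for illustration: struct rchan is reduced to the fields the model needs, alloc_percpu_sim()/per_cpu_ptr_sim() stand in for the per-CPU API with a plain array of NR_CPUS_SIM slots, xalloc()/xfree() count live allocations so a leak on an error path is visible, and relay_fail_nth_alloc() is the constructed fault injector (the kernel has its own failslab mechanism, which this does not replicate).

```c
/* Added example: user-space model of relay_open()'s allocation path and
 * the NULL check added by the commit above. Not kernel code; all names
 * and sizes here are assumptions for illustration. */
#include <stdlib.h>
#include <stddef.h>

#define NR_CPUS_SIM 4                 /* assumed CPU count for the model */

struct rchan_buf { unsigned char *start; size_t size; };

/* Reduced stand-in for the kernel's struct rchan (assumption). */
struct rchan {
    size_t subbuf_size;
    size_t n_subbufs;
    struct rchan_buf **buf;           /* models the per-CPU pointer from alloc_percpu() */
};

static int live_allocs;               /* every xalloc() counts, every xfree() uncounts */
static int fail_on_alloc;             /* toy fault injection: if > 0, the Nth allocation from now fails */

static void *xalloc(size_t n, size_t sz)
{
    if (fail_on_alloc > 0 && --fail_on_alloc == 0)
        return NULL;                  /* models alloc_percpu()/kzalloc() returning NULL */
    void *p = calloc(n, sz);          /* calloc: the per-CPU slots start out NULL */
    if (p)
        live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* Stand-ins for alloc_percpu()/per_cpu_ptr(): one slot per CPU in a flat array. */
static struct rchan_buf **alloc_percpu_sim(void)
{
    return xalloc(NR_CPUS_SIM, sizeof(struct rchan_buf *));
}
#define per_cpu_ptr_sim(pcpu, cpu) (&(pcpu)[(cpu)])

static struct rchan_buf *relay_open_buf_sim(struct rchan *chan)
{
    struct rchan_buf *buf = xalloc(1, sizeof(*buf));
    if (!buf)
        return NULL;
    buf->size = chan->subbuf_size * chan->n_subbufs;
    buf->start = xalloc(1, buf->size);
    if (!buf->start) {
        xfree(buf);
        return NULL;
    }
    return buf;
}

static void relay_close_buf_sim(struct rchan_buf *buf)
{
    if (buf) {
        xfree(buf->start);
        xfree(buf);
    }
}

/* Model of relay_open(): returns NULL on any failure, like the kernel function. */
struct rchan *relay_open_sim(size_t subbuf_size, size_t n_subbufs)
{
    struct rchan *chan;
    int i;

    if (!subbuf_size || !n_subbufs)   /* mirrors relay_open()'s argument sanity checks */
        return NULL;
    chan = xalloc(1, sizeof(*chan));
    if (!chan)
        return NULL;
    chan->subbuf_size = subbuf_size;
    chan->n_subbufs = n_subbufs;

    chan->buf = alloc_percpu_sim();
    if (!chan->buf) {                 /* the check the commit adds: without it the loop below
                                       * does *per_cpu_ptr(NULL, i), the oops in the report */
        xfree(chan);
        return NULL;
    }
    for (i = 0; i < NR_CPUS_SIM; i++) {
        struct rchan_buf *buf = relay_open_buf_sim(chan);
        if (!buf)
            goto free_bufs;
        *per_cpu_ptr_sim(chan->buf, i) = buf;
    }
    return chan;

free_bufs:                            /* unwind: slots never reached are still NULL from calloc */
    for (i = 0; i < NR_CPUS_SIM; i++)
        relay_close_buf_sim(*per_cpu_ptr_sim(chan->buf, i));
    xfree(chan->buf);
    xfree(chan);
    return NULL;
}

void relay_close_sim(struct rchan *chan)
{
    int i;
    if (!chan)
        return;
    for (i = 0; i < NR_CPUS_SIM; i++)
        relay_close_buf_sim(*per_cpu_ptr_sim(chan->buf, i));
    xfree(chan->buf);
    xfree(chan);
}

int relay_live_allocs(void) { return live_allocs; }
void relay_fail_nth_alloc(int n) { fail_on_alloc = n; }
```

With relay_fail_nth_alloc(2) the channel struct is allocated and the per-CPU allocation fails, which is exactly the path the commit hardens; with a later failure index the per-CPU buffer loop fails part way and the unwind has to cope with slots that are still NULL. In both cases the live-allocation counter returning to zero is the property a reviewer would check on an error path like this.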