gtp: fix use-after-free in gtp_encap_destroy()

[linux.git] / drivers / net / gtp.c

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index fc45b749db4620fbd049dfe36035dc4633030bd7..5101f8c3c99cb1baf37cd6f0cc6bd69fafc2a15a 100644 (file)
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -285,16 +285,29 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb)
        return gtp_rx(pctx, skb, hdrlen, gtp->role);
 }
 
-static void gtp_encap_destroy(struct sock *sk)
+static void __gtp_encap_destroy(struct sock *sk)
 {
        struct gtp_dev *gtp;
 
-       gtp = rcu_dereference_sk_user_data(sk);
+       lock_sock(sk);
+       gtp = sk->sk_user_data;
        if (gtp) {
+               if (gtp->sk0 == sk)
+                       gtp->sk0 = NULL;
+               else
+                       gtp->sk1u = NULL;
                udp_sk(sk)->encap_type = 0;
                rcu_assign_sk_user_data(sk, NULL);
                sock_put(sk);
        }
+       release_sock(sk);
+}
+
+static void gtp_encap_destroy(struct sock *sk)
+{
+       rtnl_lock();
+       __gtp_encap_destroy(sk);
+       rtnl_unlock();
 }
 
 static void gtp_encap_disable_sock(struct sock *sk)
@@ -302,7 +315,7 @@ static void gtp_encap_disable_sock(struct sock *sk)
        if (!sk)
                return;
 
-       gtp_encap_destroy(sk);
+       __gtp_encap_destroy(sk);
 }
 
 static void gtp_encap_disable(struct gtp_dev *gtp)
@@ -796,7 +809,8 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
                goto out_sock;
        }
 
-       if (rcu_dereference_sk_user_data(sock->sk)) {
+       lock_sock(sock->sk);
+       if (sock->sk->sk_user_data) {
                sk = ERR_PTR(-EBUSY);
                goto out_sock;
        }
@@ -812,6 +826,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
        setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg);
 
 out_sock:
+       release_sock(sock->sk);
        sockfd_put(sock);
        return sk;
 }
@@ -1034,6 +1049,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info)
                return -EINVAL;
        }
 
+       rtnl_lock();
        rcu_read_lock();
 
        gtp = gtp_find_dev(sock_net(skb->sk), info->attrs);
@@ -1058,6 +1074,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info)
 
 out_unlock:
        rcu_read_unlock();
+       rtnl_unlock();
        return err;
 }