From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+6ea1f7a8df64596ef4d7@syzkaller.appspotmail.com,
syzbot+e9cc557752ab126c1b99@syzkaller.appspotmail.com,
Jon Maloy <jmaloy@redhat.com>,
Hoang Huu Le <hoang.h.le@dektech.com.au>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 65/86] tipc: fix use-after-free in tipc_bcast_get_mode
Date: Mon, 9 Nov 2020 13:55:12 +0100 [thread overview]
Message-ID: <20201109125023.890801731@linuxfoundation.org> (raw)
In-Reply-To: <20201109125020.852643676@linuxfoundation.org>
From: Hoang Huu Le <hoang.h.le@dektech.com.au>
commit fdeba99b1e58ecd18c2940c453e19e4ef20ff591 upstream.
Syzbot has reported those issues as:
==================================================================
BUG: KASAN: use-after-free in tipc_bcast_get_mode+0x3ab/0x400 net/tipc/bcast.c:759
Read of size 1 at addr ffff88805e6b3571 by task kworker/0:6/3850
CPU: 0 PID: 3850 Comm: kworker/0:6 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Thread 1's call trace:
[...]
kfree+0x103/0x2c0 mm/slab.c:3757 <- bcbase releasing
tipc_bcast_stop+0x1b0/0x2f0 net/tipc/bcast.c:721
tipc_exit_net+0x24/0x270 net/tipc/core.c:112
[...]
Thread 2's call trace:
[...]
tipc_bcast_get_mode+0x3ab/0x400 net/tipc/bcast.c:759 <- bcbase
has already been freed by Thread 1
tipc_node_broadcast+0x9e/0xcc0 net/tipc/node.c:1744
tipc_nametbl_publish+0x60b/0x970 net/tipc/name_table.c:752
tipc_net_finalize net/tipc/net.c:141 [inline]
tipc_net_finalize+0x1fa/0x310 net/tipc/net.c:131
tipc_net_finalize_work+0x55/0x80 net/tipc/net.c:150
[...]
==================================================================
BUG: KASAN: use-after-free in tipc_named_reinit+0xef/0x290 net/tipc/name_distr.c:344
Read of size 8 at addr ffff888052ab2000 by task kworker/0:13/30628
CPU: 0 PID: 30628 Comm: kworker/0:13 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1f0/0x31e lib/dump_stack.c:118
print_address_description+0x66/0x5a0 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report+0x132/0x1d0 mm/kasan/report.c:530
tipc_named_reinit+0xef/0x290 net/tipc/name_distr.c:344
tipc_net_finalize+0x85/0xe0 net/tipc/net.c:138
tipc_net_finalize_work+0x50/0x70 net/tipc/net.c:150
process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
[...]
Freed by task 14058:
save_stack mm/kasan/common.c:48 [inline]
set_track mm/kasan/common.c:56 [inline]
kasan_set_free_info mm/kasan/common.c:316 [inline]
__kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
__cache_free mm/slab.c:3426 [inline]
kfree+0x10a/0x220 mm/slab.c:3757
tipc_exit_net+0x29/0x50 net/tipc/core.c:113
ops_exit_list net/core/net_namespace.c:186 [inline]
cleanup_net+0x708/0xba0 net/core/net_namespace.c:603
process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Fix it by calling flush_scheduled_work() to make sure the
tipc_net_finalize_work() stopped before releasing bcbase object.
Reported-by: syzbot+6ea1f7a8df64596ef4d7@syzkaller.appspotmail.com
Reported-by: syzbot+e9cc557752ab126c1b99@syzkaller.appspotmail.com
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Hoang Huu Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/core.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -88,6 +88,11 @@ out_sk_rht:
static void __net_exit tipc_exit_net(struct net *net)
{
tipc_net_stop(net);
+
+ /* Make sure the tipc_net_finalize_work stopped
+ * before releasing the resources.
+ */
+ flush_scheduled_work();
tipc_bcast_stop(net);
tipc_nametbl_stop(net);
tipc_sk_rht_destroy(net);
next prev parent reply other threads:[~2020-11-09 12:59 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-09 12:54 [PATCH 4.4 00/86] 4.4.242-rc1 review Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 01/86] SUNRPC: ECONNREFUSED should cause a rebind Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 02/86] scripts/setlocalversion: make git describe output more reliable Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 03/86] powerpc/powernv/opal-dump : Use IRQ_HANDLED instead of numbers in interrupt handler Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 04/86] efivarfs: Replace invalid slashes with exclamation marks in dentries Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 05/86] ravb: Fix bit fields checking in ravb_hwtstamp_get() Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 06/86] tipc: fix memory leak caused by tipc_buf_append() Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 07/86] mtd: lpddr: Fix bad logic in print_drs_error Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 08/86] ata: sata_rcar: Fix DMA boundary mask Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 09/86] fscrypt: return -EXDEV for incompatible rename or link into encrypted dir Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 10/86] f2fs crypto: avoid unneeded memory allocation in ->readdir Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 11/86] powerpc/powernv/smp: Fix spurious DBG() warning Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 12/86] sparc64: remove mm_cpumask clearing to fix kthread_use_mm race Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 13/86] f2fs: fix to check segment boundary during SIT page readahead Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 14/86] um: change sigio_spinlock to a mutex Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 15/86] xfs: fix realtime bitmap/summary file truncation when growing rt volume Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 16/86] video: fbdev: pvr2fb: initialize variables Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 17/86] ath10k: fix VHT NSS calculation when STBC is enabled Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 18/86] mmc: via-sdmmc: Fix data race bug Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 19/86] printk: reduce LOG_BUF_SHIFT range for H8300 Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 20/86] kgdb: Make "kgdbcon" work properly with "kgdb_earlycon" Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 21/86] USB: adutux: fix debugging Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 22/86] drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 23/86] power: supply: test_power: add missing newlines when printing parameters by sysfs Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 24/86] md/bitmap: md_bitmap_get_counter returns wrong blocks Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 25/86] clk: ti: clockdomain: fix static checker warning Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 26/86] net: 9p: initialize sun_server.sun_path to have addrs value only when addr is valid Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 27/86] drivers: watchdog: rdc321x_wdt: Fix race condition bugs Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 28/86] ext4: Detect already used quota file early Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 29/86] gfs2: add validation checks for size of superblock Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 30/86] memory: emif: Remove bogus debugfs error handling Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 31/86] ARM: dts: s5pv210: move PMU node out of clock controller Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 32/86] ARM: dts: s5pv210: remove dedicated audio-subsystem node Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 33/86] md/raid5: fix oops during stripe resizing Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 34/86] leds: bcm6328, bcm6358: use devres LED registering function Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 35/86] NFS: fix nfs_path in case of a rename retry Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 36/86] ACPI / extlog: Check for RDMSR failure Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 37/86] ACPI: video: use ACPI backlight for HP 635 Notebook Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 38/86] acpi-cpufreq: Honor _PSD table setting on new AMD CPUs Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 39/86] w1: mxc_w1: Fix timeout resolution problem leading to bus error Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 40/86] scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove() Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 41/86] btrfs: reschedule if necessary when logging directory items Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 42/86] vt: keyboard, simplify vt_kdgkbsent Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 43/86] vt: keyboard, extend func_buf_lock to readers Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 44/86] dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 45/86] iio:gyro:itg3200: Fix timestamp alignment and prevent data leak Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 46/86] powerpc/powernv/elog: Fix race while processing OPAL error log event Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 47/86] ubifs: dent: Fix some potential memory leaks while iterating entries Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 48/86] ubi: check kthread_should_stop() after the setting of task state Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 49/86] ia64: fix build error with !COREDUMP Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 50/86] ceph: promote to unsigned long long before shifting Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 51/86] libceph: clear con->out_msg on Policy::stateful_server faults Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 4.4 52/86] 9P: Cast to loff_t before multiplying Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 53/86] ring-buffer: Return 0 on success from ring_buffer_resize() Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 54/86] vringh: fix __vringh_iov() when riov and wiov are different Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 55/86] tty: make FONTX ioctl use the tty pointer they were actually passed Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 56/86] arm64: berlin: Select DW_APB_TIMER_OF Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 57/86] cachefiles: Handle readpage error correctly Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 58/86] hil/parisc: Disable HIL driver when it gets stuck Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 59/86] ARM: samsung: fix PM debug build with DEBUG_LL but !MMU Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 60/86] ARM: s3c24xx: fix missing system reset Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 61/86] device property: Keep secondary firmware node secondary by type Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 62/86] device property: Dont clear secondary pointer for shared primary firmware node Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 63/86] staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 64/86] xen/events: dont use chip_data for legacy IRQs Greg Kroah-Hartman
2020-11-09 12:55 ` Greg Kroah-Hartman [this message]
2020-11-09 12:55 ` [PATCH 4.4 66/86] gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 67/86] gianfar: Account for Tx PTP timestamp in the skb headroom Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 68/86] Fonts: Replace discarded const qualifier Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 69/86] ALSA: usb-audio: Add implicit feedback quirk for Qu-16 Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 70/86] ftrace: Fix recursion check for NMI test Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 71/86] ftrace: Handle tracing when switching between context Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 72/86] ARM: dts: sun4i-a10: fix cpu_alert temperature Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 73/86] x86/kexec: Use up-to-dated screen_info copy to fill boot params Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 74/86] of: Fix reserved-memory overlap detection Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 75/86] scsi: core: Dont start concurrent async scan on same host Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 76/86] vsock: use ns_capable_noaudit() on socket create Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 77/86] vt: Disable KD_FONT_OP_COPY Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 78/86] fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 79/86] serial: 8250_mtk: Fix uart_get_baud_rate warning Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 80/86] serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 81/86] USB: serial: cyberjack: fix write-URB completion race Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 82/86] USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 83/86] USB: serial: option: add Telit FN980 composition 0x1055 Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 84/86] USB: Add NO_LPM quirk for Kingston flash drive Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 85/86] ARC: stack unwinding: avoid indefinite looping Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 4.4 86/86] Revert "ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE" Greg Kroah-Hartman
2020-11-09 15:39 ` [PATCH 4.4 00/86] 4.4.242-rc1 review Jon Hunter
2020-11-09 18:51 ` Pavel Machek
2020-11-09 23:04 ` Guenter Roeck
2020-11-09 23:27 ` Shuah Khan
2020-11-10 10:36 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201109125023.890801731@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=hoang.h.le@dektech.com.au \
--cc=jmaloy@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+6ea1f7a8df64596ef4d7@syzkaller.appspotmail.com \
--cc=syzbot+e9cc557752ab126c1b99@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.