* [net] net-sysfs: avoid registering new queue objects after device unregistration
@ 2021-10-26 13:38 Antoine Tenart
2021-10-26 14:30 ` David Miller
0 siblings, 1 reply; 4+ messages in thread
From: Antoine Tenart @ 2021-10-26 13:38 UTC (permalink / raw)
To: davem, kuba; +Cc: Antoine Tenart, pabeni, netdev
netdev_queue_update_kobjects can be called after device unregistration
started (and device_del was called) resulting in two issues: possible
registration of new queue kobjects (leading to the following trace) and
providing a wrong 'old_num' number (because real_num_tx_queues is not
updated in the unregistration path).
BUG: KASAN: use-after-free in kobject_get+0x14/0x90
Read of size 1 at addr ffff88801961248c by task ethtool/755
CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014
Call Trace:
dump_stack_lvl+0x57/0x72
print_address_description.constprop.0+0x1f/0x140
kasan_report.cold+0x7f/0x11b
kobject_get+0x14/0x90
kobject_add_internal+0x3d1/0x450
kobject_init_and_add+0xba/0xf0
netdev_queue_update_kobjects+0xcf/0x200
netif_set_real_num_tx_queues+0xb4/0x310
veth_set_channels+0x1c3/0x550
ethnl_set_channels+0x524/0x610
The fix for both is to only allow unregistering queue kobjects after a
net device started its unregistration and to ensure we know the current
Tx queue number (we update dev->real_num_tx_queues before returning).
This relies on the fact that dev->real_num_tx_queues is used for
'old_num' expect when firstly allocating queues.
(Rx queues are not affected as net_rx_queue_update_kobjects can't be
called after a net device started its unregistration).
Fixes: 5c56580b74e5 ("net: Adjust TX queue kobjects if number of queues changes during unregister")
Signed-off-by: Antoine Tenart <atenart@kernel.org>
---
Hi,
The 'dev->real_num_tx_queues' update is usually done (or is not needed)
when calling netdev_queue_update_kobjects and I could have added one in
the unregistration path (where it's missing). But I thought this would
be easier to backport for stable and better to tie it with the call of
this function: a following-up patch for net-next cleaning the now
duplicate updates can be made, instead.
To avoid future issues like this and invalid number of queues given to
netdev_queue_update_kobjects we could introduce a warning like (and a
similar one for Rx queues):
WARN_ON(old_num != 0 && dev->real_num_tx_queues != old_num);
A better fix would be to remove 'old_num' from the function's parameters
and to always use dev->real_num_tx_queues; but it's not that
straightforward: the value can be set before the net device is
registered (and used elsewhere) and when firstly calling
netdev_queue_update_kobjects dev->real_num_tx_queues can not be relied
on. Anyway if possible that would not be a good candidate for a fix.
Thanks,
Antoine
net/core/net-sysfs.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index b2e49eb7001d..2e5c89c7e3c9 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1651,6 +1651,12 @@ netdev_queue_update_kobjects(struct net_device *dev, int old_num, int new_num)
int i;
int error = 0;
+ /* When unregistering a net device we can't register new kobjects, as
+ * this would result in an UaF of the device's kobj.
+ */
+ if (dev->reg_state == NETREG_UNREGISTERING && new_num > old_num)
+ return -EINVAL;
+
for (i = old_num; i < new_num; i++) {
error = netdev_queue_add_kobject(dev, i);
if (error) {
@@ -1670,6 +1676,7 @@ netdev_queue_update_kobjects(struct net_device *dev, int old_num, int new_num)
kobject_put(&queue->kobj);
}
+ dev->real_num_tx_queues = new_num;
return error;
#else
return 0;
--
2.31.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [net] net-sysfs: avoid registering new queue objects after device unregistration
2021-10-26 13:38 [net] net-sysfs: avoid registering new queue objects after device unregistration Antoine Tenart
@ 2021-10-26 14:30 ` David Miller
2021-10-26 14:37 ` Antoine Tenart
0 siblings, 1 reply; 4+ messages in thread
From: David Miller @ 2021-10-26 14:30 UTC (permalink / raw)
To: atenart; +Cc: kuba, pabeni, netdev
From: Antoine Tenart <atenart@kernel.org>
Date: Tue, 26 Oct 2021 15:38:22 +0200
> netdev_queue_update_kobjects can be called after device unregistration
> started (and device_del was called) resulting in two issues: possible
> registration of new queue kobjects (leading to the following trace) and
> providing a wrong 'old_num' number (because real_num_tx_queues is not
> updated in the unregistration path).
>
> BUG: KASAN: use-after-free in kobject_get+0x14/0x90
> Read of size 1 at addr ffff88801961248c by task ethtool/755
>
> CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014
> Call Trace:
> dump_stack_lvl+0x57/0x72
> print_address_description.constprop.0+0x1f/0x140
> kasan_report.cold+0x7f/0x11b
> kobject_get+0x14/0x90
> kobject_add_internal+0x3d1/0x450
> kobject_init_and_add+0xba/0xf0
> netdev_queue_update_kobjects+0xcf/0x200
> netif_set_real_num_tx_queues+0xb4/0x310
> veth_set_channels+0x1c3/0x550
> ethnl_set_channels+0x524/0x610
>
> The fix for both is to only allow unregistering queue kobjects after a
> net device started its unregistration and to ensure we know the current
> Tx queue number (we update dev->real_num_tx_queues before returning).
> This relies on the fact that dev->real_num_tx_queues is used for
> 'old_num' expect when firstly allocating queues.
>
> (Rx queues are not affected as net_rx_queue_update_kobjects can't be
> called after a net device started its unregistration).
>
> Fixes: 5c56580b74e5 ("net: Adjust TX queue kobjects if number of queues changes during unregister")
> Signed-off-by: Antoine Tenart <atenart@kernel.org>
netdev_queue_update_kobjects is a confusing function name, it sounds like it handles both rx and tx.
It only handles tx so net_tx_queue_update_kobjects is more appropriate.
Could you rename the function in this patch please?
Thank you.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [net] net-sysfs: avoid registering new queue objects after device unregistration
2021-10-26 14:30 ` David Miller
@ 2021-10-26 14:37 ` Antoine Tenart
2021-11-05 10:39 ` Antoine Tenart
0 siblings, 1 reply; 4+ messages in thread
From: Antoine Tenart @ 2021-10-26 14:37 UTC (permalink / raw)
To: David Miller; +Cc: kuba, pabeni, netdev
Quoting David Miller (2021-10-26 16:30:57)
> From: Antoine Tenart <atenart@kernel.org>
> Date: Tue, 26 Oct 2021 15:38:22 +0200
>
> > netdev_queue_update_kobjects can be called after device unregistration
> > started (and device_del was called) resulting in two issues: possible
> > registration of new queue kobjects (leading to the following trace) and
> > providing a wrong 'old_num' number (because real_num_tx_queues is not
> > updated in the unregistration path).
> >
> > BUG: KASAN: use-after-free in kobject_get+0x14/0x90
> > Read of size 1 at addr ffff88801961248c by task ethtool/755
> >
> > CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014
> > Call Trace:
> > dump_stack_lvl+0x57/0x72
> > print_address_description.constprop.0+0x1f/0x140
> > kasan_report.cold+0x7f/0x11b
> > kobject_get+0x14/0x90
> > kobject_add_internal+0x3d1/0x450
> > kobject_init_and_add+0xba/0xf0
> > netdev_queue_update_kobjects+0xcf/0x200
> > netif_set_real_num_tx_queues+0xb4/0x310
> > veth_set_channels+0x1c3/0x550
> > ethnl_set_channels+0x524/0x610
> >
> > The fix for both is to only allow unregistering queue kobjects after a
> > net device started its unregistration and to ensure we know the current
> > Tx queue number (we update dev->real_num_tx_queues before returning).
> > This relies on the fact that dev->real_num_tx_queues is used for
> > 'old_num' expect when firstly allocating queues.
> >
> > (Rx queues are not affected as net_rx_queue_update_kobjects can't be
> > called after a net device started its unregistration).
> >
> > Fixes: 5c56580b74e5 ("net: Adjust TX queue kobjects if number of queues changes during unregister")
> > Signed-off-by: Antoine Tenart <atenart@kernel.org>
>
> netdev_queue_update_kobjects is a confusing function name, it sounds
> like it handles both rx and tx. It only handles tx so
> net_tx_queue_update_kobjects is more appropriate.
Agreed.
> Could you rename the function in this patch please?
As this is targeting stable kernels, shouldn't the rename be a separate
patch sent to net-next instead? (And it's not the only function that
should be renamed if we take this path, such as netdev_queue_add_kobject
and the functions in struct kobj_type netdev_queue_ktype).
Thanks!
Antoine
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [net] net-sysfs: avoid registering new queue objects after device unregistration
2021-10-26 14:37 ` Antoine Tenart
@ 2021-11-05 10:39 ` Antoine Tenart
0 siblings, 0 replies; 4+ messages in thread
From: Antoine Tenart @ 2021-11-05 10:39 UTC (permalink / raw)
To: David Miller; +Cc: kuba, pabeni, netdev
Quoting Antoine Tenart (2021-10-26 16:37:33)
> Quoting David Miller (2021-10-26 16:30:57)
> > From: Antoine Tenart <atenart@kernel.org>
> > Date: Tue, 26 Oct 2021 15:38:22 +0200
> >
> > > netdev_queue_update_kobjects can be called after device unregistration
> > > started (and device_del was called) resulting in two issues: possible
> > > registration of new queue kobjects (leading to the following trace) and
> > > providing a wrong 'old_num' number (because real_num_tx_queues is not
> > > updated in the unregistration path).
> > >
> > > BUG: KASAN: use-after-free in kobject_get+0x14/0x90
> > > Read of size 1 at addr ffff88801961248c by task ethtool/755
> > >
> > > CPU: 0 PID: 755 Comm: ethtool Not tainted 5.15.0-rc6+ #778
> > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/014
> > > Call Trace:
> > > dump_stack_lvl+0x57/0x72
> > > print_address_description.constprop.0+0x1f/0x140
> > > kasan_report.cold+0x7f/0x11b
> > > kobject_get+0x14/0x90
> > > kobject_add_internal+0x3d1/0x450
> > > kobject_init_and_add+0xba/0xf0
> > > netdev_queue_update_kobjects+0xcf/0x200
> > > netif_set_real_num_tx_queues+0xb4/0x310
> > > veth_set_channels+0x1c3/0x550
> > > ethnl_set_channels+0x524/0x610
> > >
> > > The fix for both is to only allow unregistering queue kobjects after a
> > > net device started its unregistration and to ensure we know the current
> > > Tx queue number (we update dev->real_num_tx_queues before returning).
> > > This relies on the fact that dev->real_num_tx_queues is used for
> > > 'old_num' expect when firstly allocating queues.
> > >
> > > (Rx queues are not affected as net_rx_queue_update_kobjects can't be
> > > called after a net device started its unregistration).
> > >
> > > Fixes: 5c56580b74e5 ("net: Adjust TX queue kobjects if number of queues changes during unregister")
> > > Signed-off-by: Antoine Tenart <atenart@kernel.org>
> >
> > netdev_queue_update_kobjects is a confusing function name, it sounds
> > like it handles both rx and tx. It only handles tx so
> > net_tx_queue_update_kobjects is more appropriate.
>
> Agreed.
>
> > Could you rename the function in this patch please?
>
> As this is targeting stable kernels, shouldn't the rename be a separate
> patch sent to net-next instead? (And it's not the only function that
> should be renamed if we take this path, such as netdev_queue_add_kobject
> and the functions in struct kobj_type netdev_queue_ktype).
Gentle ping.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-11-05 10:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-26 13:38 [net] net-sysfs: avoid registering new queue objects after device unregistration Antoine Tenart
2021-10-26 14:30 ` David Miller
2021-10-26 14:37 ` Antoine Tenart
2021-11-05 10:39 ` Antoine Tenart
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.