From: Shigeru Yoshida <syoshida@redhat.com>
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
Shigeru Yoshida <syoshida@redhat.com>
Subject: [PATCH] net: tun: Fix use-after-free in tun_detach()
Date: Sat, 19 Nov 2022 16:56:15 +0900
Message-ID: <20221119075615.723290-1-syoshida@redhat.com>
syzbot reported a use-after-free in tun_detach() [1]. This causes a call
trace like the one below:
==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1da/0x1e0
...
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x178
print_report+0x167/0x470
? __virt_addr_valid+0x5e/0x2d0
? __phys_addr+0xc6/0x140
? notifier_call_chain+0x1da/0x1e0
? notifier_call_chain+0x1da/0x1e0
kasan_report+0xbf/0x1e0
? notifier_call_chain+0x1da/0x1e0
notifier_call_chain+0x1da/0x1e0
call_netdevice_notifiers_info+0x83/0x130
netdev_run_todo+0xc33/0x11b0
? generic_xdp_install+0x490/0x490
? __tun_detach+0x1500/0x1500
tun_chr_close+0xe2/0x190
__fput+0x26a/0xa40
task_work_run+0x14d/0x240
? task_work_cancel+0x30/0x30
do_exit+0xb31/0x2a40
? reacquire_held_locks+0x4a0/0x4a0
? do_raw_spin_lock+0x12e/0x2b0
? mm_update_next_owner+0x7c0/0x7c0
? rwlock_bug.part.0+0x90/0x90
? lockdep_hardirqs_on_prepare+0x17f/0x410
do_group_exit+0xd4/0x2a0
__x64_sys_exit_group+0x3e/0x50
do_syscall_64+0x38/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The cause of the issue is that sock_put() from __tun_detach() drops the
last reference count for struct net, and then notifier_call_chain()
from netdev_state_change() accesses that struct net.
This patch fixes the issue by calling sock_put() from tun_detach()
after all necessary accesses to the struct net have been done.
Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
---
drivers/net/tun.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 7a3ab3427369..ce9fcf4c8ef4 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -686,7 +686,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
if (tun)
xdp_rxq_info_unreg(&tfile->xdp_rxq);
ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
- sock_put(&tfile->sk);
}
}
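Review bot: Removing sock_put() from the `if (clean)` branch here changes __tun_detach() for every caller, while the balancing put is only re-added in tun_detach(); the commit message should state that tun_detach() is the only caller of __tun_detach() (any other caller with clean=true would now leak the sock), and a one-line comment at this spot saying that the final sock_put() is deferred to tun_detach() would save the next reader from hunting for where the reference is dropped.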
@@ -702,6 +701,11 @@ static void tun_detach(struct tun_file *tfile, bool clean)
if (dev)
netdev_state_change(dev);
rtnl_unlock();
+
+ if (clean) {
+ synchronize_rcu();
+ sock_put(&tfile->sk);
+ }
}
static void tun_detach_all(struct net_device *dev)
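Review bot: The synchronize_rcu() in the new `if (clean)` block is not explained anywhere in the commit message, which only motivates moving sock_put() after netdev_state_change(); if a grace period is really needed before the final put, say which RCU-protected reader of tfile it waits for, otherwise drop it, since it turns every tun close into a blocking call. It is also worth a sentence in the message that the put, and therefore the sk destructor that releases the struct net, now deliberately runs after rtnl_unlock() rather than under RTNL as before.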
--
2.38.1
Thread overview: 3+ messages
2022-11-19 7:56 Shigeru Yoshida [this message]
2022-11-19 18:31 ` [PATCH] net: tun: Fix use-after-free in tun_detach() Eric Dumazet
2022-11-20 8:37 ` Shigeru Yoshida