From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Schspa Shi <schspa@gmail.com>,
syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
keescook@chromium.org, ulf.hansson@linaro.org, djwong@kernel.org,
kpsingh@kernel.org, Jason@zx2c4.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 20/30] mrp: introduce active flags to prevent UAF when applicant uninit
Date: Sun, 18 Dec 2022 11:18:25 -0500
Message-ID: <20221218161836.933697-20-sashal@kernel.org>
In-Reply-To: <20221218161836.933697-1-sashal@kernel.org>
From: Schspa Shi <schspa@gmail.com>
[ Upstream commit ab0377803dafc58f1e22296708c1c28e309414d6 ]
The caller of del_timer_sync must prevent restarting of the timer. If
we do not have this synchronization, there is a small probability that
the cancellation will not be successful.
And syzbot reports the following crash:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]
CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x1a8/0x4a0 mm/kasan/report.c:395
kasan_report+0x94/0xb4 mm/kasan/report.c:495
__do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
do_bad_area arch/arm64/mm/fault.c:473 [inline]
do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
hlist_add_head include/linux/list.h:929 [inline]
enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
mod_timer+0x14/0x20 kernel/time/timer.c:1161
mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
expire_timers+0x98/0xc4 kernel/time/timer.c:1519
To fix it, we can introduce a new active flag to make sure the timer will
not restart.
Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com
Signed-off-by: Schspa Shi <schspa@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/mrp.h | 1 +
net/802/mrp.c | 18 +++++++++++++-----
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/include/net/mrp.h b/include/net/mrp.h
index ef58b4a07190..c6c53370e390 100644
--- a/include/net/mrp.h
+++ b/include/net/mrp.h
@@ -120,6 +120,7 @@ struct mrp_applicant {
struct sk_buff *pdu;
struct rb_root mad;
struct rcu_head rcu;
+ bool active;
};
struct mrp_port {
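Review bot: the new `bool active` field has no comment saying what it means or which lock guards it. Every access after the applicant is published (the two timer callbacks and mrp_uninit_applicant) happens under app->lock, so a one-line comment next to the field, e.g. `/* guarded by app->lock; cleared at uninit so the timers stop re-arming */`, would document the invariant the rest of the patch relies on.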
diff --git a/net/802/mrp.c b/net/802/mrp.c
index 5b804dbe2d08..486becf6c78d 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -606,7 +606,10 @@ static void mrp_join_timer(struct timer_list *t)
spin_unlock(&app->lock);
mrp_queue_xmit(app);
- mrp_join_timer_arm(app);
+ spin_lock(&app->lock);
+ if (likely(app->active))
+ mrp_join_timer_arm(app);
+ spin_unlock(&app->lock);
}
static void mrp_periodic_timer_arm(struct mrp_applicant *app)
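Review bot: re-taking app->lock just to test a flag looks redundant at first glance, but it is what makes the fix correct: the `app->active` test and the mod_timer() inside mrp_join_timer_arm() must be atomic with respect to the clear in mrp_uninit_applicant, otherwise a callback could observe active == true, lose the lock, and re-arm after del_timer_sync() has returned. A short comment above `spin_lock(&app->lock);` stating that would save the next reader from "simplifying" it back to an unlocked check.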
@@ -620,11 +623,12 @@ static void mrp_periodic_timer(struct timer_list *t)
struct mrp_applicant *app = from_timer(app, t, periodic_timer);
spin_lock(&app->lock);
- mrp_mad_event(app, MRP_EVENT_PERIODIC);
- mrp_pdu_queue(app);
+ if (likely(app->active)) {
+ mrp_mad_event(app, MRP_EVENT_PERIODIC);
+ mrp_pdu_queue(app);
+ mrp_periodic_timer_arm(app);
+ }
spin_unlock(&app->lock);
-
- mrp_periodic_timer_arm(app);
}
static int mrp_pdu_parse_end_mark(struct sk_buff *skb, int *offset)
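Review bot: moving mrp_periodic_timer_arm() inside the locked region means mod_timer() now runs with app->lock held, which is fine as long as mrp_periodic_timer_arm() does not itself take app->lock (the KASAN trace in the commit message shows it calling mod_timer() directly, and the previous hunk treats mrp_join_timer_arm() the same way). Worth stating in a comment on the `if (likely(app->active))` line, as for the join timer, since the two callbacks now rely on the same lock-protected check.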
@@ -872,6 +876,7 @@ int mrp_init_applicant(struct net_device *dev, struct mrp_application *appl)
app->dev = dev;
app->app = appl;
app->mad = RB_ROOT;
+ app->active = true;
spin_lock_init(&app->lock);
skb_queue_head_init(&app->queue);
rcu_assign_pointer(dev->mrp_port->applicants[appl->type], app);
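Review bot: `app->active = true;` is stored before spin_lock_init() and without holding app->lock. That is safe only because the applicant is not reachable by anyone until rcu_assign_pointer() publishes it a few lines later; if the field gets a "guarded by app->lock" comment, this pre-publication store is the one exception and should say so, or simply move it next to the other initialisations that happen after spin_lock_init().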
@@ -900,6 +905,9 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl)
RCU_INIT_POINTER(port->applicants[appl->type], NULL);
+ spin_lock_bh(&app->lock);
+ app->active = false;
+ spin_unlock_bh(&app->lock);
/* Delete timer and generate a final TX event to flush out
* all pending messages before the applicant is gone.
*/
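Review bot: the flag is cleared with spin_lock_bh() (matching the softirq context the timer callbacks run in) after the applicant is unpublished via RCU_INIT_POINTER() and before the del_timer_sync() described by the following comment, which is the right order. The existing comment "Delete timer and generate a final TX event..." should be extended to mention that clearing `active` first is what stops a callback that is already executing from re-arming the timer behind del_timer_sync(), since that race is the whole point of the patch and is otherwise invisible at this call site.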
--
2.35.1