linux

korg/linux

mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-07 22:34:18 +08:00

History

Ido Schimmel 6d6f0383b6 netdevsim: Fix use-after-free during device dismantle Commit `da58f90f11` ("netdevsim: Add devlink-trap support") added delayed work to netdevsim that periodically iterates over the registered netdevsim ports and reports various packet traps via devlink. While the delayed work takes the 'port_list_lock' mutex to protect against concurrent addition / deletion of ports, during device creation / dismantle ports are added / deleted without this lock, which can result in a use-after-free [1]. Fix this by making sure that the ports list is always modified under the lock. [1] [ 59.205543] ================================================================== [ 59.207748] BUG: KASAN: use-after-free in nsim_dev_trap_report_work+0xa67/0xad0 [ 59.210247] Read of size 8 at addr ffff8883cbdd3398 by task kworker/3:1/38 [ 59.212584] [ 59.213148] CPU: 3 PID: 38 Comm: kworker/3:1 Not tainted 5.4.0-rc3-custom-16119-ge6abb5f0261e #2013 [ 59.215896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014 [ 59.218384] Workqueue: events nsim_dev_trap_report_work [ 59.219428] Call Trace: [ 59.219924] dump_stack+0xa9/0x10e [ 59.220623] print_address_description.constprop.4+0x21/0x340 [ 59.221976] ? vprintk_func+0x66/0x240 [ 59.222752] __kasan_report.cold.8+0x78/0x91 [ 59.223602] ? nsim_dev_trap_report_work+0xa67/0xad0 [ 59.224603] kasan_report+0xe/0x20 [ 59.225296] nsim_dev_trap_report_work+0xa67/0xad0 [ 59.226435] ? rcu_read_lock_sched_held+0xaf/0xe0 [ 59.227512] ? trace_event_raw_event_rcu_quiescent_state_report+0x360/0x360 [ 59.228851] process_one_work+0x98f/0x1760 [ 59.229684] ? pwq_dec_nr_in_flight+0x330/0x330 [ 59.230656] worker_thread+0x91/0xc40 [ 59.231587] ? process_one_work+0x1760/0x1760 [ 59.232451] kthread+0x34a/0x410 [ 59.233104] ? __kthread_queue_delayed_work+0x240/0x240 [ 59.234141] ret_from_fork+0x3a/0x50 [ 59.234982] [ 59.235371] Allocated by task 187: [ 59.236189] save_stack+0x19/0x80 [ 59.236853] __kasan_kmalloc.constprop.5+0xc1/0xd0 [ 59.237822] kmem_cache_alloc_trace+0x14c/0x380 [ 59.238769] __nsim_dev_port_add+0xaf/0x5c0 [ 59.239627] nsim_dev_probe+0x4fc/0x1140 [ 59.240550] really_probe+0x264/0xc00 [ 59.241418] driver_probe_device+0x208/0x2e0 [ 59.242255] __device_attach_driver+0x215/0x2d0 [ 59.243150] bus_for_each_drv+0x154/0x1d0 [ 59.243944] __device_attach+0x1ba/0x2b0 [ 59.244923] bus_probe_device+0x1dd/0x290 [ 59.245805] device_add+0xbac/0x1550 [ 59.246528] new_device_store+0x1f4/0x400 [ 59.247306] bus_attr_store+0x7b/0xa0 [ 59.248047] sysfs_kf_write+0x10f/0x170 [ 59.248941] kernfs_fop_write+0x283/0x430 [ 59.249843] __vfs_write+0x81/0x100 [ 59.250546] vfs_write+0x1ce/0x510 [ 59.251190] ksys_write+0x104/0x200 [ 59.251873] do_syscall_64+0xa4/0x4e0 [ 59.252642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 59.253837] [ 59.254203] Freed by task 187: [ 59.254811] save_stack+0x19/0x80 [ 59.255463] __kasan_slab_free+0x125/0x170 [ 59.256265] kfree+0x100/0x440 [ 59.256870] nsim_dev_remove+0x98/0x100 [ 59.257651] nsim_bus_remove+0x16/0x20 [ 59.258382] device_release_driver_internal+0x20b/0x4d0 [ 59.259588] bus_remove_device+0x2e9/0x5a0 [ 59.260551] device_del+0x410/0xad0 [ 59.263777] device_unregister+0x26/0xc0 [ 59.264616] nsim_bus_dev_del+0x16/0x60 [ 59.265381] del_device_store+0x2d6/0x3c0 [ 59.266295] bus_attr_store+0x7b/0xa0 [ 59.267192] sysfs_kf_write+0x10f/0x170 [ 59.267960] kernfs_fop_write+0x283/0x430 [ 59.268800] __vfs_write+0x81/0x100 [ 59.269551] vfs_write+0x1ce/0x510 [ 59.270252] ksys_write+0x104/0x200 [ 59.270910] do_syscall_64+0xa4/0x4e0 [ 59.271680] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 59.272812] [ 59.273211] The buggy address belongs to the object at ffff8883cbdd3200 [ 59.273211] which belongs to the cache kmalloc-512 of size 512 [ 59.275838] The buggy address is located 408 bytes inside of [ 59.275838] 512-byte region [ffff8883cbdd3200, ffff8883cbdd3400) [ 59.278151] The buggy address belongs to the page: [ 59.279215] page:ffffea000f2f7400 refcount:1 mapcount:0 mapping:ffff8883ecc0ce00 index:0x0 compound_mapcount: 0 [ 59.281449] flags: 0x200000000010200(slab\|head) [ 59.282356] raw: 0200000000010200 ffffea000f2f3a08 ffffea000f2fd608 ffff8883ecc0ce00 [ 59.283949] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000 [ 59.285608] page dumped because: kasan: bad access detected [ 59.286981] [ 59.287337] Memory state around the buggy address: [ 59.288310] ffff8883cbdd3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.289763] ffff8883cbdd3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.291452] >ffff8883cbdd3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.292945] ^ [ 59.293815] ffff8883cbdd3400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.295220] ffff8883cbdd3480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.296872] ================================================================== Fixes: `da58f90f11` ("netdevsim: Add devlink-trap support") Signed-off-by: Ido Schimmel <idosch@mellanox.com> Reported-by: syzbot+9ed8f68ab30761f3678e@syzkaller.appspotmail.com Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2019-10-31 12:35:14 -07:00
..
appletalk
arcnet	drivers: net: Fix Kconfig indentation	2019-09-26 08:56:17 +02:00
bonding	bonding: fix using uninitialized mode_lock	2019-10-29 18:03:36 -07:00
caif
can	drivers: net: Fix Kconfig indentation	2019-09-26 08:56:17 +02:00
dsa	net: dsa: sja1105: improve NET_DSA_SJA1105_TAS dependency	2019-10-28 16:33:42 -07:00
ethernet	cxgb4: fix panic when attaching to ULD fail	2019-10-30 18:11:13 -07:00
fddi
fjes	fjes: Handle workqueue allocation failure	2019-10-29 10:33:10 -07:00
hamradio	net: core: add generic lockdep keys	2019-10-24 14:53:48 -07:00
hippi
hyperv	hv_netvsc: Fix error handling in netvsc_attach()	2019-10-30 18:17:36 -07:00
ieee802154	Merge tag 'ieee802154-for-davem-2019-09-28' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan	2019-09-30 17:14:45 -07:00
ipvlan	net: core: add generic lockdep keys	2019-10-24 14:53:48 -07:00
netdevsim	netdevsim: Fix use-after-free during device dismantle	2019-10-31 12:35:14 -07:00
phy	net: phy: smsc: LAN8740: add PHY_RST_AFTER_CLK_EN flag	2019-10-23 21:44:44 -07:00
plip
ppp	net: core: add generic lockdep keys	2019-10-24 14:53:48 -07:00
slip
team	team: fix nested locking lockdep warning	2019-10-24 14:53:48 -07:00
usb	net: usb: lan78xx: Disable interrupts before calling generic_handle_irq()	2019-10-28 16:35:04 -07:00
vmxnet3
wan	net/wan: dscc4: remove broken dscc4 driver	2019-09-16 09:14:41 +02:00
wimax	wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle	2019-10-29 16:20:25 -07:00
wireless	virt_wifi: fix refcnt leak in module exit routine	2019-10-24 14:53:49 -07:00
xen-netback	xen/netback: fix error path of xenvif_connect_data()	2019-10-19 11:43:29 -07:00
dummy.c
eql.c
geneve.c
gtp.c
ifb.c
Kconfig	drivers: net: Fix Kconfig indentation	2019-09-26 08:56:17 +02:00
LICENSE.SRC
loopback.c
macsec.c	net: remove unnecessary variables and callback	2019-10-24 14:53:49 -07:00
macvlan.c	net: remove unnecessary variables and callback	2019-10-24 14:53:49 -07:00
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c	net: tap: clean up an indentation issue	2019-09-27 20:58:35 +02:00
thunderbolt.c
tun.c	tun: remove possible false sharing in tun_flow_update()	2019-10-09 21:29:33 -07:00
veth.c
virtio_net.c	netfilter: drop bridge nf reset from nf_reset	2019-10-01 18:42:15 +02:00
vrf.c	net: core: add generic lockdep keys	2019-10-24 14:53:48 -07:00
vsockmon.c
vxlan.c	vxlan: fix unexpected failure of vxlan_changelink()	2019-10-30 11:52:47 -07:00
xen-netfront.c	xen-netfront: do not use ~0U as error return value for xennet_fill_frags()	2019-10-01 21:49:51 -04:00