linux

korg/linux

mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-09-21 20:22:13 +08:00

History

Hoang Le 911600bf5a tipc: fix use-after-free Read in tipc_named_reinit syzbot found the following issue on: ================================================================== BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413 Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764 CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted 5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events tipc_net_finalize_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413 tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138 process_one_work+0x996/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e9/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 </TASK> [...] ================================================================== In the commit `d966ddcc38` ("tipc: fix a deadlock when flushing scheduled work"), the cancel_work_sync() function just to make sure ONLY the work tipc_net_finalize_work() is executing/pending on any CPU completed before tipc namespace is destroyed through tipc_exit_net(). But this function is not guaranteed the work is the last queued. So, the destroyed instance may be accessed in the work which will try to enqueue later. In order to completely fix, we re-order the calling of cancel_work_sync() to make sure the work tipc_net_finalize_work() was last queued and it must be completed by calling cancel_work_sync(). Reported-by: syzbot+47af19f3307fc9c5c82e@syzkaller.appspotmail.com Fixes: `d966ddcc38` ("tipc: fix a deadlock when flushing scheduled work") Acked-by: Jon Maloy <jmaloy@redhat.com> Signed-off-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>		2022-06-17 11:39:10 +01:00
..
6lowpan	net: don't include ndisc.h from ipv6.h	2022-02-04 14:15:11 -08:00
9p	xen: switch gnttab_end_foreign_access() to take a struct page pointer	2022-05-27 11:05:29 +02:00
802
8021q	net: add netif_inherit_tso_max()	2022-05-06 12:07:56 +01:00
appletalk	net: remove noblock parameter from skb_recv_datagram()	2022-04-06 13:45:26 +01:00
atm	net: SO_RCVMARK socket option for SO_MARK with recvmsg()	2022-04-28 13:08:15 -07:00
ax25	net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg	2022-06-15 13:00:22 +01:00
batman-adv	net: wrap the wireless pointers in struct net_device in an ifdef	2022-05-22 21:51:54 +01:00
bluetooth	bluetooth: don't use bitmaps for random flag accesses	2022-06-05 16:28:41 -07:00
bpf	Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2022-05-23 16:07:14 -07:00
bpfilter	uaccess: remove CONFIG_SET_FS	2022-02-25 09:36:06 +01:00
bridge	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-05-19 11:23:59 -07:00
caif	net: remove noblock parameter from skb_recv_datagram()	2022-04-06 13:45:26 +01:00
can	can: isotp: isotp_bind(): do not validate unused address information	2022-05-19 22:11:28 +02:00
ceph	libceph: use swap() macro instead of taking tmp variable	2022-05-25 20:45:13 +02:00
core	net: fix data-race in dev_isalive()	2022-06-17 10:59:31 +01:00
dcb	net: dcb: disable softirqs in dcbnl_flush_dev()	2022-03-03 08:01:55 -08:00
dccp	Revert "net: Add a second bind table hashed by port and address"	2022-06-16 11:07:59 -07:00
decnet	dn_route: set rt neigh to blackhole_netdev instead of loopback_dev in ifdown	2022-05-17 18:03:23 -07:00
dns_resolver
dsa	net: dsa: OF-ware slave_mii_bus	2022-05-23 12:27:53 +01:00
ethernet	net: ethernet: set default assignment identifier to NET_NAME_ENUM	2022-04-07 21:04:03 -07:00
ethtool	ethtool: Add 10base-T1L link mode entry	2022-05-01 17:45:35 +01:00
hsr	net: add per-cpu storage and net->core_stats	2022-03-11 23:17:24 -08:00
ieee802154	net: SO_RCVMARK socket option for SO_MARK with recvmsg()	2022-04-28 13:08:15 -07:00
ife
ipv4	Revert "net: Add a second bind table hashed by port and address"	2022-06-16 11:07:59 -07:00
ipv6	net: seg6: fix seg6_lookup_any_nexthop() to handle VRFs using flowi_l3mdev	2022-06-09 22:04:47 -07:00
iucv	net: remove noblock parameter from skb_recv_datagram()	2022-04-06 13:45:26 +01:00
kcm	net: Don't include filter.h from net/sock.h	2021-12-29 08:48:14 -08:00
key	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec	2022-06-01 17:44:04 -07:00
l2tp	ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg	2022-06-08 10:56:43 -07:00
l3mdev	l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu	2022-04-15 14:27:24 -07:00
lapb
llc	llc: only change llc->dev when bind() succeeds	2022-03-25 16:55:41 -07:00
mac80211	wifi: mac80211: fix use-after-free in chanctx code	2022-06-01 12:41:41 +03:00
mac802154	net: mac802154: Fix symbol durations	2022-04-30 20:29:47 +02:00
mctp	Networking changes for 5.19.	2022-05-25 12:22:58 -07:00
mpls	net: mpls: fix memdup.cocci warning	2022-04-07 21:06:41 -07:00
mptcp	Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2022-05-23 16:07:14 -07:00
ncsi	all: replace find_next{,_zero}_bit with find_first{,_zero}_bit where appropriate	2022-01-15 08:47:31 -08:00
netfilter	netfilter: nf_tables: bail out early if hardware offload is not supported	2022-06-06 19:19:15 +02:00
netlabel	netlabel: fix out-of-bounds memory accesses	2022-03-21 10:59:11 +00:00
netlink	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-05-12 16:15:30 -07:00
netrom	net: remove noblock parameter from skb_recv_datagram()	2022-04-06 13:45:26 +01:00
nfc	net: nfc: Directly use ida_alloc()/free()	2022-05-28 15:28:47 +01:00
nsh
openvswitch	net: openvswitch: fix misuse of the cached connection on tuple changes	2022-06-08 20:49:52 -07:00
packet	net/af_packet: make sure to pull mac header	2022-06-02 10:15:05 -07:00
phonet	net: remove noblock parameter from recvmsg() entities	2022-04-12 15:00:25 +02:00
psample
qrtr	net: remove noblock parameter from skb_recv_datagram()	2022-04-06 13:45:26 +01:00
rds	Linux 5.18	2022-05-24 12:40:28 -03:00
rfkill	rfkill: make new event layout opt-in	2022-03-18 13:09:17 +02:00
rose	ROSE: Remove unused code and clean up some inconsistent indenting	2022-05-09 17:19:27 -07:00
rxrpc	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-05-23 21:19:17 -07:00
sched	net/sched: act_api: fix error code in tcf_ct_flow_table_fill_tuple_ipv6()	2022-06-01 13:32:04 +02:00
sctp	stcp: Use memset_after() to zero sctp_stream_out_ext	2022-05-20 17:42:53 -07:00
smc	net/smc: fixes for converting from "struct smc_cdc_tx_pend *" to "struct smc_wr_tx_pend_priv "	2022-05-28 12:36:26 +01:00
strparser
sunrpc	Notable changes:	2022-06-10 17:28:43 -07:00
switchdev	net: switchdev: remove lag_mod_cb from switchdev_handle_fdb_event_to_device	2022-02-24 21:31:43 -08:00
tipc	tipc: fix use-after-free Read in tipc_named_reinit	2022-06-17 11:39:10 +01:00
tls	tls: Rename TLS_INFO_ZC_SENDFILE to TLS_INFO_ZC_TX	2022-06-09 21:51:57 -07:00
unix	af_unix: Fix a data-race in unix_dgram_peer_wake_me().	2022-06-07 12:07:46 +02:00
vmw_vsock	hyperv-next for 5.19	2022-05-28 11:39:01 -07:00
wireless	wireless-next patches for v5.19	2022-05-19 13:01:08 -07:00
x25	x25: remove redundant pointer dev	2022-05-10 11:59:22 +02:00
xdp	xsk: Fix handling of invalid descriptors in XSK TX batching API	2022-06-08 16:20:07 +02:00
xfrm	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec	2022-06-01 17:44:04 -07:00
compat.c
devres.c
Kconfig	page_pool: Add allocation stats	2022-03-03 09:55:28 +00:00
Kconfig.debug	net: CONFIG_DEBUG_NET depends on CONFIG_NET	2022-06-02 10:15:05 -07:00
Makefile
socket.c	Networking changes for 5.19.	2022-05-25 12:22:58 -07:00
sysctl_net.c