Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp271453ybi;
        Wed, 29 May 2019 21:05:58 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzZdYlqiHGyEZOcaDjda7/Nw2E//OM3meESiAnb+Ri0+yM0aZijSaWlX6U/kjDtZrd4oM8i
X-Received: by 2002:a17:902:7c15:: with SMTP id x21mr1765271pll.311.1559189158043;
        Wed, 29 May 2019 21:05:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559189158; cv=none;
        d=google.com; s=arc-20160816;
        b=WDCnmYs1VQw/j/yTVmMH1/0Tb1uGnueXNkBOCQkobvMNdlTnUdWgM8wlx9SQieSz0J
         6X4Gb+E0+2JfqxJNHP1ig4AO4JkBqWw2U3EyY15Qhtc/PSY+tqNPACDHbLj9893ijcHG
         2dUXJ5Tpoem/y/qgkmpcbmF+I7+R3hXx/4C3veTvmI/epZpJxyCiEmilrzYn4wilbYfj
         vsGhmWPA++yiCVajAkyA6avo/zF8zW5NQlJ/b1XvgjOXvzsWsx7dLehrdA2iF+sAkOaR
         aUXIcDKQRjUGDvgaSkjeyex189UhonaSmWuPspo6OiBQW8yvtWOzdTL/dR2HGu3wSeqh
         sePw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=A65o9Z7mm2Eh9I7l9gAaEtwsyOGPTWjcIzMbiWDSUcg=;
        b=RWonNNaf+sDLONlsGP0ALqbDLRmA3q3M3q5gLOqWinrtaQihS0QJNx/HrJZGY1CnXG
         FkqJwNA91/5GCT86u83Ifa5zx+1N75KuLh7ww6Zf2+lqA3CrqmLceY1pRSECeAFMASb7
         2JNeoshEY+pHIxgYKtyLLnP8UqOQb/EqGmCUMBkYbVPkww4ep6qTZu8xv3bNheY2iBck
         aF6/ChvZqIG3WKvrm+djb6nXSJiWNznsoRNMi2w+VrWMFiO8ijO+Vf6+xZPhFCIXjPtk
         GJ3lDItqA+uKYeGXJdjh+sXx5v0hTNfp8xFO0Nfr4qF9P+7aUUlUJuRYhBvHMbNLzbkk
         r1zw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=NeLYg4bF;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d4si2141656pla.358.2019.05.29.21.05.43;
        Wed, 29 May 2019 21:05:58 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=NeLYg4bF;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388030AbfE3EDW (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Thu, 30 May 2019 00:03:22 -0400
Received: from mail.kernel.org ([198.145.29.99]:49292 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731348AbfE3DR5 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 May 2019 23:17:57 -0400
Received: from localhost (ip67-88-213-2.z213-88-67.customer.algx.net [67.88.213.2])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 663272474C;
        Thu, 30 May 2019 03:17:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1559186276;
        bh=PMELHRCeRDIFD+jrxj6PLctkSpayI5PK/9PmQXSfZX8=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=NeLYg4bFbnvHLRM3DDd0GYBoaHvCTyWPmoVsHqrXzNOlIX+TZRLFLpUdJcZ8WAbcT
         3h+WTUhsFo95jWLz9kwgrXVO1KEXK4b3zWpvZmVRl84Y0nMyIH67RZU/oH3YjkbxDn
         GUDCY6szWP6E0x5AFefKCLXW0livsOIleG143Ogo=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot <syzbot+f648cfb7e0b52bf7ae32@syzkaller.appspotmail.com>,
        Kay Sievers <kay@vrfy.org>,
        Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
        Sasha Levin <sashal@kernel.org>,
        Dmitry Torokhov <dmitry.torokhov@gmail.com>
Subject: [PATCH 4.19 219/276] kobject: Dont trigger kobject_uevent(KOBJ_REMOVE) twice.
Date:   Wed, 29 May 2019 20:06:17 -0700
Message-Id: <20190530030538.815031887@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190530030523.133519668@linuxfoundation.org>
References: <20190530030523.133519668@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit c03a0fd0b609e2f5c669c2b7f27c8e1928e9196e ]

syzbot is hitting use-after-free bug in uinput module [1]. This is because
kobject_uevent(KOBJ_REMOVE) is called again due to commit 0f4dafc0563c6c49
("Kobject: auto-cleanup on final unref") after memory allocation fault
injection made kobject_uevent(KOBJ_REMOVE) from device_del() from
input_unregister_device() fail, while uinput_destroy_device() is expecting
that kobject_uevent(KOBJ_REMOVE) is not called after device_del() from
input_unregister_device() completed.

That commit intended to catch cases where nobody even attempted to send
"remove" uevents. But there is no guarantee that an event will ultimately
be sent. We are at the point of no return as far as the rest of the kernel
is concerned; there are no repeats or do-overs.

Also, it is not clear whether some subsystem depends on that commit.
If no subsystem depends on that commit, it will be better to remove
the state_{add,remove}_uevent_sent logic. But we don't want to risk
a regression (in a patch which will be backported) by trying to remove
that logic. Therefore, as a first step, let's avoid the use-after-free bug
by making sure that kobject_uevent(KOBJ_REMOVE) won't be triggered twice.

[1] https://syzkaller.appspot.com/bug?id=8b17c134fe938bbddd75a45afaa9e68af43a362d

Reported-by: syzbot <syzbot+f648cfb7e0b52bf7ae32@syzkaller.appspotmail.com>
Analyzed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Fixes: 0f4dafc0563c6c49 ("Kobject: auto-cleanup on final unref")
Cc: Kay Sievers <kay@vrfy.org>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/kobject_uevent.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
index 63d0816ab23b0..7761f32943391 100644
--- a/lib/kobject_uevent.c
+++ b/lib/kobject_uevent.c
@@ -464,6 +464,13 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
 	int i = 0;
 	int retval = 0;
 
+	/*
+	 * Mark "remove" event done regardless of result, for some subsystems
+	 * do not want to re-trigger "remove" event via automatic cleanup.
+	 */
+	if (action == KOBJ_REMOVE)
+		kobj->state_remove_uevent_sent = 1;
+
 	pr_debug("kobject: '%s' (%p): %s\n",
 		 kobject_name(kobj), kobj, __func__);
 
@@ -565,10 +572,6 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
 		kobj->state_add_uevent_sent = 1;
 		break;
 
-	case KOBJ_REMOVE:
-		kobj->state_remove_uevent_sent = 1;
-		break;
-
 	case KOBJ_UNBIND:
 		zap_modalias_env(env);
 		break;
-- 
2.20.1