Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Thu, 28 Oct 2021 08:45:03 -0300
From:   Jason Gunthorpe <jgg@nvidia.com>
To:     Jakub Kicinski <kuba@kernel.org>
Cc:     Ziyang Xuan <william.xuanziyang@huawei.com>, davem@davemloft.net,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-rdma@vger.kernel.org
Subject: Re: [PATCH net] net: vlan: fix a UAF in vlan_dev_real_dev()
Message-ID: <20211028114503.GM2744544@nvidia.com>
References: <20211027121606.3300860-1-william.xuanziyang@huawei.com>
 <20211027184640.7955767e@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20211027184640.7955767e@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?Zuf6nyMS/khZPbOeh5p61ZcsDArUpnbZ/X6JQODiNlaCmWJqf5Y7PrKq+qUZ?=
 =?us-ascii?Q?P/l8D088WfTN2ROqQeheRU2ObHz63pQKQ/KcoD1fwAd3DUlJSbleiOZlPbDo?=
 =?us-ascii?Q?usQUsXLvLlLXDpNSo9z3UfJK+pf139o3olZIic26uW+M0gBGj5eR4nTtmEz6?=
 =?us-ascii?Q?+t1P3eKjLzwcqzTRUHQgXy+mXB/+c3bS7lfooSGiZw/IiBa7sRnBF5Ccbuot?=
 =?us-ascii?Q?q5LQD/07djJDmgLRzrmLSyL+kyh4kDJfMlFaEKG3xE3LrKYXjf0CRCA7rV/u?=
 =?us-ascii?Q?B1evbaP02Vhtm3WUUYx96thFtdV1Ugsjb5ZE6/bwqJX/figjbYAiNgFpiibb?=
 =?us-ascii?Q?tZUWzZkS1rtzduHgVFzAFtWEHWiOtT9pNq4EPsiOv6AAwrvYX99DHuct9t28?=
 =?us-ascii?Q?5bSHI9JcFma/KnIzdc3QK53vNODiUQbU9Ib0qCkgyfky95J39eXkZ8Nv4K/8?=
 =?us-ascii?Q?A2IX1+FdK0DGV1h+bne7FfaABYsZ4zAqUPC7qOP9/EuQxMK+JpA2Qt4MFxR1?=
 =?us-ascii?Q?yfybF34C9MhnuNzN9laL3WknrDKs67qWymJxqWxIXc8SOo3PtIZZZTR6UImk?=
 =?us-ascii?Q?Ivc57/AriTegmKTyZLoeb3agOEI0r1Kzfkd5S7i6GpslEXeyTtPc81Y1nxOC?=
 =?us-ascii?Q?xMcZCCMbI1gWpXu3wJjW/CIthDYeY42RCYkGMI9mcXKGBjDyvLoqs1eCwmJC?=
 =?us-ascii?Q?DjrRzM0KdFN9wFHgekzWhZ+oc9aHjBbpdDVmref2CVZIhAQqD8MF3vLzm6Nx?=
 =?us-ascii?Q?7y0bDLSv87Tt6GFQKZWF4wsbAa5suCrCtwV15wWyzYtUIDU1vnJQgWKTEIIW?=
 =?us-ascii?Q?DclatUtaAMao3G6ncQVcM5JAcsPZOhH57m0iWxEUlm1OXb9HRCrBfgt/gQZZ?=
 =?us-ascii?Q?+bPHZEx8ksGpRtD1wZcdSbUnd96UUXmmWkpREQ4Ozgq4RLPCpDC9jKHDuJOr?=
 =?us-ascii?Q?+ScE4ygHo2xQUnx2Tygfc05i/EBnRt8DHaW8hQSDcUCilP6jpg0eG0xyNO1f?=
 =?us-ascii?Q?9+Inde4ItpXXYU0HRGhS+oaP1FM2cv8haU+rakCgLC5uycT8zv1E0G9XSOMM?=
 =?us-ascii?Q?dg/hi1xiE/q9MLx37wIG5808KHW/qItPnErnxYfFeX30RDMOLq496yuyqBoM?=
 =?us-ascii?Q?jNDHZgrdgBJ2Mtu2Er7UBolSFph8ipBCHroYQnk2OC404yl0jlyStltPMSY7?=
 =?us-ascii?Q?G9M5sgNnEzvqvtYoIvbGW0mSf9neV5iALUp/ymoWoJtLTaLVqZLdo4T1p8tE?=
 =?us-ascii?Q?eRKmaQVMK1ctNYZOWolwrbK8SVUxPpBRheO47nOZQhZ7fg7bOuZ99a54ba2Q?=
 =?us-ascii?Q?Lqey0fkohRPk7DGVQKAoF4dBnGfH33W5naP0tAsNS7yeY1Vf4VENI752qtf7?=
 =?us-ascii?Q?YjNhN+U5fY6aIsTvrLppgNOpnABCUq0W5Lt5b0fevxhRRt2PgpDmUTbEP0zL?=
 =?us-ascii?Q?cY721VCwaLtN/DeGGNVpzskJSTiQdQ5oiBWfWJcocgnpR3op6fRMj3EMD4G6?=
 =?us-ascii?Q?rLwGmuMGaPzVg2kSxuZokBgkQI557bKQlhUVO0aEuo5wRHfZv1aaJNCA/iMQ?=
 =?us-ascii?Q?wJOBcRREigPsVI6kHQw=3D?=
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 24580696-3dbb-4a6f-712c-08d99a086202
X-MS-Exchange-CrossTenant-AuthSource: BL0PR12MB5506.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Oct 2021 11:45:04.6459
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: /n+0FMKXFdoaEboCbKFDJsCSD3pVoROTFyrsoW0TtCPXK7q8243TOfB++aN9ytdY
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR12MB5538
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 27, 2021 at 06:46:40PM -0700, Jakub Kicinski wrote:
> On Wed, 27 Oct 2021 20:16:06 +0800 Ziyang Xuan wrote:
> > The real_dev of a vlan net_device may be freed after
> > unregister_vlan_dev(). Access the real_dev continually by
> > vlan_dev_real_dev() will trigger the UAF problem for the
> > real_dev like following:
> > 
> > ==================================================================
> > BUG: KASAN: use-after-free in vlan_dev_real_dev+0xf9/0x120
> > Call Trace:
> >  kasan_report.cold+0x83/0xdf
> >  vlan_dev_real_dev+0xf9/0x120
> >  is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0
> >  is_eth_port_of_netdev_filter+0x28/0x40
> >  ib_enum_roce_netdev+0x1a3/0x300
> >  ib_enum_all_roce_netdevs+0xc7/0x140
> >  netdevice_event_work_handler+0x9d/0x210
> > ...
> > 
> > Freed by task 9288:
> >  kasan_save_stack+0x1b/0x40
> >  kasan_set_track+0x1c/0x30
> >  kasan_set_free_info+0x20/0x30
> >  __kasan_slab_free+0xfc/0x130
> >  slab_free_freelist_hook+0xdd/0x240
> >  kfree+0xe4/0x690
> >  kvfree+0x42/0x50
> >  device_release+0x9f/0x240
> >  kobject_put+0x1c8/0x530
> >  put_device+0x1b/0x30
> >  free_netdev+0x370/0x540
> >  ppp_destroy_interface+0x313/0x3d0
> > ...
> > 
> > Set vlan->real_dev to NULL after dev_put(real_dev) in
> > unregister_vlan_dev(). Check real_dev is not NULL before
> > access it in vlan_dev_real_dev().
> > 
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Reported-by: syzbot+e4df4e1389e28972e955@syzkaller.appspotmail.com
> > Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
> >  net/8021q/vlan.c      | 1 +
> >  net/8021q/vlan_core.c | 2 +-
> >  2 files changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
> > index 55275ef9a31a..1106da84e725 100644
> > +++ b/net/8021q/vlan.c
> > @@ -126,6 +126,7 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
> >  
> >  	/* Get rid of the vlan's reference to real_dev */
> >  	dev_put(real_dev);
> > +	vlan->real_dev = NULL;
> >  }
> >  
> >  int vlan_check_real_dev(struct net_device *real_dev,
> > diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
> > index 59bc13b5f14f..343f34479d8b 100644
> > +++ b/net/8021q/vlan_core.c
> > @@ -103,7 +103,7 @@ struct net_device *vlan_dev_real_dev(const struct net_device *dev)
> >  {
> >  	struct net_device *ret = vlan_dev_priv(dev)->real_dev;
> >  
> > -	while (is_vlan_dev(ret))
> > +	while (ret && is_vlan_dev(ret))
> >  		ret = vlan_dev_priv(ret)->real_dev;
> >  
> >  	return ret;
> 
> But will make all the callers of vlan_dev_real_dev() feel like they
> should NULL-check the result, which is not necessary.

Isn't it better to reliably return NULL instead of a silent UAF in
this edge case? 

> RDMA must be calling this helper on a vlan which was already
> unregistered, can we fix RDMA instead?

RDMA holds a get on the netdev which prevents unregistration, however
unregister_vlan_dev() does:

        unregister_netdevice_queue(dev, head);
        dev_put(real_dev);

Which corrupts the still registered vlan device while it is sitting in
the queue waiting to unregister. So, it is not true that a registered
vlan device always has working vlan_dev_real_dev().

Jason