From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, "David S. Miller", Sasha Levin
Subject: [PATCH 5.17 054/343] ref_tracker: implement use-after-free detection
Date: Tue, 12 Apr 2022 08:27:52 +0200
Message-Id: <20220412062952.665386470@linuxfoundation.org>
In-Reply-To: <20220412062951.095765152@linuxfoundation.org>
References: <20220412062951.095765152@linuxfoundation.org>

From: Eric Dumazet

[ Upstream commit e3ececfe668facd87d920b608349a32607060e66 ]

Whenever ref_tracker_dir_init() is called, mark the struct ref_tracker_dir as dead.

Test the dead status from ref_tracker_alloc() and ref_tracker_free()

This should detect buggy dev_put()/dev_hold() happening too late in netdevice dismantle process.

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- include/linux/ref_tracker.h | 2 ++ lib/ref_tracker.c | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/include/linux/ref_tracker.h b/include/linux/ref_tracker.h index 60f3453be23e..a443abda937d 100644 --- a/include/linux/ref_tracker.h +++ b/include/linux/ref_tracker.h
@@ -13,6 +13,7 @@ struct ref_tracker_dir { spinlock_t lock; unsigned int quarantine_avail; refcount_t untracked; + bool dead; struct list_head list; /* List of active trackers */ struct list_head quarantine; /* List of dead trackers */ #endif @@ -26,6 +27,7 @@ static inline void ref_tracker_dir_init(struct ref_tracker_dir *dir, INIT_LIST_HEAD(&dir->quarantine); spin_lock_init(&dir->lock); dir->quarantine_avail = quarantine_count; + dir->dead = false; refcount_set(&dir->untracked, 1); stack_depot_init(); } diff --git a/lib/ref_tracker.c b/lib/ref_tracker.c index a6789c0c626b..32ff6bd497f8 100644 --- a/lib/ref_tracker.c +++ b/lib/ref_tracker.c @@ -20,6 +20,7 @@ void ref_tracker_dir_exit(struct ref_tracker_dir *dir) unsigned long flags; bool leak = false; + dir->dead = true; spin_lock_irqsave(&dir->lock, flags); list_for_each_entry_safe(tracker, n, &dir->quarantine, head) { list_del(&tracker->head); @@ -72,6 +73,8 @@ int ref_tracker_alloc(struct ref_tracker_dir *dir, gfp_t gfp_mask = gfp; unsigned long flags; + WARN_ON_ONCE(dir->dead); + if (gfp & __GFP_DIRECT_RECLAIM) gfp_mask |= __GFP_NOFAIL; *trackerp = tracker = kzalloc(sizeof(*tracker), gfp_mask); @@ -100,6 +103,8 @@ int ref_tracker_free(struct ref_tracker_dir *dir, unsigned int nr_entries; unsigned long flags; + WARN_ON_ONCE(dir->dead); + if (!tracker) { refcount_dec(&dir->untracked); return -EEXIST; -- 2.35.1
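
Review bot: the new `bool dead;` member in the struct ref_tracker_dir hunk of include/linux/ref_tracker.h has no comment, while the `list` and `quarantine` members directly below it each carry one. A short comment stating that it is set by ref_tracker_dir_exit() and checked in ref_tracker_alloc() and ref_tracker_free() would document the field where readers will look for it.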
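
Review bot: the changelog does not match the ref_tracker_dir_init() hunk, which sets `dir->dead = false;`. The directory is marked dead by `dir->dead = true;` in ref_tracker_dir_exit() in lib/ref_tracker.c, so the first sentence of the commit message should name ref_tracker_dir_exit() rather than ref_tracker_dir_init().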
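
Review bot: in the ref_tracker_dir_exit() hunk, `dir->dead = true;` is a plain store placed before `spin_lock_irqsave(&dir->lock, flags);`, and the new checks in ref_tracker_alloc() and ref_tracker_free() read the flag at function entry as plain loads. Nothing in the visible lines orders the store against a caller running concurrently on another CPU, so a late dev_hold()/dev_put() racing with dismantle can miss the warning. Consider setting the flag under dir->lock, or at least using WRITE_ONCE()/READ_ONCE() and documenting that the check is best effort.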
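
Review bot: in the ref_tracker_alloc() hunk, `WARN_ON_ONCE(dir->dead);` only reports and the function continues to kzalloc() a tracker for a directory that has already been torn down. If continuing is intentional, a comment should say so; otherwise bail out with an error after the warning. Note also that the ONCE variant reports only the first offender at this call site, so later buggy callers on other directories stay silent.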
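
Review bot: in the ref_tracker_free() hunk, the check reads `dir->dead` from the directory being tested, so it can only flag a late call while the struct ref_tracker_dir memory is still intact. Once the containing object has been freed and reused, the value read is arbitrary. The subject line says "use-after-free detection"; the changelog or a comment should make clear that what is detected is use after ref_tracker_dir_exit(), not access to freed memory as such.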