Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp165655imn; Wed, 27 Jul 2022 02:59:22 -0700 (PDT) X-Google-Smtp-Source: AGRyM1szGh5wfpTEtarU/wG6whQKbSs2/oWmMgvL6c51J2Aqd/Q8rTKKHVlnN83pKkiY3o/7Qppn X-Received: by 2002:a17:90b:1c0b:b0:1f0:23df:5406 with SMTP id oc11-20020a17090b1c0b00b001f023df5406mr3729470pjb.157.1658915962585; Wed, 27 Jul 2022 02:59:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658915962; cv=none; d=google.com; s=arc-20160816; b=ANcZ4GNRcS3JNOCwh/j2UlH7M74knDTJCLUTsvFoddLemmy35BnMN7kbL1P5/zwXx3 CufdkpSXwugujemOKHGklsyFrn/49hid1E5iXx7n/V01o+BO/qJ9qiuiVNM5O94v7Sca QMUNhwX1VdoO+p/YwGQ8ayk8kgF7xZJuoCBOdG6W91aPUxXYE47IbmMJOKzKIeGUOy6e frxeTEn9PAgeydCoVULUqAf27q5ue+0gWjII+YrwbkNwMWlGXKrq4+szrxKIwyEvz/9f rxXpJKsK+RAj+hxlfIDDnVvPOrXRH7XpgznQDKl50fxrJ4hr9F5iZ4IRfARI2nG1ce3J VhrQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=2JA3LAcWFrVgyNzQ7tMzU8nSe9RRNefwId5LqLUrTHQ=; b=yTOa7kspZ+RaMKa4tYztdg1l4yW69SaWqjqRc2Tvo9cmq4HLSGZ/quEuh4KGFzeG7a HydsWjLoZ5cH3x4YKZcCBOeIRJx5s9sR/hhOaz/TRiQMU11CU1afvjrYXmXypDplA0C6 cEJBL1dHQVMe1KgQa/eZ+sDG5ZAJ1F/vJY9cGREvNz0GIl6pfrYZChqOJSTgCH7cn5+q yVS6hU2cBMLbSJwlPAb91NsHgpJciND2S2snEjDtwjEesjQAbvmVondhOgBlSbYc6SDE T2S01W9Ea5QSMmi2M+8jCkIpDtdbMOWh1HsjWSSLTOQVOq0UDoX7ykf3uaCC7SIaFeN1 HzRw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=ezdrOVHk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id kk4-20020a17090b4a0400b001f30db82da4si1027859pjb.50.2022.07.27.02.59.07; Wed, 27 Jul 2022 02:59:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=ezdrOVHk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231374AbiG0JHD (ORCPT + 99 others); Wed, 27 Jul 2022 05:07:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48270 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231371AbiG0JGb (ORCPT ); Wed, 27 Jul 2022 05:06:31 -0400 Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7E23947BAC for ; Wed, 27 Jul 2022 02:06:20 -0700 (PDT) Received: by mail-yb1-xb2e.google.com with SMTP id 123so6433747ybv.7 for ; Wed, 27 Jul 2022 02:06:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2JA3LAcWFrVgyNzQ7tMzU8nSe9RRNefwId5LqLUrTHQ=; b=ezdrOVHkkyEdsd/J8XDbRmdIHm7C5TePfztuPZ1+9R7RYYYgX8fx2sv6pD+0jpkAk9 ZU83e2CNY86ab90uImfbz3u4zZJtrKiTbuFTIGpX30JX1N1Is1ROn//mtf3OkPZRz6Yx 1EarM9/uzIFwgKeGKawqXUYQde8F03mRUiEbrAdhxaWFH1chCR2ZuZsyAAS6mKnMJuRu 5UMMEZIQz5Wy7DumqXoVGKwamiiMPK6l+6BJhvC42yylB4tRqobUhEPvVdTSA5um1TI5 R7oGn4o+d1XL0SmX/RbVpAkHuMISzLyjNIJwwPmCsBUjYYyzEU92leesROlpH54OjX5c LBeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2JA3LAcWFrVgyNzQ7tMzU8nSe9RRNefwId5LqLUrTHQ=; b=Metl6/sAdKeXguTgNGLdgHVFWEniWh8RkE8KL7a1OucLzM3It149ESrOfzYvQ/JhLg BuolU0glnMQqJe8jyGap0vB+F/pY0vbf7CC+DU/mHuUxLmU6HYQaI03E54bOorplv8rG FPUUfaaCkcY0h8V2JmUshrE3L4PGrYgcv0zcEAYrBFIs3wXqrt8DxidQvOkp1un1N+Kj UyN9HTvsBAzHSgOdoykMJwAXx1AWuFs1Q+XYU5MPwcXLdK65EGDH+GIRpRtKjhJaVXWa YSBy4b77hfllYmui5KTb1k0VrO/7ZKD6pf8v+LJfEcS9Uw8Gg+NHXZ5xV9hht/oL/+JM MhOA== X-Gm-Message-State: AJIora8iEiiYgr/nC9xevo+VbJTw5LxPG50l/2Nld+ahUgXVZcdSuJp3 BmSiYDNQ5jSPsXG0ngR2J8YO/kyHSStq3ZoIkqz24w== X-Received: by 2002:a25:e752:0:b0:671:cdb7:90fd with SMTP id e79-20020a25e752000000b00671cdb790fdmr485491ybh.407.1658912779195; Wed, 27 Jul 2022 02:06:19 -0700 (PDT) MIME-Version: 1.0 References: <20220722103750.1938776d@kernel.org> <20220726182518.47047-1-f6bvp@free.fr> In-Reply-To: <20220726182518.47047-1-f6bvp@free.fr> From: Eric Dumazet Date: Wed, 27 Jul 2022 11:06:08 +0200 Message-ID: Subject: Re: [PATCH 1/1] [PATCH] net: rose: fix unregistered netdevice: waiting for rose0 to become free To: Bernard Pidoux Cc: Jakub Kicinski , David Miller , Duoming Zhou , linux-hams@vger.kernel.org, LKML , netdev , Paolo Abeni , Ralf Baechle Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 26, 2022 at 8:25 PM Bernard Pidoux wrote: > > Here is the context. > > This patch adds dev_put(dev) in order to allow removal of rose module > after use of AX25 and ROSE via rose0 device. > > Otherwise when trying to remove rose module via rmmod rose an infinite > loop message was displayed on all consoles with xx being a random number. > > unregistered_netdevice: waiting for rose0 to become free. Usage count = xx > > unregistered_netdevice: waiting for rose0 to become free. Usage count = xx > > ... > > With the patch it is ok to rmmod rose. But removing a net device will leave a dangling pointer, leading to UAF. We must keep a reference and remove it when the socket is dismantled. Also rose_dev_first() is buggy, because it leaves the rcu section without taking first a reference on the found device. Here is a probably not complete patch, can you give it a try ? (Also enable CONFIG_NET_DEV_REFCNT_TRACKER=y in your .config to ease debugging) (I can send you privately the patch, just ask me, I include it inline here for clarity only) Thanks. diff --git a/include/net/rose.h b/include/net/rose.h index 0f0a4ce0fee7cc5e125507a8fc3cfb8cb826be73..64f808eed0e15a2482e8ce010d712eef1e0b9d85 100644 --- a/include/net/rose.h +++ b/include/net/rose.h @@ -131,7 +131,8 @@ struct rose_sock { ax25_address source_digis[ROSE_MAX_DIGIS]; ax25_address dest_digis[ROSE_MAX_DIGIS]; struct rose_neigh *neighbour; - struct net_device *device; + struct net_device *device; + netdevice_tracker dev_tracker; unsigned int lci, rand; unsigned char state, condition, qbitincl, defer; unsigned char cause, diagnostic; diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c index bf2d986a6bc392a9d830b1dfa7fbaa3bca969aa3..520a48999f1bf8a41d66e8a4f86606b66f2b9408 100644 --- a/net/rose/af_rose.c +++ b/net/rose/af_rose.c @@ -192,6 +192,7 @@ static void rose_kill_by_device(struct net_device *dev) rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); if (rose->neighbour) rose->neighbour->use--; + dev_put_track(rose->device, &rose->dev_tracker); rose->device = NULL; } } @@ -592,6 +593,8 @@ static struct sock *rose_make_new(struct sock *osk) rose->idle = orose->idle; rose->defer = orose->defer; rose->device = orose->device; + if (rose->device) + dev_hold_track(rose->device, &rose->dev_tracker, GFP_ATOMIC); rose->qbitincl = orose->qbitincl; return sk; @@ -695,7 +698,11 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) } rose->source_addr = addr->srose_addr; + // TODO: should probably hold socket lock at this point ? + WARN_ON_ONCE(rose->device); rose->device = dev; + netdev_tracker_alloc(rose->device, &rose->dev_tracker, GFP_KERNEL); + rose->source_ndigis = addr->srose_ndigis; if (addr_len == sizeof(struct full_sockaddr_rose)) { @@ -721,7 +728,6 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le struct rose_sock *rose = rose_sk(sk); struct sockaddr_rose *addr = (struct sockaddr_rose *)uaddr; unsigned char cause, diagnostic; - struct net_device *dev; ax25_uid_assoc *user; int n, err = 0; @@ -778,9 +784,12 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le } if (sock_flag(sk, SOCK_ZAPPED)) { /* Must bind first - autobinding in this may or may not work */ + struct net_device *dev; + sock_reset_flag(sk, SOCK_ZAPPED); - if ((dev = rose_dev_first()) == NULL) { + dev = rose_dev_first(); + if (!dev) { err = -ENETUNREACH; goto out_release; } @@ -788,12 +797,15 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le user = ax25_findbyuid(current_euid()); if (!user) { err = -EINVAL; + dev_put(dev); goto out_release; } memcpy(&rose->source_addr, dev->dev_addr, ROSE_ADDR_LEN); rose->source_call = user->call; rose->device = dev; + netdev_tracker_alloc(rose->device, &rose->dev_tracker, + GFP_KERNEL); ax25_uid_put(user); rose_insert_socket(sk); /* Finish the bind */ @@ -1017,6 +1029,7 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros make_rose->source_digis[n] = facilities.source_digis[n]; make_rose->neighbour = neigh; make_rose->device = dev; + dev_hold_track(make_rose->device, &make_rose->dev_tracker, GFP_ATOMIC); make_rose->facilities = facilities; make_rose->neighbour->use++;