Received: by 2002:a05:6358:5282:b0:b5:90e7:25cb with SMTP id g2csp3330969rwa; Tue, 23 Aug 2022 03:00:59 -0700 (PDT) X-Google-Smtp-Source: AA6agR6FwlQ1Ufb78ebxbMKxcX8wkCLJvTi8I9wd5+LlATDLego9JEddS0oQT0/UGtRvqE9LRKQ3 X-Received: by 2002:a05:6402:2792:b0:446:8864:26c1 with SMTP id b18-20020a056402279200b00446886426c1mr2936007ede.70.1661248858882; Tue, 23 Aug 2022 03:00:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661248858; cv=none; d=google.com; s=arc-20160816; b=N6KC52E1HLZpoW6BvjlXPXmzToA1YzdBltrxaTeE1u9MxzfWzt67B/9HmfSPylkycP pmYVpdlBPtW5GFtM29eP6pIS/SDNFilkV0DETUtyLmgC4HLe9C1YDAGnil1hqBELDbmn K0mLpHRUt+zN0MLRPa4mlQ6na2078nDAUYrZCWVs6fn0+3gcTfJSNR2JhOBxx10VjQEV +HomeFDjzUY0L3z/CBWi2eKn7/hB2CZZMQ27rWKvYIcNkeeO92uBYrvVlTQidknu08eb 8Wmcz4FPqvvz0osOeA9aUbMFrLfODyY0UfNAKMO77UI0Esd/cpheKqgOtg9nuQzNMWWZ HxLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=mTL3oi4cYG3PyYd++so5UYaSnuzphbJ4N/fcpCgYYUg=; b=j0j0Ep4qQj2dbECNMIzlRHZnGlJTJSyBd/+sHzKvu3m9uYCp2VazVEG/CqHmmm/dXu 7o1hsc+70k9bjMxRNJLa2XzRyt0eNJMdSmYbiz6KLK+mFi9Sr9JXudwy+yzXLPmKzSvC eTOXugTxNC/5OIpmXt+UnjBS1PDsIuENLwQyfVnsZePh2lqs+s55ZcjiJ39Z8NsoRabU BaK1QJFCV5PFNhdeQDbB0yh8R5Es5t9949QJJjxbKBcVnqO/TV9/rA8SgZwO+65R/Sdv qWkU19T5XX9Xix8PlmU6RreaM541NEIEJYgEN8PoGST/yYLjzqiGDR+3VH5Pj7mNCFtY QhPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LyTpbEqG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id gb28-20020a170907961c00b0073d71079711si6710432ejc.491.2022.08.23.03.00.26; Tue, 23 Aug 2022 03:00:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LyTpbEqG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345467AbiHWJuB (ORCPT + 99 others); Tue, 23 Aug 2022 05:50:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55346 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242511AbiHWJrc (ORCPT ); Tue, 23 Aug 2022 05:47:32 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 683BF9C8F7; Tue, 23 Aug 2022 01:44:38 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 24DB8B81C65; Tue, 23 Aug 2022 08:43:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 69EEEC433C1; Tue, 23 Aug 2022 08:43:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661244211; bh=VBgzVhFa46p77ox+2URUyUqTrxw7PqtF3Lnk9z6s+ko=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LyTpbEqG8X/7lF2RI7FQluqUoCmfubebwFcl+djxvSrcSvW4IJVnCsnlFMkdWWQ42 /pumN8LpuZ2rI1DQrf9AouZakm9XPxiEMrx+Ny0QVYCZpWLxmhuykxEZz5hl03+MpX 7rMIA5c/4YU7Vijf2GDykXGIUPBNPGwUXjHr6au8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ido Schimmel , Jiri Pirko , "David S. Miller" Subject: [PATCH 5.15 057/244] devlink: Fix use-after-free after a failed reload Date: Tue, 23 Aug 2022 10:23:36 +0200 Message-Id: <20220823080100.970656746@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080059.091088642@linuxfoundation.org> References: <20220823080059.091088642@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ido Schimmel commit 6b4db2e528f650c7fb712961aac36455468d5902 upstream. After a failed devlink reload, devlink parameters are still registered, which means user space can set and get their values. In the case of the mlxsw "acl_region_rehash_interval" parameter, these operations will trigger a use-after-free [1]. Fix this by rejecting set and get operations while in the failed state. Return the "-EOPNOTSUPP" error code which does not abort the parameters dump, but instead causes it to skip over the problematic parameter. Another possible fix is to perform these checks in the mlxsw parameter callbacks, but other drivers might be affected by the same problem and I am not aware of scenarios where these stricter checks will cause a regression. [1] mlxsw_spectrum3 0000:00:10.0: Port 125: Failed to register netdev mlxsw_spectrum3 0000:00:10.0: Failed to create ports ================================================================== BUG: KASAN: use-after-free in mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904 Read of size 4 at addr ffff8880099dcfd8 by task kworker/u4:4/777 CPU: 1 PID: 777 Comm: kworker/u4:4 Not tainted 5.19.0-rc7-custom-126601-gfe26f28c586d #1 Hardware name: QEMU MSN4700, BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x92/0xbd lib/dump_stack.c:106 print_address_description mm/kasan/report.c:313 [inline] print_report.cold+0x5e/0x5cf mm/kasan/report.c:429 kasan_report+0xb9/0xf0 mm/kasan/report.c:491 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:306 mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904 mlxsw_sp_acl_region_rehash_intrvl_get+0x49/0x60 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c:1106 mlxsw_sp_params_acl_region_rehash_intrvl_get+0x33/0x80 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3854 devlink_param_get net/core/devlink.c:4981 [inline] devlink_nl_param_fill+0x238/0x12d0 net/core/devlink.c:5089 devlink_param_notify+0xe5/0x230 net/core/devlink.c:5168 devlink_ns_change_notify net/core/devlink.c:4417 [inline] devlink_ns_change_notify net/core/devlink.c:4396 [inline] devlink_reload+0x15f/0x700 net/core/devlink.c:4507 devlink_pernet_pre_exit+0x112/0x1d0 net/core/devlink.c:12272 ops_pre_exit_list net/core/net_namespace.c:152 [inline] cleanup_net+0x494/0xc00 net/core/net_namespace.c:582 process_one_work+0x9fc/0x1710 kernel/workqueue.c:2289 worker_thread+0x675/0x10b0 kernel/workqueue.c:2436 kthread+0x30c/0x3d0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 The buggy address belongs to the physical page: page:ffffea0000267700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99dc flags: 0x100000000000000(node=0|zone=1) raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099dce80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880099dcf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8880099dcf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880099dd000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880099dd080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Fixes: 98bbf70c1c41 ("mlxsw: spectrum: add "acl_region_rehash_interval" devlink param") Signed-off-by: Ido Schimmel Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/core/devlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/core/devlink.c +++ b/net/core/devlink.c @@ -4413,7 +4413,7 @@ static int devlink_param_get(struct devl const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->get) + if (!param->get || devlink->reload_failed) return -EOPNOTSUPP; return param->get(devlink, param->id, ctx); } @@ -4422,7 +4422,7 @@ static int devlink_param_set(struct devl const struct devlink_param *param, struct devlink_param_gset_ctx *ctx) { - if (!param->set) + if (!param->set || devlink->reload_failed) return -EOPNOTSUPP; return param->set(devlink, param->id, ctx); }