From: Eric Dumazet
Date: Sat, 19 Nov 2022 10:31:38 -0800
Subject: Re: [PATCH] net: tun: Fix use-after-free in tun_detach()
To: Shigeru Yoshida
Cc: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

On Fri, Nov 18, 2022 at 11:56 PM Shigeru Yoshida wrote:
>
> syzbot reported a use-after-free in tun_detach() [1]. This causes a call
> trace like the one below:
>
> ==================================================================
> BUG: KASAN: use-after-free in notifier_call_chain+0x1da/0x1e0
> ...
> Call Trace:

Please include a symbolic stack trace, I think syzbot has them.

>
> dump_stack_lvl+0x100/0x178
> print_report+0x167/0x470
> ? __virt_addr_valid+0x5e/0x2d0
> ? __phys_addr+0xc6/0x140
> ? notifier_call_chain+0x1da/0x1e0
> ? notifier_call_chain+0x1da/0x1e0
> kasan_report+0xbf/0x1e0
> ? notifier_call_chain+0x1da/0x1e0
> notifier_call_chain+0x1da/0x1e0
> call_netdevice_notifiers_info+0x83/0x130
> netdev_run_todo+0xc33/0x11b0
> ? generic_xdp_install+0x490/0x490
> ? __tun_detach+0x1500/0x1500
> tun_chr_close+0xe2/0x190
> __fput+0x26a/0xa40
> task_work_run+0x14d/0x240
> ? task_work_cancel+0x30/0x30
> do_exit+0xb31/0x2a40
> ? reacquire_held_locks+0x4a0/0x4a0
> ? do_raw_spin_lock+0x12e/0x2b0
> ? mm_update_next_owner+0x7c0/0x7c0
> ? rwlock_bug.part.0+0x90/0x90
> ? lockdep_hardirqs_on_prepare+0x17f/0x410
> do_group_exit+0xd4/0x2a0
> __x64_sys_exit_group+0x3e/0x50
> do_syscall_64+0x38/0xb0
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> The cause of the issue is that sock_put() from __tun_detach() drops the
> last reference count for struct net, and then notifier_call_chain()
> from netdev_state_change() accesses that struct net.
>
> This patch fixes the issue by calling sock_put() from tun_detach()
> after all necessary accesses for the struct net have been done.
>
> Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1]
> Signed-off-by: Shigeru Yoshida

Please add a Fixes: tag, once you have identified which commit added this bug.

> ---
> drivers/net/tun.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 7a3ab3427369..ce9fcf4c8ef4 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -686,7 +686,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
> if (tun)
> xdp_rxq_info_unreg(&tfile->xdp_rxq);
> ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
> - sock_put(&tfile->sk);
> }
> }
>
> @@ -702,6 +701,11 @@ static void tun_detach(struct tun_file *tfile, bool clean)
> if (dev)
> netdev_state_change(dev);
> rtnl_unlock();
> +
> + if (clean) {
> + synchronize_rcu();
> + sock_put(&tfile->sk);
> + }
> }
>
> static void tun_detach_all(struct net_device *dev)
> --
> 2.38.1
>
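Review bot: dropping `sock_put(&tfile->sk);` from the clean branch of __tun_detach() (first hunk) silently changes that function's contract: any caller that passes clean=true and is not tun_detach() now leaks the socket reference and the struct net it pins. Please confirm that tun_detach() is the only clean=true caller, and say in the changelog that the final reference drop has moved to the caller, so the asymmetry between __tun_detach() and tun_detach() is documented for the next person touching this path.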
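Review bot: the `synchronize_rcu();` added before `sock_put(&tfile->sk);` in the second hunk is not motivated anywhere in the commit message, which only explains why sock_put() must run after netdev_state_change(). If a full grace period is really needed here, state which RCU reader could still be using tfile after the rtnl section; otherwise drop it, since a blocking synchronize_rcu() on every close is a measurable cost. It is also worth noting in the changelog that sock_put() now runs outside rtnl_lock(), which looks fine for a plain reference drop but is a visible ordering change.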