From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Schspa Shi, syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com, "David S. Miller", Sasha Levin, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, christoph.boehmwalder@linbit.com, ulf.hansson@linaro.org, Jason@zx2c4.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15 30/46] mrp: introduce active flags to prevent UAF when applicant uninit
Date: Sun, 18 Dec 2022 11:12:28 -0500
Message-Id: <20221218161244.930785-30-sashal@kernel.org>
In-Reply-To: <20221218161244.930785-1-sashal@kernel.org>
References: <20221218161244.930785-1-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Schspa Shi

[ Upstream commit ab0377803dafc58f1e22296708c1c28e309414d6 ]

The caller of del_timer_sync must prevent restarting of the timer. If we do not have this synchronization, there is a small probability that the cancellation will not be successful. And syzbot reported the following crash:

==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]

CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
 show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x1a8/0x4a0 mm/kasan/report.c:395
 kasan_report+0x94/0xb4 mm/kasan/report.c:495
 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
 do_bad_area arch/arm64/mm/fault.c:473 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
 hlist_add_head include/linux/list.h:929 [inline]
 enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
 mod_timer+0x14/0x20 kernel/time/timer.c:1161
 mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
 mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
 expire_timers+0x98/0xc4 kernel/time/timer.c:1519

To fix it, we can introduce a new active flag to make sure the timer will not restart.
Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com Signed-off-by: Schspa Shi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- include/net/mrp.h | 1 + net/802/mrp.c | 18 +++++++++++++----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/include/net/mrp.h b/include/net/mrp.h index 1c308c034e1a..a8102661fd61 100644 --- a/include/net/mrp.h +++ b/include/net/mrp.h @@ -120,6 +120,7 @@ struct mrp_applicant { struct sk_buff *pdu; struct rb_root mad; struct rcu_head rcu; + bool active; }; struct mrp_port { diff --git a/net/802/mrp.c b/net/802/mrp.c index 35e04cc5390c..c10a432a5b43 100644 --- a/net/802/mrp.c +++ b/net/802/mrp.c @@ -606,7 +606,10 @@ static void mrp_join_timer(struct timer_list *t) spin_unlock(&app->lock); mrp_queue_xmit(app); - mrp_join_timer_arm(app); + spin_lock(&app->lock); + if (likely(app->active)) + mrp_join_timer_arm(app); + spin_unlock(&app->lock); } static void mrp_periodic_timer_arm(struct mrp_applicant *app) @@ -620,11 +623,12 @@ static void mrp_periodic_timer(struct timer_list *t) struct mrp_applicant *app = from_timer(app, t, periodic_timer); spin_lock(&app->lock); - mrp_mad_event(app, MRP_EVENT_PERIODIC); - mrp_pdu_queue(app); + if (likely(app->active)) { + mrp_mad_event(app, MRP_EVENT_PERIODIC); + mrp_pdu_queue(app); + mrp_periodic_timer_arm(app); + } spin_unlock(&app->lock); - - mrp_periodic_timer_arm(app); } static int mrp_pdu_parse_end_mark(struct sk_buff *skb, int *offset) @@ -872,6 +876,7 @@ int mrp_init_applicant(struct net_device *dev, struct mrp_application *appl) app->dev = dev; app->app = appl; app->mad = RB_ROOT; + app->active = true; spin_lock_init(&app->lock); skb_queue_head_init(&app->queue); rcu_assign_pointer(dev->mrp_port->applicants[appl->type], app); 
@@ -900,6 +905,9 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl) RCU_INIT_POINTER(port->applicants[appl->type], NULL); + spin_lock_bh(&app->lock); + app->active = false; + spin_unlock_bh(&app->lock); /* Delete timer and generate a final TX event to flush out * all pending messages before the applicant is gone. */ -- 2.35.1
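Review bot: the new `bool active;` in struct mrp_applicant (include/net/mrp.h hunk) carries no comment saying which lock guards it. Every reader and the single writer in this patch go through app->lock, so a one-line `/* protected by lock */` next to the field would record the invariant the two timer callbacks depend on and keep a later change from reading it lockless.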
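Review bot: in the mrp_join_timer hunk, re-taking app->lock around `if (likely(app->active)) mrp_join_timer_arm(app);` is the important part, since the flag check and the mod_timer() inside mrp_join_timer_arm() must not be separable by mrp_uninit_applicant clearing the flag in between; a short comment above the second `spin_lock(&app->lock);` stating that the check-and-arm must stay atomic with respect to that clear would stop a future refactor from hoisting the arm back outside the lock. The `likely()` on a branch that is false only during teardown is harmless but adds nothing.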
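Review bot: in the mrp_periodic_timer hunk, moving mrp_periodic_timer_arm() inside the locked `if (likely(app->active))` block is the right shape and matches the join timer; the removed unconditional `mrp_periodic_timer_arm(app);` after `spin_unlock(&app->lock);` was exactly where the timer could be re-queued with no way for the uninit path to know, which the commit message's del_timer_sync rule describes. Same request as for the join timer: one comment on why the arm now lives under the lock.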
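Review bot: in the mrp_init_applicant hunk, `app->active = true;` is set before rcu_assign_pointer() publishes the applicant and before any timer can be armed, so ordering relative to spin_lock_init() does not matter here; grouping it with the other plain-field initialisers as done is fine. A brief comment that it pairs with the clear in mrp_uninit_applicant would make the lifetime rule visible from both ends.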
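Review bot: in the mrp_uninit_applicant hunk, the `app->active = false;` under spin_lock_bh() must stay ahead of the timer deletion the following context comment ("Delete timer and generate a final TX event...") refers to; the other order reopens the race, because a callback that has already passed its flag check can still call mod_timer(), and del_timer_sync() only waits for the callback that is currently running on that one timer. Worth a comment on the assignment saying it must precede the deletes. The `_bh` variant is required, since the callbacks in the earlier hunks take the plain `spin_lock(&app->lock)` from softirq context.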
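The rule the commit message states, that del_timer_sync() is only meaningful when the caller stops the timer from being re-armed, is easiest to see in a deterministic model. The following is an added example, not code from the patch or from net/802/mrp.c: the toy timer core, the two-timer object, the cross-arming in the periodic callback and the teardown interleaving are all constructed here as assumptions to reproduce the failure mode in general, not the exact path syzbot hit. teardown_scenario(false) models the code before the patch and returns how many timer callbacks run against the freed object; teardown_scenario(true) models the active flag cleared before the deletes.

```c
/* Deterministic model of "the caller of del_timer_sync must prevent re-arming".
 * Added example, not kernel or mrp code: the timer core, the lock and the
 * interleaving below are toy stand-ins (assumptions), single-threaded so the
 * outcome is reproducible. */
#include <stdbool.h>
#include <stdio.h>

struct applicant;

struct toy_timer {
    bool pending;                       /* armed and waiting to fire */
    void (*fn)(struct applicant *app);  /* callback, like a timer_list function */
};

struct applicant {
    bool active;      /* the flag the patch adds; cleared before the deletes */
    bool fixed;       /* hypothetical switch: true = callbacks honour the flag */
    bool freed;       /* models kfree_rcu() having run */
    int uaf_hits;     /* callbacks that ran on the freed object */
    struct toy_timer join_timer;
    struct toy_timer periodic_timer;
};

/* mod_timer(): queue the timer again. */
static void toy_mod_timer(struct toy_timer *t)
{
    t->pending = true;
}

/* del_timer_sync(): dequeue. In the kernel it also waits for a callback that
 * is running on this same timer; the model never has one in flight here. */
static void toy_del_timer_sync(struct toy_timer *t)
{
    t->pending = false;
}

/* Fire a pending timer once, like expire_timers() -> call_timer_fn(). A
 * callback entered after the owner was freed is the use-after-free; in the
 * real report the first write KASAN caught was the re-arm in enqueue_timer(). */
static void toy_fire(struct applicant *app, struct toy_timer *t)
{
    if (!t->pending)
        return;
    t->pending = false;                 /* detach_timer(): callback may re-arm */
    if (app->freed)
        app->uaf_hits++;
    t->fn(app);
}

/* Periodic callback: after its work it arms the join timer (constructed
 * cross-arming, assumption). Unfixed: unconditional. Fixed: only while active. */
static void periodic_fn(struct applicant *app)
{
    if (!app->fixed || app->active)
        toy_mod_timer(&app->join_timer);
}

/* Join callback: re-arms itself under the same rule. */
static void join_fn(struct applicant *app)
{
    if (!app->fixed || app->active)
        toy_mod_timer(&app->join_timer);
}

/* Teardown interleaving (assumed order): uninit deletes join_timer, the
 * periodic timer fires between the two deletes, periodic_timer is deleted,
 * the applicant is freed, and the timer softirq later expires whatever is
 * still queued. Returns how many callbacks ran on the freed object. */
int teardown_scenario(bool fixed)
{
    struct applicant app = {
        .active = true, .fixed = fixed, .freed = false, .uaf_hits = 0,
        .join_timer = { .pending = true, .fn = join_fn },
        .periodic_timer = { .pending = true, .fn = periodic_fn },
    };

    if (app.fixed)
        app.active = false;                 /* under spin_lock_bh in the patch */
    toy_del_timer_sync(&app.join_timer);
    toy_fire(&app, &app.periodic_timer);    /* the race window */
    toy_del_timer_sync(&app.periodic_timer);
    app.freed = true;                       /* kfree_rcu() */

    toy_fire(&app, &app.join_timer);        /* anything left queued expires later */
    toy_fire(&app, &app.periodic_timer);
    return app.uaf_hits;
}

int main(void)
{
    printf("before fix: %d callback(s) on freed applicant\n", teardown_scenario(false));
    printf("after fix:  %d callback(s) on freed applicant\n", teardown_scenario(true));
    return 0;
}
```

The unfixed model reports one callback on freed memory, the fixed one none. What carries over from the patch is that the flag check and the mod_timer() sit under the same lock that uninit takes to clear the flag: a callback that has already passed the check finishes its re-arm before the clear, and the del_timer_sync() that follows the clear removes what it queued; a callback that runs after the clear never arms anything.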