Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2665916rwd;
        Fri, 26 May 2023 09:26:44 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ62y3hqNzhASjjH97pGnj3DQ40HXO+d0Am4P85Xs8Qrnavxnc4C/oSKf2dDyUQgvtG24Lqn
X-Received: by 2002:a17:902:8218:b0:1af:bcf7:2bd8 with SMTP id x24-20020a170902821800b001afbcf72bd8mr2537792pln.52.1685118403862;
        Fri, 26 May 2023 09:26:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1685118403; cv=none;
        d=google.com; s=arc-20160816;
        b=L4IUqVPBRuvwRT1lxJBS5X3Y665llZd6qu4FNLh5PIATJiGgQghJu+u9pjbpkcIpCZ
         B/aVu6RIb642KZNc0255vfq6mHMB4rzf5tKDVgx4MBUnn+Yd7QY/iIQPfx9GF4vTTi/5
         3BpunQ+zg064Doi3EprjxTH9Hlu5mCZYE1iQkj/QRjK61c6rRWHBRBMuwn0hhhZJuDSs
         6UKQwLxV/jHEGFMbIRcQjW4tX7T6tdbv624iO5rN07+77gCjxxOBwK4YcXHX4yE+pmhz
         gnIQHeQeh09bx0ukkKdimbCn+FXDSvfgHnSevE0xqJPMXIyH2rZsARJRM/nlalYLGdOL
         5aAg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature:dkim-filter;
        bh=aqS+SmgTj1O1ACMyKobn1Ejjd1RSyeh/KMYxC+E+Wpw=;
        b=dgpKEdOB1ClRwJjX5SHYe9h/7CxRf4+ss1HpD5uYuiXF3CAFlR3xuHzineG9XOs7gE
         fMptiGX6TkYhfZq6mxrYhCvJIvlzbyqW9FoAYvncDpqfj8MlwrEkHGaL8uOHcktI0P+6
         SW6qe7zdcFpyei1xnnCAhB2Pb8FWtP54GxXQ01keth9YP1d574SD050feU3PCNvse7Ec
         qt4GLm65c9U/FjkK9V9jDEyDDhtZZylzQA6dJW5ismTEpEeyrNK1ec2svLqFuTtUqGGO
         XWrASxUnL1eJ5+Q25sT5uVUhGyWO5uzOYDBaYhRRcM4KpPpfKE/BRvM/uW5jQSNXSpyx
         Qqrg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=WWuzkfee;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id l18-20020a170903245200b001a920be2722si4803632pls.610.2023.05.26.09.26.31;
        Fri, 26 May 2023 09:26:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=WWuzkfee;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235137AbjEZQR1 (ORCPT <rfc822;aadipersonal10@gmail.com>
        + 99 others); Fri, 26 May 2023 12:17:27 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32886 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229648AbjEZQR0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 May 2023 12:17:26 -0400
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3FA94BC;
        Fri, 26 May 2023 09:17:25 -0700 (PDT)
Received: from vefanov-Precision-3650-Tower.intra.ispras.ru (unknown [10.10.2.69])
        by mail.ispras.ru (Postfix) with ESMTPSA id 878B644C100F;
        Fri, 26 May 2023 16:17:23 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 878B644C100F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
        s=default; t=1685117843;
        bh=aqS+SmgTj1O1ACMyKobn1Ejjd1RSyeh/KMYxC+E+Wpw=;
        h=From:To:Cc:Subject:Date:From;
        b=WWuzkfeeBYGRMal7EvzSPJ1GwuO9j5aqUIvjRD/XGiesQHPXHBQL4RuXh1Ed4gZfg
         deRtyLECp5+T7H6Wyse4v5qDYMKCBT0wkBc1y0dCyY6AvrK7HuR9daK5FjFGmpG8yR
         T57ZgSiCU27zWgZp6IXoHAuFKLuNIOAzmzY/nT8k=
From:   Vladislav Efanov <VEfanov@ispras.ru>
To:     Marek Lindner <mareklindner@neomailbox.ch>
Cc:     Vladislav Efanov <VEfanov@ispras.ru>,
        Simon Wunderlich <sw@simonwunderlich.de>,
        Antonio Quartulli <a@unstable.cc>,
        Sven Eckelmann <sven@narfation.org>,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH] batman-adv: Broken sync while rescheduling delayed work
Date:   Fri, 26 May 2023 19:16:32 +0300
Message-Id: <20230526161632.1460753-1-VEfanov@ispras.ru>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Syzkaller got a lot of crashes like:
KASAN: use-after-free Write in *_timers*

All of these crashes point to the same memory area:

The buggy address belongs to the object at ffff88801f870000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 5320 bytes inside of
 8192-byte region [ffff88801f870000, ffff88801f872000)

This area belongs to :
        batadv_priv->batadv_priv_dat->delayed_work->timer_list

The reason for these issues is the lack of synchronization. Delayed
work (batadv_dat_purge) schedules new timer/work while the device
is being deleted. As the result new timer/delayed work is set after
cancel_delayed_work_sync() was called. So after the device is freed
the timer list contains pointer to already freed memory.

Found by Linux Verification Center (linuxtesting.org) with syzkaller.

Fixes: 2f1dfbe18507 ("batman-adv: Distributed ARP Table - implement local storage")
Signed-off-by: Vladislav Efanov <VEfanov@ispras.ru>
---
 net/batman-adv/distributed-arp-table.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 6968e55eb971..28a939d56090 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -101,7 +101,6 @@ static void batadv_dat_purge(struct work_struct *work);
  */
 static void batadv_dat_start_timer(struct batadv_priv *bat_priv)
 {
-	INIT_DELAYED_WORK(&bat_priv->dat.work, batadv_dat_purge);
 	queue_delayed_work(batadv_event_workqueue, &bat_priv->dat.work,
 			   msecs_to_jiffies(10000));
 }
@@ -819,6 +818,7 @@ int batadv_dat_init(struct batadv_priv *bat_priv)
 	if (!bat_priv->dat.hash)
 		return -ENOMEM;
 
+	INIT_DELAYED_WORK(&bat_priv->dat.work, batadv_dat_purge);
 	batadv_dat_start_timer(bat_priv);
 
 	batadv_tvlv_handler_register(bat_priv, batadv_dat_tvlv_ogm_handler_v1,
-- 
2.34.1