From: Alexander Aring
Date: Sun, 3 Mar 2024 18:19:58 -0500
Subject: Re: [PATCH wpan] mac802154: fix llsec key resources release in mac802154_llsec_key_del
To: Fedor Pchelkin
Cc: Alexander Aring, Stefan Schmidt, Miquel Raynal, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Phoebe Buckheister, linux-wpan@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org, stable@vger.kernel.org
References: <20240228163840.6667-1-pchelkin@ispras.ru>
In-Reply-To: <20240228163840.6667-1-pchelkin@ispras.ru>

Hi,

On Wed, Feb 28, 2024 at 11:44 AM Fedor Pchelkin wrote:
>
> mac802154_llsec_key_del() can free resources of a key directly without
> following the RCU rules for waiting before the end of a grace period. This
> may lead to use-after-free in case llsec_lookup_key() is traversing the
> list of keys in parallel with a key deletion:
>
> refcount_t: addition on 0; use-after-free.
> WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0
> Modules linked in:
> CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> RIP: 0010:refcount_warn_saturate+0x162/0x2a0
> Call Trace:
>
> llsec_lookup_key.isra.0+0x890/0x9e0
> mac802154_llsec_encrypt+0x30c/0x9c0
> ieee802154_subif_start_xmit+0x24/0x1e0
> dev_hard_start_xmit+0x13e/0x690
> sch_direct_xmit+0x2ae/0xbc0
> __dev_queue_xmit+0x11dd/0x3c20
> dgram_sendmsg+0x90b/0xd60
> __sys_sendto+0x466/0x4c0
> __x64_sys_sendto+0xe0/0x1c0
> do_syscall_64+0x45/0xf0
> entry_SYSCALL_64_after_hwframe+0x6e/0x76
>
> Also, ieee802154_llsec_key_entry structures are not freed by
> mac802154_llsec_key_del():
>
> unreferenced object 0xffff8880613b6980 (size 64):
>   comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s)
>   hex dump (first 32 bytes):
>     78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x......."......
>     00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................
>   backtrace:
>     [] __kmem_cache_alloc_node+0x1e2/0x2d0
>     [] kmalloc_trace+0x25/0xc0
>     [] mac802154_llsec_key_add+0xac9/0xcf0
>     [] ieee802154_add_llsec_key+0x5a/0x80
>     [] nl802154_add_llsec_key+0x426/0x5b0
>     [] genl_family_rcv_msg_doit+0x1fe/0x2f0
>     [] genl_rcv_msg+0x531/0x7d0
>     [] netlink_rcv_skb+0x169/0x440
>     [] genl_rcv+0x28/0x40
>     [] netlink_unicast+0x53c/0x820
>     [] netlink_sendmsg+0x93b/0xe60
>     [] ____sys_sendmsg+0xac5/0xca0
>     [] ___sys_sendmsg+0x11d/0x1c0
>     [] __sys_sendmsg+0xfa/0x1d0
>     [] do_syscall_64+0x45/0xf0
>     [] entry_SYSCALL_64_after_hwframe+0x6e/0x76
>
> Handle the proper resource release in the RCU callback function
> mac802154_llsec_key_del_rcu().
>
> Note that if llsec_lookup_key() finds a key, it gets a refcount via
> llsec_key_get() and locally copies key id from key_entry (which is a
> list element). So it's safe to call llsec_key_put() and free the list
> entry after the RCU grace period elapses.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: 5d637d5aabd8 ("mac802154: add llsec structures and mutators")
> Cc: stable@vger.kernel.org
> Signed-off-by: Fedor Pchelkin
> ---
> Should the patch be targeted to "net" tree directly?
>
>  include/net/cfg802154.h |  1 +
>  net/mac802154/llsec.c   | 18 +++++++++++++-----
>  2 files changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/include/net/cfg802154.h b/include/net/cfg802154.h
> index cd95711b12b8..76d2cd2e2b30 100644
> --- a/include/net/cfg802154.h
> +++ b/include/net/cfg802154.h
> @@ -401,6 +401,7 @@ struct ieee802154_llsec_key {
>
>  struct ieee802154_llsec_key_entry {
>  	struct list_head list;
> +	struct rcu_head rcu;
>
>  	struct ieee802154_llsec_key_id id;
>  	struct ieee802154_llsec_key *key;
> diff --git a/net/mac802154/llsec.c b/net/mac802154/llsec.c
> index 8d2eabc71bbe..f13b07ebfb98 100644
> --- a/net/mac802154/llsec.c
> +++ b/net/mac802154/llsec.c
> @@ -265,19 +265,27 @@ int mac802154_llsec_key_add(struct mac802154_llsec *sec,
>  	return -ENOMEM;
>  }
>
> +static void mac802154_llsec_key_del_rcu(struct rcu_head *rcu)
> +{
> +	struct ieee802154_llsec_key_entry *pos;
> +	struct mac802154_llsec_key *mkey;
> +
> +	pos = container_of(rcu, struct ieee802154_llsec_key_entry, rcu);
> +	mkey = container_of(pos->key, struct mac802154_llsec_key, key);
> +
> +	llsec_key_put(mkey);
> +	kfree_sensitive(pos);

I don't think this kfree is right, "struct ieee802154_llsec_key_entry"
is declared as "non pointer" in "struct mac802154_llsec_key". The
memory that is part of "struct ieee802154_llsec_key_entry" should be
freed when llsec_key_put(), llsec_key_release() hits.

Or is there something I am missing here?

Thanks.

Otherwise the patch looks correct to me.

- Alex
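Review bot: in the llsec.c hunk, kfree_sensitive(pos) at the end of mac802154_llsec_key_del_rcu() is consistent with the kmemleak report quoted in the commit message, which shows the 64-byte ieee802154_llsec_key_entry as its own kmalloc_trace allocation made from mac802154_llsec_key_add(), so the callback is the right place to free the entry once llsec_key_put() has dropped the key reference; because the embedded-versus-separately-allocated question is exactly what this thread turns on, the commit message should state explicitly that the list entry is allocated separately from the key. The quoted part of the hunk stops at the new callback, so the deletion site that unlinks the entry from the list and presumably arms it with call_rcu(&pos->rcu, mac802154_llsec_key_del_rcu) is not visible in this mail; the "refcount plus local copy of the key id" argument in the commit message holds only if the unlink happens before the callback is queued and llsec_lookup_key() walks the list under rcu_read_lock(), which is worth confirming against the full patch.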