Received: by 2002:ab2:6857:0:b0:1ef:ffd0:ce49 with SMTP id l23csp2576121lqp; Mon, 25 Mar 2024 03:14:31 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVA65lpQ5K6fTkOeEA3N/mS6UzRYjbId8GA6cQREJp2XBU5HkOkys++6zIg13PV5PK5SNBVnTNoyzYH4/00w2F4cbcGw8VGOzQb5juzmQ== X-Google-Smtp-Source: AGHT+IFtCXGNsKahgDaBI2x/L2bOBNKZg4J6niZBB8oDzDMMG+MmINH75gnXg4pDHyzb322D8j8J X-Received: by 2002:a05:622a:1986:b0:431:6179:3881 with SMTP id u6-20020a05622a198600b0043161793881mr576571qtc.58.1711361671664; Mon, 25 Mar 2024 03:14:31 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711361671; cv=pass; d=google.com; s=arc-20160816; b=uJPZQ2uAsCo8gUG1WoOKcgmG5P02PTdqZU+/UBm9iNMj6+X72Q7YtcM21HwM+zZVmP gcfzK9W8vPUSarYq4FZd0MIBwKM5XN+n9v5w3nGKzKSyuVXKnsCC7N4cCofuYnILNoeR r0jNOGBg2XN92hF2dk0QGF2PLg8sVGtjBAZPCG2pXgTwR1EDvpxSvFdv7lj/rccUK0K3 tzWHSqYDkhhZ/iR7t5+bdp93utqtytCpXKhx6TMBi+DU+2vM0ygGnJCF5Lxwo9sk4NgZ dNuVHdymk2zjm1hfvPRlQvzKdg8ral2KvPIGpqP8HC6fBJgkK2CDeamoVrHKFo0xplkU mcsg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=Xk4t9QI6ogBe7MZe5GAGvGRMy2kyMNtUfdkPJLGw9G8=; fh=QjpbeGVwognWl3PIZE4AWsCuylyHvllwVo1MB9wPxTE=; b=LlvHn1LLOpOHAyVEoD9rEBnNkKkkUEM/JPW8H6zPeiXEJDqIOryHx1pe97gbXIDVKE stPTiyYRJuSyOy2KnF8OmSmsntq11/pPsaEPQ0gwqvkx7PxfgxhYl/8NXgVW/H0HNI1b 25lRSqOAv3t9oZGtisz7jv5wSx4SvhIJFzjaEDP2LWWPS1fC17chPOVrlJJ47C2KX3L6 yd8GS1v91aipxJN4cA1W4KMw85uV9Bn8yH6YKdK6TlIqyGrA/+Ph0aQwGisRmUpUQiAY S1zXSDzPREbG1wZ7U9PODLupE8fmNBDrEwxw0fUMYtnZL7fsHWbxVvxV8VdC+taOvJIE X7MQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=oKbPGj6D; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-116145-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-116145-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id jd18-20020a05622a719200b004313d844994si5083904qtb.26.2024.03.25.03.14.31 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Mar 2024 03:14:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-116145-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=oKbPGj6D; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-116145-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-116145-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 3FD391C32A07 for ; Mon, 25 Mar 2024 10:14:31 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BE2BB281F0C; Mon, 25 Mar 2024 03:32:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="oKbPGj6D" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E057817A91D; Sun, 24 Mar 2024 23:41:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711323695; cv=none; b=UK5NSMAlkKjAXDsh2pBXhyqe5BJfImuvDh8BlwbWG5igb1rKHvU0m2zvlMywE2Jv1IxfX0iSCQ2fKmIn7nZFO9VZP+ILox0G5O6k4rAJnDeWlRyK+s8sBS9O1JfecImSJ83CgGJRP8g2n1YcjPP4f/qwT0FCjQ8RuQeUdmA1SO8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711323695; c=relaxed/simple; bh=3AHGZwGBO1jHXwKXahulwh/1k2oNC2Sm2woEkVkXI0g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=oYQddCQflOA80kLecxcvipy6saVcsKMbKYoOcjuukj+dQpJi/Jx0Sf3T7BNt/+XWAy2G7BjPwYDwj777ZGA9pZbdtHIsdQ7YzjHqpU2iMJx3KSBeIe42XK/Jzxep7Vv4S3XF2LmOlBmNHkZqRqfI0GOOdfIT6IWD9bRYqTBd448= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=oKbPGj6D; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 25B92C43399; Sun, 24 Mar 2024 23:41:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1711323693; bh=3AHGZwGBO1jHXwKXahulwh/1k2oNC2Sm2woEkVkXI0g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oKbPGj6D91H7595rRKCCyiIsv+xkZw1MahowowXUjY4yYbrZDXbXMAzhoXmz15PqM iKZKnOSmWUKW2m7scp1cBgLtPSoRyYrgISS5dYUGGGqsUo18jAEWaLU1Z3XragqE11 DHW2UgWGrgHaNL84YWtQnwVxwkA+AGzUwzysvi7xuT935LjFep5lYrwePLEi+doOm0 zjAbcbb+pJ8wASm+TMXFq4Zd6oKm1Z5BGUbdjzC9RwXojtrFDgYrWHDlmNKBU3QbSF DXVzvyDkKjjURTpqeN8E7O43GRikyeY2TsdG/dzNI2uL4Ahwncz3uz+xo51y8tgxf9 xQ7YQ/IS/rwtw== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: =?UTF-8?q?Alexis=20Lothor=C3=A9?= , Kalle Valo , Sasha Levin Subject: [PATCH 5.10 066/238] wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces Date: Sun, 24 Mar 2024 19:37:34 -0400 Message-ID: <20240324234027.1354210-67-sashal@kernel.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240324234027.1354210-1-sashal@kernel.org> References: <20240324234027.1354210-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit From: Alexis Lothoré [ Upstream commit cb5942b77c05d54310a0420cac12935e9b6aa21c ] wilc_netdev_cleanup currently triggers a KASAN warning, which can be observed on interface registration error path, or simply by removing the module/unbinding device from driver: echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind ================================================================== BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc Read of size 4 at addr c54d1ce8 by task sh/86 CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117 Hardware name: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x58 dump_stack_lvl from print_report+0x154/0x500 print_report from kasan_report+0xac/0xd8 kasan_report from wilc_netdev_cleanup+0x508/0x5cc wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec wilc_bus_remove from spi_remove+0x8c/0xac spi_remove from device_release_driver_internal+0x434/0x5f8 device_release_driver_internal from unbind_store+0xbc/0x108 unbind_store from kernfs_fop_write_iter+0x398/0x584 kernfs_fop_write_iter from vfs_write+0x728/0xf88 vfs_write from ksys_write+0x110/0x1e4 ksys_write from ret_fast_syscall+0x0/0x1c [...] Allocated by task 1: kasan_save_track+0x30/0x5c __kasan_kmalloc+0x8c/0x94 __kmalloc_node+0x1cc/0x3e4 kvmalloc_node+0x48/0x180 alloc_netdev_mqs+0x68/0x11dc alloc_etherdev_mqs+0x28/0x34 wilc_netdev_ifc_init+0x34/0x8ec wilc_cfg80211_init+0x690/0x910 wilc_bus_probe+0xe0/0x4a0 spi_probe+0x158/0x1b0 really_probe+0x270/0xdf4 __driver_probe_device+0x1dc/0x580 driver_probe_device+0x60/0x140 __driver_attach+0x228/0x5d4 bus_for_each_dev+0x13c/0x1a8 bus_add_driver+0x2a0/0x608 driver_register+0x24c/0x578 do_one_initcall+0x180/0x310 kernel_init_freeable+0x424/0x484 kernel_init+0x20/0x148 ret_from_fork+0x14/0x28 Freed by task 86: kasan_save_track+0x30/0x5c kasan_save_free_info+0x38/0x58 __kasan_slab_free+0xe4/0x140 kfree+0xb0/0x238 device_release+0xc0/0x2a8 kobject_put+0x1d4/0x46c netdev_run_todo+0x8fc/0x11d0 wilc_netdev_cleanup+0x1e4/0x5cc wilc_bus_remove+0xc8/0xec spi_remove+0x8c/0xac device_release_driver_internal+0x434/0x5f8 unbind_store+0xbc/0x108 kernfs_fop_write_iter+0x398/0x584 vfs_write+0x728/0xf88 ksys_write+0x110/0x1e4 ret_fast_syscall+0x0/0x1c [...] David Mosberger-Tan initial investigation [1] showed that this use-after-free is due to netdevice unregistration during vif list traversal. When unregistering a net device, since the needs_free_netdev has been set to true during registration, the netdevice object is also freed, and as a consequence, the corresponding vif object too, since it is attached to it as private netdevice data. The next occurrence of the loop then tries to access freed vif pointer to the list to move forward in the list. Fix this use-after-free thanks to two mechanisms: - navigate in the list with list_for_each_entry_safe, which allows to safely modify the list as we go through each element. For each element, remove it from the list with list_del_rcu - make sure to wait for RCU grace period end after each vif removal to make sure it is safe to free the corresponding vif too (through unregister_netdev) Since we are in a RCU "modifier" path (not a "reader" path), and because such path is expected not to be concurrent to any other modifier (we are using the vif_mutex lock), we do not need to use RCU list API, that's why we can benefit from list_for_each_entry_safe. [1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/ Fixes: 8399918f3056 ("staging: wilc1000: use RCU list to maintain vif interfaces list") Signed-off-by: Alexis Lothoré Signed-off-by: Kalle Valo Link: https://msgid.link/20240212-wilc_rework_deinit-v1-1-9203ae56c27f@bootlin.com Signed-off-by: Sasha Levin --- .../net/wireless/microchip/wilc1000/netdev.c | 28 +++++-------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c index 463f3bfc3064d..ab84b146aa272 100644 --- a/drivers/net/wireless/microchip/wilc1000/netdev.c +++ b/drivers/net/wireless/microchip/wilc1000/netdev.c @@ -821,8 +821,7 @@ static const struct net_device_ops wilc_netdev_ops = { void wilc_netdev_cleanup(struct wilc *wilc) { - struct wilc_vif *vif; - int srcu_idx, ifc_cnt = 0; + struct wilc_vif *vif, *vif_tmp; if (!wilc) return; @@ -832,32 +831,19 @@ void wilc_netdev_cleanup(struct wilc *wilc) wilc->firmware = NULL; } - srcu_idx = srcu_read_lock(&wilc->srcu); - list_for_each_entry_rcu(vif, &wilc->vif_list, list) { + list_for_each_entry_safe(vif, vif_tmp, &wilc->vif_list, list) { + mutex_lock(&wilc->vif_mutex); + list_del_rcu(&vif->list); + wilc->vif_num--; + mutex_unlock(&wilc->vif_mutex); + synchronize_srcu(&wilc->srcu); if (vif->ndev) unregister_netdev(vif->ndev); } - srcu_read_unlock(&wilc->srcu, srcu_idx); wilc_wfi_deinit_mon_interface(wilc, false); destroy_workqueue(wilc->hif_workqueue); - while (ifc_cnt < WILC_NUM_CONCURRENT_IFC) { - mutex_lock(&wilc->vif_mutex); - if (wilc->vif_num <= 0) { - mutex_unlock(&wilc->vif_mutex); - break; - } - vif = wilc_get_wl_to_vif(wilc); - if (!IS_ERR(vif)) - list_del_rcu(&vif->list); - - wilc->vif_num--; - mutex_unlock(&wilc->vif_mutex); - synchronize_srcu(&wilc->srcu); - ifc_cnt++; - } - wilc_wlan_cfg_deinit(wilc); wlan_deinit_locks(wilc); kfree(wilc->bus_data); -- 2.43.0