From patchwork Thu Apr 21 10:24:21 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ovidiu Panait <ovidiu.panait@windriver.com>
X-Patchwork-Id: 568091
Return-Path: <stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 475AAC433EF
 for <stable@archiver.kernel.org>; Thu, 21 Apr 2022 10:26:04 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1388363AbiDUK2u (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 21 Apr 2022 06:28:50 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52232 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1388525AbiDUK1r (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 21 Apr 2022 06:27:47 -0400
Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com
 [205.220.166.238])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D434A1106
 for <stable@vger.kernel.org>; Thu, 21 Apr 2022 03:24:57 -0700 (PDT)
Received: from pps.filterd (m0250810.ppops.net [127.0.0.1])
 by mx0a-0064b401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id
 23LA8WLN024294; Thu, 21 Apr 2022 03:24:57 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com;
 h=from : to : cc :
 subject : date : message-id : in-reply-to : references :
 content-transfer-encoding : content-type : mime-version; s=PPS06212021;
 bh=y8cv70/h66tFYtlY7CxyFRgpQeas58ti9YV8hDvFVFU=;
 b=Qk3mz7wW4OOznfxm08sW4FSaf2Oks36zJNybalUDdY0qwLuSNdNaJnDFF+O2IZmzJlj/
 PZonCe1w0EH2N7MaUbFDlGzK4au2ji4ita/o7ESW9M+qNxJEM4wPrczuhQgbqh5zkJEn
 EyJyxjN1BkjTpNEnxuXcaZP/SlmBhNaAuRwXHR6q9DlPHmDX+FdFHdZttYhrN+AAe4J2
 S4lVHCxo2a5BLduBIh6bcUgBvFTRobdd3m+msSn7FjDr1naxCmPA4hHnOYxNeGWxAp8j
 vEJB4FvMIj6K4Y7GRfzKezASL3ppLvNgkMl7VI4h2L8vdE0dAzyNWiCBT7ExsO+0bwGS 8g==
Received: from nam11-bn8-obe.outbound.protection.outlook.com
 (mail-bn8nam11lp2169.outbound.protection.outlook.com [104.47.58.169])
 by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3ffs313ngq-1
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
 verify=NOT); Thu, 21 Apr 2022 03:24:57 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=T9FNhy1Whtd/JB77lAdWnu2HJP732u4QD0+F/B3dyJhlV8Zmw8zrglm/Zbxo8G+axfhVDSujQom/jLcTxZxqU9rcyWyMafIjub8KrqflbLhI5J/j9PTGiJVmrrk5ikpN2JApbZLouAAThmEL0QiAN46W9z2SLC9U5o2V22OZmX4ivFKo31R8rpJ93AU0pdRsarfl0+ckBPgHQDziz/6/lXkWm3khNLvnk+byxGMoP6dyvOEXht+p0Wl3qtsTYIDdeRZ9GfLa4537OqwxRyc/ljYmHmG+ooyVhAxJqdecAkDfM6riTf1h+ra6ZDDOjEANjYAwJ3KipAlRAvVe7SrBlg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; 
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=y8cv70/h66tFYtlY7CxyFRgpQeas58ti9YV8hDvFVFU=;
 b=Coc61XdWa1MkvD/TiBpBsSfeMXnvILpbgYdyrdnACmV13l2Hz8n8ky5efVj8UZecagEJEJ3bYKZ32GeDeTsRdYlcRNNa1wk68lVzgne3McJxIMcwD2mA5FncsMWlPkc0NsjQldMkTtd8IifijlpOd2o67wVBtEDswdVL8OMfaKfZU3Pa14hYoAUYeJTfVeaO+pidVpR3lV08daAh1vcG2s19g7yHgdnHQXQuEak6Pw+zZ09s105pC9keyoUJrCVJrgJ+fR1TcyexblXVMUZBaXkpMfUCGAkVOVBHdS+IylkURqH4e/dRG+oWg4kb9pq7r/yYGO8XGkbmV975hmyCxg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=windriver.com; dmarc=pass action=none
 header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none
Received: from DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22)
 by SN6PR11MB2640.namprd11.prod.outlook.com (2603:10b6:805:56::11) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5164.20; Thu, 21 Apr
 2022 10:24:55 +0000
Received: from DM4PR11MB5327.namprd11.prod.outlook.com
 ([fe80::c903:4c47:ac8a:992d]) by DM4PR11MB5327.namprd11.prod.outlook.com
 ([fe80::c903:4c47:ac8a:992d%4]) with mapi id 15.20.5164.025; Thu, 21 Apr 2022
 10:24:55 +0000
From: Ovidiu Panait <ovidiu.panait@windriver.com>
To: stable@vger.kernel.org
Cc: Duoming Zhou <duoming@zju.edu.cn>,
 "David S . Miller" <davem@davemloft.net>,
 Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: [PATCH 4.19 7/8] ax25: Fix NULL pointer dereferences in ax25 timers
Date: Thu, 21 Apr 2022 13:24:21 +0300
Message-Id: <20220421102422.1206656-7-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.36.0
In-Reply-To: <20220421102422.1206656-1-ovidiu.panait@windriver.com>
References: <20220421102422.1206656-1-ovidiu.panait@windriver.com>
X-ClientProxiedBy: VI1P195CA0092.EURP195.PROD.OUTLOOK.COM
 (2603:10a6:802:59::45) To DM4PR11MB5327.namprd11.prod.outlook.com
 (2603:10b6:5:392::22)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 5c5a40c9-3b2d-4672-829a-08da23812d93
X-MS-TrafficTypeDiagnostic: SN6PR11MB2640:EE_
X-Microsoft-Antispam-PRVS: <SN6PR11MB2640E0D078AC4052C4FFC37DFEF49@SN6PR11MB2640.namprd11.prod.outlook.com>
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: H8hUw27fm4rMyoQ/REVhRT0+1nIJkOXv3AObxf0MbcFzVsYZrKkR8s1FxR1AahyCnjLheL7QeHUPrSu4RV4V+PMo+2Rm4vqkRC+HqP3j+QSClpqmn18taFKHY8hwCuwC1w9SslBMiyYP/GHKmJu50fsQFlCcRzcHmzmyZI/+/TiRNW1KGjo1FHCnzhU5fHIf2NF83EkfdwQr7okQkrbYz7rpVyevhZ0y/FfVOyFCev5X9wO7tWBl1hONuDGOFfdCYfWrwfI+cMfje9l6MOM0aq/WoLr/OdLKDojfYKdCeIk1HYDrri5KiM/Sm+4gqv8+j+nlDlFNzVt6DdURyv09cogQ+Hpe6ZDsnL2IQZqigi3U3NOoITYz5R2eZY/NPq5M/uW5ioISUkIqZLEHzyiS87HDLhzUuit0rsFSqld0uFv3d+laY0YvvxyW+Ais8MfLcix+TYa7QVdh2NdnKUgY2XXV0aqMTH9+V0KL7g1wubUiyK5i9KpHtLwDraes55XsthzJLf0wHS7uIvRHuGL9JMJ/oH7XJo213ZOCBO3S65gCjV9kEy97o8qpOR8iE6xhwQCFmIWN7jE/XQFCNZUlodUkec1SeEVfbIyeKhcanDmBx/STnrNFzEo54jJCxOrob3qCGJtdecanCy5OH+wE776a6LdxhEez+hHL9bEWP2ryPwibSrHaF6DKvftkdiD6AVB4mRdad1SEP89a9ac86w==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
 IPV:NLI; SFV:NSPM; H:DM4PR11MB5327.namprd11.prod.outlook.com; PTR:; CAT:NONE;
 SFS:(13230001)(4636009)(366004)(38350700002)(38100700002)(66946007)(36756003)(83380400001)(8676002)(44832011)(2906002)(4326008)(6916009)(5660300002)(6486002)(6512007)(8936002)(107886003)(66476007)(508600001)(6666004)(66556008)(86362001)(54906003)(1076003)(2616005)(186003)(26005)(52116002)(316002)(6506007);
 DIR:OUT; SFP:1101; 
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: wB9n00fVkDsDiy5RmYFgVf2hC6DWi6zxwnirYwI9DTkJ3nlZM/N+LLNKIyrcVkwn9VUuPZys2zisod4ynpsQRfC557+CcdbcPDwKknKiETZVwoWcqoSvUvu8kmDHkxuLHPC2zkro/XThi5QpTLbVlmfxlMBtyShbI5rYMnXA6oVQJMYzLKu13TYIgGID7XTK87kcGUzfx4ZpnPz3cBqaJyp7HqDencxq6DN4iPQZsD/taDNM2iYkPJc8zaQelBghiQl6oP8hNQJS1fe1zt+KQ6RQvZ2kES2Vx+cLFXH/1S5IEwSQLG9+AYY6vYlnnuhS8MYnh3MMNdYFA98aFTzOH9S2RSK4dzSjGj7aB6r88h9BIjYkeGjMoYxSFiQQ+erapFjlUYkAleO4txuuZdJ7aqBfyEp9YcTf+7cFzyAStHaAKgEbq7PZHHOPo5q8jEXuFIvPU0xo0YYyg9jPVqQgRer3wHpQEcdrFIBPWSrfjnuQV2OMFLL5L7x4GE/7PT6CyMxfn7Y+fJH0NpphcT5RMtQVWf/MHukm6NTCeH4Erp5lpgMggDJ2suNcTraVCac/mxS7XhkYpm/kA+YUYGGXcro/VT7FPl/479CE9QunagOOKfepm22Aeyta9S/VcJGxphXBSHNT8D6VH5QLr/E7GZHNazYDJ7pBoGWrxPze+XD94FGaFiAfq/7eN0VgY2Hqx5Q4EP/L1C1dnbkEHdrW9pYiPrNWefr5XVpX7f3bZn42PkZdu1XIBkmJ6wl2K/QWPRABYIuEr2mpB8+9kdNsyatkD49fdra4WxTvhkR5cmpOvC25EaysQ/iPT51qxwo9DQrnhFLB/SgwPT4m4WmC4mTF+COt4K4ve5PwTyQI4XTfZlZJt4HYEdV1p3Dw4f0xrWzLQpqrFAEVNodQsYyXqWHiaArVVHw2dGo2In84ctlVsto6OJGR0BdXgYCzB4K7rMKwi2B9fFUDALSAL4XH3zTSXRzMUhE4byWo24Q9DOjVVENh6EHZpUrXAZ4p4A/AYz1Tqc01f47myMbb3xGKzcOHpkX6/huk5BGyUGk+000teK86gtAEnan6MNKRNV8lioShDkbgsJUZeKwTXyS/kH8bbS2Fk4nlp7Uys5ZUkwWO5AL8yPGBAK+GRzpYYyl8ZbLXyucabwd4dIoPqmNUCrqzS6E3LnDul6nx3YdstGPEgGYNwRP6AViP2yAeWDZB1T8ON/VXxmvKzL9Z5yiNTn9cF82Qtmunlf2y23w+RwcvECeFypb5cL/VERMsuH/nO1sDG6d/NgcAFQeVQSIX9evPm2tq60wqffYKqNLy9Fn6ofUvMNUOqyzxlBNyyXjZz1qrJN3wk/fAlsnEeHPnrkZdV1izSrAqlNcruRWMXpegwMCJb7OeNSBu7s/5bRnZrSLvHxuK1sOAja61SKzc+JAOC6e2LgkcUQ6FDpq8ImHgR03cqO65a2wcBRqD+EkDW1UgzjSY/8/v2UjG6mfVCU2xQAqdnNHxrwbSZx+seeVAnw/KJRZLCW87078PfO1GV0q3dK/sgtVe+G0R/vlpiNu8kiosZNZIky8o6qJAiimeStBFJra5Wgp+c+mdxJxXDYHj4ud1UqjBmhtjksQJ4IKbB6ORknGpuaUhWm/cvuKARZd6yEFTPFg9fA40MYdb88rIc7BN8F6sQ0TPI90bUNevhqcIjIMLQS7gZV6nzMsY9oEQJl0Vi0syDAsgE+UcR11DYx5d7HsMB4N+uqhVM+y9PLBtRqWmFmDxsWswQ98=
X-OriginatorOrg: windriver.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5c5a40c9-3b2d-4672-829a-08da23812d93
X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5327.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Apr 2022 10:24:54.9679 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: F7ofd7AIPDcs9xYT2z4RqkcNJZ5/OhlOI5E4eKQEvNoK57FH6MoknpbB7MeQ1q0/BgjMr3CyaaXU58Uj6uGL2hrBwNSz8T+rMQH3qQrQjMo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR11MB2640
X-Proofpoint-ORIG-GUID: XG8WKlkYB4-yJ7qhot_8bUjI3sWexdaF
X-Proofpoint-GUID: XG8WKlkYB4-yJ7qhot_8bUjI3sWexdaF
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514
 definitions=2022-04-20_06,2022-04-21_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 suspectscore=0
 priorityscore=1501 lowpriorityscore=0 mlxlogscore=757 mlxscore=0
 adultscore=0 clxscore=1015 spamscore=0 bulkscore=0 malwarescore=0
 impostorscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.12.0-2202240000 definitions=main-2204210057
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Duoming Zhou <duoming@zju.edu.cn>

commit fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009 upstream.

The previous commit 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect")
move ax25_disconnect into lock_sock() in order to prevent NPD bugs. But
there are race conditions that may lead to null pointer dereferences in
ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(),
ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we use
ax25_kill_by_device() to detach the ax25 device.

One of the race conditions that cause null pointer dereferences can be
shown as below:

      (Thread 1)                    |      (Thread 2)
ax25_connect()                      |
 ax25_std_establish_data_link()     |
  ax25_start_t1timer()              |
   mod_timer(&ax25->t1timer,..)     |
                                    | ax25_kill_by_device()
   (wait a time)                    |  ...
                                    |  s->ax25_dev = NULL; //(1)
   ax25_t1timer_expiry()            |
    ax25->ax25_dev->values[..] //(2)|  ...
     ...                            |

We set null to ax25_cb->ax25_dev in position (1) and dereference
the null pointer in position (2).

The corresponding fail log is shown below:
===============================================================
BUG: kernel NULL pointer dereference, address: 0000000000000050
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc6-00794-g45690b7d0
RIP: 0010:ax25_t1timer_expiry+0x12/0x40
...
Call Trace:
 call_timer_fn+0x21/0x120
 __run_timers.part.0+0x1ca/0x250
 run_timer_softirq+0x2c/0x60
 __do_softirq+0xef/0x2f3
 irq_exit_rcu+0xb6/0x100
 sysvec_apic_timer_interrupt+0xa2/0xd0
...

This patch moves ax25_disconnect() before s->ax25_dev = NULL
and uses del_timer_sync() to delete timers in ax25_disconnect().
If ax25_disconnect() is called by ax25_kill_by_device() or
ax25->ax25_dev is NULL, the reason in ax25_disconnect() will be
equal to ENETUNREACH, it will wait all timers to stop before we
set null to s->ax25_dev in ax25_kill_by_device().

Fixes: 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
[OP: backport to 4.19: adjust context]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
---
 net/ax25/af_ax25.c   |  4 ++--
 net/ax25/ax25_subr.c | 20 ++++++++++++++------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index cc0d6b3d5ad7..faa098faafa7 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -92,20 +92,20 @@ static void ax25_kill_by_device(struct net_device *dev)
 			sk = s->sk;
 			if (!sk) {
 				spin_unlock_bh(&ax25_list_lock);
-				s->ax25_dev = NULL;
 				ax25_disconnect(s, ENETUNREACH);
+				s->ax25_dev = NULL;
 				spin_lock_bh(&ax25_list_lock);
 				goto again;
 			}
 			sock_hold(sk);
 			spin_unlock_bh(&ax25_list_lock);
 			lock_sock(sk);
+			ax25_disconnect(s, ENETUNREACH);
 			s->ax25_dev = NULL;
 			if (sk->sk_socket) {
 				dev_put(ax25_dev->dev);
 				ax25_dev_put(ax25_dev);
 			}
-			ax25_disconnect(s, ENETUNREACH);
 			release_sock(sk);
 			spin_lock_bh(&ax25_list_lock);
 			sock_put(sk);
diff --git a/net/ax25/ax25_subr.c b/net/ax25/ax25_subr.c
index 038b109b2be7..c129865cad9f 100644
--- a/net/ax25/ax25_subr.c
+++ b/net/ax25/ax25_subr.c
@@ -264,12 +264,20 @@ void ax25_disconnect(ax25_cb *ax25, int reason)
 {
 	ax25_clear_queues(ax25);
 
-	if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY))
-		ax25_stop_heartbeat(ax25);
-	ax25_stop_t1timer(ax25);
-	ax25_stop_t2timer(ax25);
-	ax25_stop_t3timer(ax25);
-	ax25_stop_idletimer(ax25);
+	if (reason == ENETUNREACH) {
+		del_timer_sync(&ax25->timer);
+		del_timer_sync(&ax25->t1timer);
+		del_timer_sync(&ax25->t2timer);
+		del_timer_sync(&ax25->t3timer);
+		del_timer_sync(&ax25->idletimer);
+	} else {
+		if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY))
+			ax25_stop_heartbeat(ax25);
+		ax25_stop_t1timer(ax25);
+		ax25_stop_t2timer(ax25);
+		ax25_stop_t3timer(ax25);
+		ax25_stop_idletimer(ax25);
+	}
 
 	ax25->state = AX25_STATE_0;