From patchwork Thu Apr 21 10:24:15 2022
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: Duoming Zhou, "David S. Miller", Ovidiu Panait
Subject: [PATCH 4.19 1/8] ax25: add refcount in ax25_dev to avoid UAF bugs
Date: Thu, 21 Apr 2022 13:24:15 +0300
Message-Id: <20220421102422.1206656-1-ovidiu.panait@windriver.com>

From: Duoming Zhou

commit d01ffb9eee4af165d83b08dd73ebdf9fe94a519b upstream.

If we dereference ax25_dev after we call kfree(ax25_dev) in
ax25_dev_device_down(), it will lead to concurrency UAF bugs.
There are eight syscall functions that suffer from UAF bugs, including
ax25_bind(), ax25_release(), ax25_connect(), ax25_ioctl(),
ax25_getname(), ax25_sendmsg(), ax25_getsockopt() and ax25_info_show().

One of the concurrency UAF bugs can be shown as below:

      (USE)                       |      (FREE)
                                  | ax25_device_event
                                  |   ax25_dev_device_down
ax25_bind                         |   ...
  ...                             |   kfree(ax25_dev)
  ax25_fillin_cb()                |   ...
    ax25_fillin_cb_from_dev()     |
  ...                             |

The root cause of the UAF bugs is that kfree(ax25_dev) in
ax25_dev_device_down() is not protected by any locks. When ax25_dev,
which there are still pointers pointing to, is released, the
concurrency UAF bug will happen.

This patch introduces refcount into ax25_dev in order to guarantee that
there are no pointers pointing to it when ax25_dev is released.

Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 4.19: adjusted context]
Signed-off-by: Ovidiu Panait
---
 include/net/ax25.h    | 10 ++++++++++
 net/ax25/af_ax25.c    |  2 ++
 net/ax25/ax25_dev.c   | 12 ++++++++++--
 net/ax25/ax25_route.c |  3 +++
 4 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h index 8b7eb46ad72d..d81bfb674906 100644 --- a/include/net/ax25.h +++ b/include/net/ax25.h @@ -236,6 +236,7 @@ typedef struct ax25_dev { #if defined(CONFIG_AX25_DAMA_SLAVE) || defined(CONFIG_AX25_DAMA_MASTER) ax25_dama_info dama; #endif + refcount_t refcount; } ax25_dev; typedef struct ax25_cb { @@ -290,6 +291,15 @@ static __inline__ void ax25_cb_put(ax25_cb *ax25) } } +#define ax25_dev_hold(__ax25_dev) \ + refcount_inc(&((__ax25_dev)->refcount)) + +static __inline__ void ax25_dev_put(ax25_dev *ax25_dev) +{ + if (refcount_dec_and_test(&ax25_dev->refcount)) { + kfree(ax25_dev); + } +} static inline __be16 ax25_type_trans(struct sk_buff *skb, struct net_device *dev) { skb->dev = dev;
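Review bot: in the include/net/ax25.h hunk ax25_dev_hold() is added as a macro while ax25_dev_put() is a function, so a call with the wrong pointer type compiles silently; a `static inline void ax25_dev_hold(ax25_dev *ax25_dev)` mirroring ax25_dev_put() gives the same type checking on both sides (patch 2/8 of this series makes exactly that change). Style nit in the same hunk: the braces around the single `kfree(ax25_dev);` statement are not needed.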
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 3170b43b9f89..56776e2997a5 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -101,6 +101,7 @@ static void ax25_kill_by_device(struct net_device *dev) spin_unlock_bh(&ax25_list_lock); lock_sock(sk); s->ax25_dev = NULL; + ax25_dev_put(ax25_dev); release_sock(sk); ax25_disconnect(s, ENETUNREACH); spin_lock_bh(&ax25_list_lock); @@ -449,6 +450,7 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg) } out_put: + ax25_dev_put(ax25_dev); ax25_cb_put(ax25); return ret; diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index d92195cd7834..76d105390706 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -40,6 +40,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next) if (ax25cmp(addr, (ax25_address *)ax25_dev->dev->dev_addr) == 0) { res = ax25_dev; + ax25_dev_hold(ax25_dev); } spin_unlock_bh(&ax25_dev_lock); @@ -59,6 +60,7 @@ void ax25_dev_device_up(struct net_device *dev) return; } + refcount_set(&ax25_dev->refcount, 1); dev->ax25_ptr = ax25_dev; ax25_dev->dev = dev; dev_hold(dev); @@ -86,6 +88,7 @@ void ax25_dev_device_up(struct net_device *dev) spin_lock_bh(&ax25_dev_lock); ax25_dev->next = ax25_dev_list; ax25_dev_list = ax25_dev; + ax25_dev_hold(ax25_dev); spin_unlock_bh(&ax25_dev_lock); ax25_register_dev_sysctl(ax25_dev); @@ -115,20 +118,22 @@ void ax25_dev_device_down(struct net_device *dev) if ((s = ax25_dev_list) == ax25_dev) { ax25_dev_list = s->next; + ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; dev_put(dev); - kfree(ax25_dev); + ax25_dev_put(ax25_dev); return; } while (s != NULL && s->next != NULL) { if (s->next == ax25_dev) { s->next = ax25_dev->next; + ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; dev_put(dev); - kfree(ax25_dev); + ax25_dev_put(ax25_dev); return; } 
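Review bot: the `ax25_dev_put(ax25_dev)` added to ax25_kill_by_device() releases the reference the socket acquired when ax25_addr_ax25dev() (which now takes a hold) stored the device in s->ax25_dev, but only for sockets torn down because the device went away; nothing in this patch shows the ordinary socket release path (ax25_release() is listed in the commit message as an affected caller) dropping that same reference, so please confirm it does, otherwise a socket that binds and closes normally pins its ax25_dev for good. In the ax25_ctl_ioctl() hunk the new put hangs only off the `out_put:` label, so any return between the ax25_addr_ax25dev() call and that label leaks the reference; the -ENOTCONN return when ax25_find_cb() fails is one such path (patch 2/8 adds the missing put there). Routing every error through a label that puts the device, or moving the lookup below the argument checks so fewer returns sit between them, would close that class of leak.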
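Review bot: in the ax25_addr_ax25dev() hunk a hold is taken on every matching entry but the loop has no `break`, so if two list entries carry the same address `res` is overwritten and the hold on the first one is never dropped; add `break;` after the hold (it also avoids walking the rest of the list). In the ax25_dev_device_up()/ax25_dev_device_down() hunks the count is 2 after registration (refcount_set(..., 1) for dev->ax25_ptr plus ax25_dev_hold() for the list entry) and device_down drops exactly two; a one-line comment at the refcount_set() naming the owner of each reference would keep later changes from unbalancing it. The put that accompanies the list unlink is issued while ax25_dev_lock is still held; it cannot be the final drop here because the ax25_ptr reference is still outstanding, but dropping references inside the critical section is fragile, so move it after spin_unlock_bh() (patch 2/8 does).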
@@ -136,6 +141,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + ax25_dev_put(ax25_dev); } int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) @@ -152,6 +158,7 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) if (ax25_dev->forward != NULL) return -EINVAL; ax25_dev->forward = fwd_dev->dev; + ax25_dev_put(fwd_dev); break; case SIOCAX25DELFWD: @@ -164,6 +171,7 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) return -EINVAL; } + ax25_dev_put(ax25_dev); return 0; } diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c index 66d54fc11831..cd380767245c 100644 --- a/net/ax25/ax25_route.c +++ b/net/ax25/ax25_route.c @@ -119,6 +119,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->dev = ax25_dev->dev; ax25_rt->digipeat = NULL; ax25_rt->ip_mode = ' '; + ax25_dev_put(ax25_dev); if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); @@ -175,6 +176,7 @@ static int ax25_rt_del(struct ax25_routes_struct *route) } } } + ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); return 0; 
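Review bot: in the ax25_fwd_ioctl() hunks the `return -EINVAL` on `ax25_dev->forward != NULL` sits after the fwd_dev lookup and before the new `ax25_dev_put(fwd_dev)`, leaking fwd_dev, and the `ax25_dev_put(ax25_dev)` placed before `return 0` is bypassed by every -EINVAL return inside the switch, leaking ax25_dev. Every exit path needs both puts (patch 2/8 fixes both).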
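Review bot: in ax25_rt_add() the put is placed right after `ax25_rt->dev = ax25_dev->dev`, which covers the digipeat allocation failure that follows it but not the returns earlier in the function (the existing-route match and the ax25_route kmalloc failure, both visible in patch 2/8's hunks), so those still leak. In ax25_rt_del() and ax25_rt_opt() (the hunk that follows) the put is issued under write_lock_bh(&ax25_route_lock); the same remark as for ax25_dev_lock applies, drop it after write_unlock_bh().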
@@ -217,6 +219,7 @@ static int ax25_rt_opt(struct ax25_route_opt_struct *rt_option) } out: + ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); return err; }

From patchwork Thu Apr 21 10:24:16 2022
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: Duoming Zhou, Dan Carpenter, Jakub Kicinski, Ovidiu Panait
Subject: [PATCH 4.19 2/8] ax25: fix reference count leaks of ax25_dev
Date: Thu, 21 Apr 2022 13:24:16 +0300
Message-Id: <20220421102422.1206656-2-ovidiu.panait@windriver.com>
In-Reply-To: <20220421102422.1206656-1-ovidiu.panait@windriver.com>
References: <20220421102422.1206656-1-ovidiu.panait@windriver.com>

From: Duoming Zhou

commit 87563a043cef044fed5db7967a75741cc16ad2b1 upstream.

The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev to
avoid UAF bugs") introduces refcount into ax25_dev, but there are
reference leak paths in ax25_ctl_ioctl(), ax25_fwd_ioctl(),
ax25_rt_add(), ax25_rt_del() and ax25_rt_opt().

This patch uses ax25_dev_put() and adjusts the position of
ax25_addr_ax25dev() to fix reference count leaks of ax25_dev.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Signed-off-by: Duoming Zhou
Reviewed-by: Dan Carpenter
Link: https://lore.kernel.org/r/20220203150811.42256-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski
[OP: backport to 4.19: adjust context]
Signed-off-by: Ovidiu Panait
---
 include/net/ax25.h    |  8 +++++---
 net/ax25/af_ax25.c    | 12 ++++++++----
 net/ax25/ax25_dev.c   | 24 +++++++++++++++++-------
 net/ax25/ax25_route.c | 16 +++++++++++-----
 4 files changed, 41 insertions(+), 19 deletions(-)
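The ownership rules that 1/8 sets up and 2/8 repairs, as an added user-space model (not kernel code and not part of either patch): device_up takes one reference for dev->ax25_ptr and one for the list entry, each ax25_addr_ax25dev() lookup hands its caller a reference it must put, and device_down drops the two it owns. It replays the SIOCAX25ADDFWD path of ax25_fwd_ioctl() twice, once as 1/8 left it and once with every exit balanced (written here with a single exit rather than 2/8's per-branch puts), and counts how many devices are actually freed when the ports go down. The model_ names, run_scenario() and the two-slot port table are this example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* User-space stand-in for ax25_dev: refcount_t becomes a plain int with
 * refcount_dec_and_test() semantics; locks are left out because the point
 * is which code path owns which reference, not the races the real code
 * also has to handle. */
struct model_dev {
	char addr[8];        /* stands in for dev->dev_addr */
	int refcount;
	bool forward_set;    /* ax25_dev->forward != NULL */
};

static struct model_dev *ports[2];  /* ax25_dev_list, flattened to two slots */
static int freed_count;             /* objects whose refcount reached zero */

static void model_hold(struct model_dev *d) { d->refcount++; }
static void model_put(struct model_dev *d)
{
	if (--d->refcount == 0) { freed_count++; free(d); }
}

/* ax25_dev_device_up(): refcount_set(1) for dev->ax25_ptr plus one hold for
 * the list entry, so a freshly registered port has a count of 2. */
static void model_device_up(int slot, const char *addr)
{
	struct model_dev *d = calloc(1, sizeof(*d));
	if (!d) abort();
	strncpy(d->addr, addr, sizeof(d->addr) - 1);
	d->refcount = 1;
	ports[slot] = d;
	model_hold(d);
}

/* ax25_addr_ax25dev(): the pointer returned carries a reference that the
 * caller must drop with model_put(). */
static struct model_dev *model_lookup(const char *addr)
{
	for (int i = 0; i < 2; i++)
		if (ports[i] && strcmp(addr, ports[i]->addr) == 0) {
			model_hold(ports[i]);
			return ports[i];
		}
	return NULL;
}

/* ax25_dev_device_down(): drop the list reference, then the ax25_ptr one.
 * A leaked lookup reference keeps the object alive forever. */
static void model_device_down(int slot)
{
	struct model_dev *d = ports[slot];
	ports[slot] = NULL;
	model_put(d);
	model_put(d);
}

/* SIOCAX25ADDFWD as 1/8 left it: both -EINVAL returns skip the puts, so the
 * caller's ax25_dev reference (and, on the second one, fwd_dev) leak. */
static int fwd_ioctl_patch1(struct model_dev *ax25_dev, const char *port_to)
{
	struct model_dev *fwd_dev = model_lookup(port_to);
	if (!fwd_dev) return -EINVAL;
	if (ax25_dev->forward_set) return -EINVAL;
	ax25_dev->forward_set = true;
	model_put(fwd_dev);
	model_put(ax25_dev);
	return 0;
}

/* The same call with every exit path balanced. */
static int fwd_ioctl_fixed(struct model_dev *ax25_dev, const char *port_to)
{
	struct model_dev *fwd_dev = model_lookup(port_to);
	int ret = -EINVAL;
	if (fwd_dev && !ax25_dev->forward_set) {
		ax25_dev->forward_set = true;
		ret = 0;
	}
	if (fwd_dev) model_put(fwd_dev);
	model_put(ax25_dev);
	return ret;
}

/* Bring up ports A and B, issue ADDFWD A->B twice (the second call takes the
 * "forward already set" -EINVAL path), take both down and report how many
 * devices were actually freed: 2 when references balance, 0 when they leak. */
static int run_scenario(int (*ioctl_fn)(struct model_dev *, const char *))
{
	memset(ports, 0, sizeof(ports));
	freed_count = 0;
	model_device_up(0, "A");
	model_device_up(1, "B");
	/* ax25_ioctl() looks up port_from before calling ax25_fwd_ioctl() */
	if (ioctl_fn(model_lookup("A"), "B") != 0) abort();
	if (ioctl_fn(model_lookup("A"), "B") != -EINVAL) abort();
	model_device_down(1);
	model_device_down(0);
	return freed_count;
}
```

With the 1/8 version both ports survive their device_down with a stray count of 1, which is the "pinned forever" outcome the series' second patch is about.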
diff --git a/include/net/ax25.h b/include/net/ax25.h index d81bfb674906..aadff553e4b7 100644 --- a/include/net/ax25.h +++ b/include/net/ax25.h @@ -291,10 +291,12 @@ static __inline__ void ax25_cb_put(ax25_cb *ax25) } } -#define ax25_dev_hold(__ax25_dev) \ - refcount_inc(&((__ax25_dev)->refcount)) +static inline void ax25_dev_hold(ax25_dev *ax25_dev) +{ + refcount_inc(&ax25_dev->refcount); +} -static __inline__ void ax25_dev_put(ax25_dev *ax25_dev) +static inline void ax25_dev_put(ax25_dev *ax25_dev) { if (refcount_dec_and_test(&ax25_dev->refcount)) { kfree(ax25_dev); diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 56776e2997a5..f605549fd25a 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -369,21 +369,25 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg) if (copy_from_user(&ax25_ctl, arg, sizeof(ax25_ctl))) return -EFAULT; - if ((ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr)) == NULL) - return -ENODEV; - if (ax25_ctl.digi_count > AX25_MAX_DIGIS) return -EINVAL; if (ax25_ctl.arg > ULONG_MAX / HZ && ax25_ctl.cmd != AX25_KILL) return -EINVAL; + ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr); + if (!ax25_dev) + return -ENODEV; + digi.ndigi = ax25_ctl.digi_count; for (k = 0; k < digi.ndigi; k++) digi.calls[k] = ax25_ctl.digi_addr[k]; - if ((ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev)) == NULL) + ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev); + if (!ax25) { + ax25_dev_put(ax25_dev); return -ENOTCONN; + } switch (ax25_ctl.cmd) { case AX25_KILL: diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 76d105390706..55a611f7239b 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c 
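Review bot: the include/net/ax25.h hunk fixes the macro/function mismatch of 1/8; the braces around the single `kfree(ax25_dev);` in ax25_dev_put() could be dropped in the same sweep.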
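Review bot: in the ax25_ctl_ioctl() hunk the explicit `ax25_dev_put(ax25_dev)` before `return -ENOTCONN` is required because `out_put:` also calls ax25_cb_put(ax25), and ax25 is NULL on this path, so it cannot become a `goto out_put`; a one-line comment saying so would stop someone from later "simplifying" it. Moving the lookup below the digi_count and arg checks is the right call, since those -EINVAL returns now need no put at all.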
@@ -88,8 +88,8 @@ void ax25_dev_device_up(struct net_device *dev) spin_lock_bh(&ax25_dev_lock); ax25_dev->next = ax25_dev_list; ax25_dev_list = ax25_dev; - ax25_dev_hold(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_hold(ax25_dev); ax25_register_dev_sysctl(ax25_dev); } @@ -118,8 +118,8 @@ void ax25_dev_device_down(struct net_device *dev) if ((s = ax25_dev_list) == ax25_dev) { ax25_dev_list = s->next; - ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); dev->ax25_ptr = NULL; dev_put(dev); ax25_dev_put(ax25_dev); @@ -129,8 +129,8 @@ void ax25_dev_device_down(struct net_device *dev) while (s != NULL && s->next != NULL) { if (s->next == ax25_dev) { s->next = ax25_dev->next; - ax25_dev_put(ax25_dev); spin_unlock_bh(&ax25_dev_lock); + ax25_dev_put(ax25_dev); dev->ax25_ptr = NULL; dev_put(dev); ax25_dev_put(ax25_dev); @@ -153,25 +153,35 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd) switch (cmd) { case SIOCAX25ADDFWD: - if ((fwd_dev = ax25_addr_ax25dev(&fwd->port_to)) == NULL) + fwd_dev = ax25_addr_ax25dev(&fwd->port_to); + if (!fwd_dev) { + ax25_dev_put(ax25_dev); return -EINVAL; - if (ax25_dev->forward != NULL) + } + if (ax25_dev->forward) { + ax25_dev_put(fwd_dev); + ax25_dev_put(ax25_dev); return -EINVAL; + } ax25_dev->forward = fwd_dev->dev; ax25_dev_put(fwd_dev); + ax25_dev_put(ax25_dev); break; case SIOCAX25DELFWD: - if (ax25_dev->forward == NULL) + if (!ax25_dev->forward) { + ax25_dev_put(ax25_dev); return -EINVAL; + } ax25_dev->forward = NULL; + ax25_dev_put(ax25_dev); break; default: + ax25_dev_put(ax25_dev); return -EINVAL; } - ax25_dev_put(ax25_dev); return 0; } diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c index cd380767245c..8f81de88f006 100644 --- a/net/ax25/ax25_route.c +++ b/net/ax25/ax25_route.c 
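Review bot: the three hunks that move ax25_dev_hold()/ax25_dev_put() across spin_unlock_bh(&ax25_dev_lock) in ax25_dev_device_up() and ax25_dev_device_down() are not reference leak fixes and the commit message does not say why they are here. In ax25_dev_device_up() the hold for the list entry is now taken after the entry is visible on ax25_dev_list, so there is a window where the list holds a pointer without owning a reference; that is only safe because device up/down run from the netdev notifier (ax25_device_event, per the diagram in 1/8) and are serialized there. Either keep the hold under the lock or state that reliance in a comment.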
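Review bot: ax25_fwd_ioctl() now carries five separate `ax25_dev_put(ax25_dev)` calls, one per branch, and the SIOCAX25ADDFWD case additionally puts fwd_dev on two of them; a single `out:` label after the switch that drops ax25_dev once (with the fwd_dev put kept in its own branch) would make the next added case harder to get wrong. The reference accounting itself is now correct on every visible path.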
@@ -78,11 +78,13 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_dev *ax25_dev; int i; - if ((ax25_dev = ax25_addr_ax25dev(&route->port_addr)) == NULL) - return -EINVAL; if (route->digi_count > AX25_MAX_DIGIS) return -EINVAL; + ax25_dev = ax25_addr_ax25dev(&route->port_addr); + if (!ax25_dev) + return -EINVAL; + write_lock_bh(&ax25_route_lock); ax25_rt = ax25_route_list; @@ -94,6 +96,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return -ENOMEM; } ax25_rt->digipeat->lastrepeat = -1; @@ -104,6 +107,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) } } write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } ax25_rt = ax25_rt->next; @@ -111,6 +115,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) if ((ax25_rt = kmalloc(sizeof(ax25_route), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return -ENOMEM; } @@ -119,11 +124,11 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->dev = ax25_dev->dev; ax25_rt->digipeat = NULL; ax25_rt->ip_mode = ' '; - ax25_dev_put(ax25_dev); if (route->digi_count != 0) { if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { write_unlock_bh(&ax25_route_lock); kfree(ax25_rt); + ax25_dev_put(ax25_dev); return -ENOMEM; } ax25_rt->digipeat->lastrepeat = -1; @@ -136,6 +141,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route) ax25_rt->next = ax25_route_list; ax25_route_list = ax25_rt; write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } @@ -176,8 +182,8 @@ static int ax25_rt_del(struct ax25_routes_struct *route) } } } - ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return 0; } 
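Review bot: ax25_rt_add() now puts on every exit, but ends up with five separate `ax25_dev_put(ax25_dev)` calls across the match loop, the two kmalloc failures and the success path; one exit label after write_unlock_bh() would be less fragile than repeating the put beside each `return`. Moving the lookup below the digi_count check, and issuing the put after write_unlock_bh() in ax25_rt_del() and in ax25_rt_opt() (the hunk that follows), is consistent with the ax25_dev.c change.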
@@ -219,8 +225,8 @@ static int ax25_rt_opt(struct ax25_route_opt_struct *rt_option) } out: - ax25_dev_put(ax25_dev); write_unlock_bh(&ax25_route_lock); + ax25_dev_put(ax25_dev); return err; }

From patchwork Thu Apr 21 10:24:21 2022
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: Duoming Zhou, "David S. Miller", Ovidiu Panait
Subject: [PATCH 4.19 7/8] ax25: Fix NULL pointer dereferences in ax25 timers
Date: Thu, 21 Apr 2022 13:24:21 +0300
Message-Id: <20220421102422.1206656-7-ovidiu.panait@windriver.com>
In-Reply-To: <20220421102422.1206656-1-ovidiu.panait@windriver.com>
References: <20220421102422.1206656-1-ovidiu.panait@windriver.com>
From: Duoming Zhou

commit fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009 upstream.

The previous commit 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect")
moved ax25_disconnect into lock_sock() in order to prevent NPD bugs. But
there are race conditions that may lead to null pointer dereferences in
ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(),
ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we use
ax25_kill_by_device() to detach the ax25 device.

One of the race conditions that cause null pointer dereferences can be
shown as below:

      (Thread 1)                    |      (Thread 2)
ax25_connect()                      |
 ax25_std_establish_data_link()     |
  ax25_start_t1timer()              |
   mod_timer(&ax25->t1timer,..)     |
                                    | ax25_kill_by_device()
   (wait a time)                    |  ...
                                    |  s->ax25_dev = NULL; //(1)
   ax25_t1timer_expiry()            |
    ax25->ax25_dev->values[..] //(2)|  ...
     ...                            |

We set null to ax25_cb->ax25_dev in position (1) and dereference
the null pointer in position (2).

The corresponding fail log is shown below:
===============================================================
BUG: kernel NULL pointer dereference, address: 0000000000000050
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc6-00794-g45690b7d0
RIP: 0010:ax25_t1timer_expiry+0x12/0x40
...
Call Trace:
 call_timer_fn+0x21/0x120
 __run_timers.part.0+0x1ca/0x250
 run_timer_softirq+0x2c/0x60
 __do_softirq+0xef/0x2f3
 irq_exit_rcu+0xb6/0x100
 sysvec_apic_timer_interrupt+0xa2/0xd0
...

This patch moves ax25_disconnect() before s->ax25_dev = NULL and uses
del_timer_sync() to delete timers in ax25_disconnect(). If
ax25_disconnect() is called by ax25_kill_by_device() or ax25->ax25_dev
is NULL, the reason in ax25_disconnect() will be equal to ENETUNREACH;
it will wait for all timers to stop before we set null to s->ax25_dev in
ax25_kill_by_device().

Fixes: 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect")
Signed-off-by: Duoming Zhou
Signed-off-by: David S. Miller
[OP: backport to 4.19: adjust context]
Signed-off-by: Ovidiu Panait --- net/ax25/af_ax25.c | 4 ++-- net/ax25/ax25_subr.c | 20 ++++++++++++++------ 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index cc0d6b3d5ad7..faa098faafa7 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -92,20 +92,20 @@ static void ax25_kill_by_device(struct net_device *dev) sk = s->sk; if (!sk) { spin_unlock_bh(&ax25_list_lock); - s->ax25_dev = NULL; ax25_disconnect(s, ENETUNREACH); + s->ax25_dev = NULL; spin_lock_bh(&ax25_list_lock); goto again; } sock_hold(sk); spin_unlock_bh(&ax25_list_lock); lock_sock(sk); + ax25_disconnect(s, ENETUNREACH); s->ax25_dev = NULL; if (sk->sk_socket) { dev_put(ax25_dev->dev); ax25_dev_put(ax25_dev); } - ax25_disconnect(s, ENETUNREACH); release_sock(sk); spin_lock_bh(&ax25_list_lock); sock_put(sk); diff --git a/net/ax25/ax25_subr.c b/net/ax25/ax25_subr.c index 038b109b2be7..c129865cad9f 100644 --- a/net/ax25/ax25_subr.c +++ b/net/ax25/ax25_subr.c @@ -264,12 +264,20 @@ void ax25_disconnect(ax25_cb *ax25, int reason) { ax25_clear_queues(ax25); - if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) - ax25_stop_heartbeat(ax25); - ax25_stop_t1timer(ax25); - ax25_stop_t2timer(ax25); - ax25_stop_t3timer(ax25); - ax25_stop_idletimer(ax25); + if (reason == ENETUNREACH) { + del_timer_sync(&ax25->timer); + del_timer_sync(&ax25->t1timer); + del_timer_sync(&ax25->t2timer); + del_timer_sync(&ax25->t3timer); + del_timer_sync(&ax25->idletimer); + } else { + if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)) + ax25_stop_heartbeat(ax25); + ax25_stop_t1timer(ax25); + ax25_stop_t2timer(ax25); + ax25_stop_t3timer(ax25); + ax25_stop_idletimer(ax25); + } ax25->state = AX25_STATE_0;
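Review bot: in the af_ax25.c hunk (ax25_kill_by_device) the fix rests on statement order alone: in both the !sk branch and the lock_sock() branch, ax25_disconnect(s, ENETUNREACH) must return before s->ax25_dev = NULL, because that return is what guarantees no timer handler is still running when the pointer is cleared. A one-line comment at each call site, e.g. "/* must precede clearing ax25_dev: stops timers synchronously */", would keep a later cleanup from swapping the two statements back and reintroducing the dereference. The dev_put(ax25_dev->dev) and ax25_dev_put(ax25_dev) calls that follow use the local ax25_dev, so they are unaffected by the move.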
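Review bot: in the ax25_subr.c hunk (ax25_disconnect) the new ENETUNREACH branch does not carry over the "!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY)" guard that the else branch keeps around ax25_stop_heartbeat(), so a socket already flagged SOCK_DESTROY now has its heartbeat timer deleted when it is disconnected with ENETUNREACH; the commit message should state whether that is intended, since the heartbeat handler is the one that normally destroys a SOCK_DESTROY socket. Selecting the synchronous path by comparing reason against an errno is also fragile: any caller that passes ENETUNREACH silently gets del_timer_sync() semantics, which must never be used from timer context; a dedicated argument or flag would make the intent explicit and greppable.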
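The ordering the commit message describes, modelled in user space as an added example. This is not kernel code and not the author's: struct dev, struct cb, t1timer_expiry, del_timer_sync_model and kill_by_device_before/after are hypothetical stand-ins for ax25_dev, ax25_cb, ax25_t1timer_expiry, del_timer_sync and the two orderings of ax25_kill_by_device. A thread plays the already-fired timer handler, and two barriers pin the interleaving from the race diagram so the "before" ordering reproduces the NULL observation deterministically rather than by timing luck; the "after" ordering lets the in-flight handler finish before the pointer is cleared, which is what moving ax25_disconnect() first buys.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins constructed for this example, not kernel types. */
struct dev { int values[4]; };              /* plays ax25_dev */

struct cb {                                 /* plays ax25_cb */
    struct dev *ax25_dev;
    pthread_t   t1timer;                    /* a "timer" that has already fired */
    /* Two barriers force the interleaving from the commit message: the
     * handler announces that it is running, then waits for the kill path
     * to take its first step before it touches ax25_dev. */
    pthread_barrier_t handler_running;
    pthread_barrier_t kill_path_acted;
};

/* Plays ax25_t1timer_expiry(): returns 1 if it would dereference NULL at (2). */
static void *t1timer_expiry(void *arg)
{
    struct cb *ax25 = arg;
    pthread_barrier_wait(&ax25->handler_running);
    pthread_barrier_wait(&ax25->kill_path_acted);
    if (ax25->ax25_dev == NULL)
        return (void *)(intptr_t)1;         /* the oops in the report */
    (void)ax25->ax25_dev->values[0];        /* the real handler reads timer values */
    return (void *)(intptr_t)0;
}

static void cb_init(struct cb *ax25, struct dev *d)
{
    ax25->ax25_dev = d;
    pthread_barrier_init(&ax25->handler_running, NULL, 2);
    pthread_barrier_init(&ax25->kill_path_acted, NULL, 2);
}

static void cb_fini(struct cb *ax25)
{
    pthread_barrier_destroy(&ax25->handler_running);
    pthread_barrier_destroy(&ax25->kill_path_acted);
}

/* Plays mod_timer(): the handler thread starts and "expires" at once. */
static void start_t1timer(struct cb *ax25)
{
    pthread_create(&ax25->t1timer, NULL, t1timer_expiry, ax25);
}

/* Plays del_timer_sync(): waits for an in-flight handler to return. */
static int del_timer_sync_model(struct cb *ax25)
{
    void *ret;
    pthread_join(ax25->t1timer, &ret);
    return (int)(intptr_t)ret;
}

/* Ordering before the patch: clear ax25_dev at (1), disconnect afterwards. */
int kill_by_device_before(void)
{
    struct dev d = { { 0 } };
    struct cb ax25;
    cb_init(&ax25, &d);
    start_t1timer(&ax25);
    pthread_barrier_wait(&ax25.handler_running);  /* timer fired, handler is live */
    ax25.ax25_dev = NULL;                         /* (1) */
    pthread_barrier_wait(&ax25.kill_path_acted);  /* handler now reaches (2) */
    int crashed = del_timer_sync_model(&ax25);    /* disconnect runs too late */
    cb_fini(&ax25);
    return crashed;                               /* 1: handler saw NULL */
}

/* Ordering after the patch: disconnect first (waits for handlers), then clear. */
int kill_by_device_after(void)
{
    struct dev d = { { 0 } };
    struct cb ax25;
    cb_init(&ax25, &d);
    start_t1timer(&ax25);
    pthread_barrier_wait(&ax25.handler_running);  /* timer fired, handler is live */
    pthread_barrier_wait(&ax25.kill_path_acted);  /* let the live handler proceed... */
    int crashed = del_timer_sync_model(&ax25);    /* ...and wait until it has returned */
    ax25.ax25_dev = NULL;                         /* no handler can observe this */
    cb_fini(&ax25);
    return crashed;                               /* 0: pointer was still valid */
}

int main(void)
{
    printf("before patch: handler saw NULL = %d\n", kill_by_device_before());
    printf("after patch:  handler saw NULL = %d\n", kill_by_device_after());
    return 0;
}
```

The model deliberately makes the handler check for NULL instead of crashing so the outcome can be returned and compared; in the kernel the same read at (2) is the oops in the report. Build with a pthread-aware compiler invocation (cc -pthread on older toolchains).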