Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/net
History
Kuniyuki Iwashima 333529d2d4 can: bcm: Remove proc entry when dev is unregistered. 
[ Upstream commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 ]

syzkaller reported a warning in bcm_connect() below. [0]

The repro calls connect() to vxcan1, removes vxcan1, and calls
connect() with ifindex == 0.

Calling connect() for a BCM socket allocates a proc entry.
Then, bcm_sk(sk)->bound is set to 1 to prevent further connect().

However, removing the bound device resets bcm_sk(sk)->bound to 0
in bcm_notify().

The 2nd connect() tries to allocate a proc entry with the same
name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the
original proc entry.

Since the proc entry is available only for connect()ed sockets,
let's clean up the entry when the bound netdev is unregistered.

[0]:
proc_dir_entry 'can-bcm/2456' already registered
WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375
Modules linked in:
CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375
Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48
RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246
RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0
R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec
FS:  00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
 bcm_connect+0x472/0x840 net/can/bcm.c:1673
 __sys_connect_file net/socket.c:2049 [inline]
 __sys_connect+0x5d2/0x690 net/socket.c:2066
 __do_sys_connect net/socket.c:2076 [inline]
 __se_sys_connect net/socket.c:2073 [inline]
 __x64_sys_connect+0x8f/0x100 net/socket.c:2073
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fbd708b0e5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d
RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040
R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098
R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000
 </TASK>
remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'

Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/all/20240722192842.37421-1-kuniyu@amazon.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-23 23:21:03 +01:00
..
6lowpan
9p net/9p: fix uninit-value in p9_client_rpc() 2024-11-19 12:27:18 +01:00
802
8021q vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING 2024-11-18 12:13:00 +01:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2024-11-18 12:11:49 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2024-11-18 12:11:49 +01:00
ax25
batman-adv batman-adv: fix random jitter calculation 2024-11-19 17:55:48 +01:00
bluetooth Bluetooth: MGMT: Ignore keys being loaded with invalid type 2024-11-23 23:21:00 +01:00
bpf
bpfilter
bridge net: bridge: fix multicast-to-unicast with fraglist GSO 2024-11-19 11:32:43 +01:00
caif
can can: bcm: Remove proc entry when dev is unregistered. 2024-11-23 23:21:03 +01:00
ceph libceph: fix race between delayed_work() and ceph_monc_stop() 2024-11-19 14:19:45 +01:00
core bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode 2024-11-23 23:20:59 +01:00
dcb
dccp dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2024-11-18 11:43:07 +01:00
decnet
dns_resolver keys, dns: Fix size check of V1 server-list header 2024-11-18 12:12:43 +01:00
dsa
ethernet ethernet: Add helper for assigning packet type when dest address does not match device address 2024-11-19 11:32:39 +01:00
ethtool ethtool: check device is present when getting link settings 2024-11-23 23:20:55 +01:00
hsr hsr: Handle failures in module init 2024-11-19 08:44:59 +01:00
ieee802154
ife net: sched: ife: fix potential use-after-free 2024-11-18 12:11:59 +01:00
ipv4 net: set SOCK_RCU_FREE before inserting socket into hashtable 2024-11-23 23:20:59 +01:00
ipv6 ila: call nf_unregister_net_hooks() sooner 2024-11-23 23:21:00 +01:00
iucv s390/iucv: fix receive buffer virtual vs physical address confusion 2024-11-23 23:20:47 +01:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-11-23 23:20:48 +01:00
key
l2tp l2tp: fix lockdep splat 2024-11-23 23:20:22 +01:00
l3mdev
lapb
llc llc: call sock_orphan() at release time 2024-11-18 12:13:22 +01:00
mac80211 wifi: mac80211: fix BA session teardown race 2024-11-23 23:20:44 +01:00
mac802154 Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()" 2024-11-19 14:52:14 +01:00
mpls
mptcp mptcp: pm: avoid possible UaF when selecting endp 2024-11-23 23:21:01 +01:00
ncm
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-11-19 14:19:00 +01:00
netfilter netfilter: nf_conncount: fix wrong variable type 2024-11-23 23:21:03 +01:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2024-11-18 12:12:25 +01:00
netlink netlink: hold nlk->cb_mutex longer in __netlink_dump_start() 2024-11-23 23:20:45 +01:00
netrom netrom: Fix a memory leak in nr_heartbeat_expiry() 2024-11-19 14:19:08 +01:00
nfc nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() 2024-11-19 12:27:10 +01:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-11-19 11:32:42 +01:00
openvswitch openvswitch: Set the skbuff pkt_type for proper pmtud support. 2024-11-19 12:27:09 +01:00
packet af_packet: Handle outgoing VLAN packets without hardware offloading 2024-11-23 23:20:12 +01:00
phonet phonet: fix rtm_phonet_notify() skb allocation 2024-11-19 11:32:46 +01:00
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2024-11-18 12:11:46 +01:00
qrtr
rds net:rds: Fix possible deadlock in rds_message_put 2024-11-23 23:20:54 +01:00
rfkill net: rfkill: gpio: set GPIO direction 2024-11-18 12:12:01 +01:00
rose net/rose: fix races in rose_kill_by_device() 2024-11-18 12:11:59 +01:00
rxrpc rxrpc: Fix response to PING RESPONSE ACKs to a dead call 2024-11-18 12:13:25 +01:00
sched sched: sch_cake: fix bulk flow accounting logic for host fairness 2024-11-23 23:21:01 +01:00
sctp sctp: Fix null-ptr-deref in reuseport_add_sock(). 2024-11-23 23:20:22 +01:00
skb_tracer
smc net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined 2024-11-23 23:20:06 +01:00
strparser
sunrpc sunrpc: use the struct net as the svc proc private 2024-11-23 23:21:02 +01:00
switchdev
tipc tipc: Return non-zero value from tipc_udp_addr2str() on error 2024-11-23 23:20:17 +01:00
tls tls: fix missing memory barrier in tls_init 2024-11-19 12:27:09 +01:00
unix af_unix: Remove put_pid()/put_cred() in copy_peercred(). 2024-11-23 23:21:03 +01:00
vmw_vsock virtio/vsock: fix logic which reduces credit update messages 2024-11-18 12:12:37 +01:00
wimax
wireless wifi: cfg80211: make hash table duplicates more survivable 2024-11-23 23:20:58 +01:00
x25 net/x25: fix incorrect parameter validation in the x25_getsockopt() function 2024-11-19 08:44:50 +01:00
xdp xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING 2024-11-19 11:32:19 +01:00
xfrm net: fix __dst_negative_advice() race 2024-11-19 12:27:19 +01:00
compat.c
devres.c
Kconfig
Makefile
socket.c net: Save and restore msg_namelen in sock_sendmsg 2024-11-18 12:12:07 +01:00
sysctl_net.c
TEST_MAPPING