kernel_samsung_a53x/net/core
Yue Haibing 4f76885213 netns: Make get_net_ns() handle zero refcount net
[ Upstream commit ff960f9d3edbe08a736b5a224d91a305ccc946b0 ]

Syzkaller hit a warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 7890 at lib/refcount.c:25 refcount_warn_saturate+0xdf/0x1d0
Modules linked in:
CPU: 3 PID: 7890 Comm: tun Not tainted 6.10.0-rc3-00100-gcaa4f9578aba-dirty #310
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xdf/0x1d0
Code: 41 49 04 31 ff 89 de e8 9f 1e cd fe 84 db 75 9c e8 76 26 cd fe c6 05 b6 41 49 04 01 90 48 c7 c7 b8 8e 25 86 e8 d2 05 b5 fe 90 <0f> 0b 90 90 e9 79 ff ff ff e8 53 26 cd fe 0f b6 1
RSP: 0018:ffff8881067b7da0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c72ac
RDX: ffff8881026a2140 RSI: ffffffff811c72b5 RDI: 0000000000000001
RBP: ffff8881067b7db0 R08: 0000000000000000 R09: 205b5d3730353139
R10: 0000000000000000 R11: 205d303938375420 R12: ffff8881086500c4
R13: ffff8881086500c4 R14: ffff8881086500b0 R15: ffff888108650040
FS:  00007f5b2961a4c0(0000) GS:ffff88823bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d7ed36fd18 CR3: 00000001482f6000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? show_regs+0xa3/0xc0
 ? __warn+0xa5/0x1c0
 ? refcount_warn_saturate+0xdf/0x1d0
 ? report_bug+0x1fc/0x2d0
 ? refcount_warn_saturate+0xdf/0x1d0
 ? handle_bug+0xa1/0x110
 ? exc_invalid_op+0x3c/0xb0
 ? asm_exc_invalid_op+0x1f/0x30
 ? __warn_printk+0xcc/0x140
 ? __warn_printk+0xd5/0x140
 ? refcount_warn_saturate+0xdf/0x1d0
 get_net_ns+0xa4/0xc0
 ? __pfx_get_net_ns+0x10/0x10
 open_related_ns+0x5a/0x130
 __tun_chr_ioctl+0x1616/0x2370
 ? __sanitizer_cov_trace_switch+0x58/0xa0
 ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
 ? __pfx_tun_chr_ioctl+0x10/0x10
 tun_chr_ioctl+0x2f/0x40
 __x64_sys_ioctl+0x11b/0x160
 x64_sys_call+0x1211/0x20d0
 do_syscall_64+0x9e/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b28f165d7
Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 8
RSP: 002b:00007ffc2b59c5e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b28f165d7
RDX: 0000000000000000 RSI: 00000000000054e3 RDI: 0000000000000003
RBP: 00007ffc2b59c650 R08: 00007f5b291ed8c0 R09: 00007f5b2961a4c0
R10: 0000000029690010 R11: 0000000000000246 R12: 0000000000400730
R13: 00007ffc2b59cf40 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...

This is trigger as below:
          ns0                                    ns1
tun_set_iff() //dev is tun0
   tun->dev = dev
//ip link set tun0 netns ns1
                                       put_net() //ref is 0
__tun_chr_ioctl() //TUNGETDEVNETNS
   net = dev_net(tun->dev);
   open_related_ns(&net->ns, get_net_ns); //ns1
     get_net_ns()
        get_net() //addition on 0

Use maybe_get_net() in get_net_ns in case net's ref is zero to fix this

Fixes: 0c3e0e3bb623 ("tun: Add ioctl() TUNGETDEVNETNS cmd to allow obtaining real net ns of tun device")
Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20240614131302.2698509-1-yuehaibing@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-19 14:19:08 +01:00
..
bpf_sk_storage.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
datagram.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
datagram.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dev.c net: give more chances to rcu in netdev_wait_allrefs_any() 2024-11-19 12:26:55 +01:00
dev_addr_lists.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dev_ioctl.c net: dev: Convert sa_data to flexible array in struct sockaddr 2024-11-18 22:25:41 +01:00
devlink.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drop_monitor.c drop_monitor: replace spin_lock by raw_spin_lock 2024-11-19 14:19:06 +01:00
dst.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dst_cache.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
failover.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fib_notifier.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fib_rules.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
filter.c bpf: net: Change sk_getsockopt() to take the sockptr_t argument 2024-11-18 23:19:51 +01:00
flow_dissector.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
flow_offload.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gen_estimator.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gen_stats.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gro_cells.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hwbm.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
link_watch.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
lwt_bpf.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
lwtunnel.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Makefile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
neighbour.c neighbour: Don't let neigh_forced_gc() disable preemption for long 2024-11-18 12:12:16 +01:00
net-procfs.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
net-sysfs.c Backport mac80211 patches from linux-6.1.y 2024-06-15 16:29:20 -03:00
net-sysfs.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
net-traces.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
net_namespace.c netns: Make get_net_ns() handle zero refcount net 2024-11-19 14:19:08 +01:00
netclassid_cgroup.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netevent.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netpoll.c netpoll: Fix race condition in netpoll_owner_active 2024-11-19 14:19:06 +01:00
netprio_cgroup.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
page_pool.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
pktgen.c net: pktgen: Fix interface flags printing 2024-11-08 11:26:11 +01:00
ptp_classifier.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
request_sock.c tcp: make sure init the accept_queue's spinlocks once 2024-11-18 12:12:59 +01:00
rtnetlink.c rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation 2024-11-19 11:32:45 +01:00
scm.c Revert "io_uring/unix: drop usage of io_uring socket" 2024-11-19 09:11:51 +01:00
secure_seq.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
skbuff.c kcov: Remove kcov include from sched.h and move it to its users. 2024-11-19 11:32:46 +01:00
skmsg.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sock.c net: mark racy access on sk->sk_rcvbuf 2024-11-19 11:32:43 +01:00
sock_diag.c sock_diag: annotate data-races around sock_diag_handlers[family] 2024-11-19 08:44:38 +01:00
sock_map.c bpf, sockmap: Prevent lock inversion deadlock in map delete elem 2024-11-19 09:22:46 +01:00
sock_reuseport.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
stream.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sysctl_net_core.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
timestamping.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tso.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
utils.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xdp.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00