Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/net
History
Jiri Benc 4b6fb836c2 ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr 
[ Upstream commit 7633c4da919ad51164acbf1aa322cc1a3ead6129 ]

Although ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it
still means hlist_for_each_entry_rcu can return an item that got removed
from the list. The memory itself of such item is not freed thanks to RCU
but nothing guarantees the actual content of the memory is sane.

In particular, the reference count can be zero. This can happen if
ipv6_del_addr is called in parallel. ipv6_del_addr removes the entry
from inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all
references (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough
timing, this can happen:

1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.

2. Then, the whole ipv6_del_addr is executed for the given entry. The
   reference count drops to zero and kfree_rcu is scheduled.

3. ipv6_get_ifaddr continues and tries to increments the reference count
   (in6_ifa_hold).

4. The rcu is unlocked and the entry is freed.

5. The freed entry is returned.

Prevent increasing of the reference count in such case. The name
in6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.

[   41.506330] refcount_t: addition on 0; use-after-free.
[   41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130
[   41.507413] Modules linked in: veth bridge stp llc
[   41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa 
[   41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
[   41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130
[   41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff
[   41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282
[   41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000
[   41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900
[   41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff
[   41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000
[   41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48
[   41.514086] FS:  00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000
[   41.514726] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0
[   41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   41.516799] Call Trace:
[   41.517037]  <TASK>
[   41.517249]  ? __warn+0x7b/0x120
[   41.517535]  ? refcount_warn_saturate+0xa5/0x130
[   41.517923]  ? report_bug+0x164/0x190
[   41.518240]  ? handle_bug+0x3d/0x70
[   41.518541]  ? exc_invalid_op+0x17/0x70
[   41.520972]  ? asm_exc_invalid_op+0x1a/0x20
[   41.521325]  ? refcount_warn_saturate+0xa5/0x130
[   41.521708]  ipv6_get_ifaddr+0xda/0xe0
[   41.522035]  inet6_rtm_getaddr+0x342/0x3f0
[   41.522376]  ? __pfx_inet6_rtm_getaddr+0x10/0x10
[   41.522758]  rtnetlink_rcv_msg+0x334/0x3d0
[   41.523102]  ? netlink_unicast+0x30f/0x390
[   41.523445]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   41.523832]  netlink_rcv_skb+0x53/0x100
[   41.524157]  netlink_unicast+0x23b/0x390
[   41.524484]  netlink_sendmsg+0x1f2/0x440
[   41.524826]  __sys_sendto+0x1d8/0x1f0
[   41.525145]  __x64_sys_sendto+0x1f/0x30
[   41.525467]  do_syscall_64+0xa5/0x1b0
[   41.525794]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[   41.526213] RIP: 0033:0x7fbc4cfcea9a
[   41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[   41.527942] RSP: 002b:00007ffcf54012a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   41.528593] RAX: ffffffffffffffda RBX: 00007ffcf5401368 RCX: 00007fbc4cfcea9a
[   41.529173] RDX: 000000000000002c RSI: 00007fbc4b9d9bd0 RDI: 0000000000000005
[   41.529786] RBP: 00007fbc4bafb040 R08: 00007ffcf54013e0 R09: 000000000000000c
[   41.530375] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   41.530977] R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007fbc4ca85d1b
[   41.531573]  </TASK>

Fixes: 5c578aedcb21d ("IPv6: convert addrconf hash list to RCU")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Link: https://lore.kernel.org/r/8ab821e36073a4a406c50ec83c9e8dc586c539e4.1712585809.git.jbenc@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-19 11:32:19 +01:00
..
6lowpan
9p 9p/net: fix possible memory leak in p9_check_errors() 2024-11-18 12:12:01 +01:00
802
8021q vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING 2024-11-18 12:13:00 +01:00
appletalk
atm
ax25
batman-adv batman-adv: Avoid infinite loop trying to resize local TT 2024-11-19 11:32:19 +01:00
bluetooth Bluetooth: Fix memory leak in hci_req_sync_complete() 2024-11-19 11:32:19 +01:00
bpf
bpfilter
bridge netfilter: validate user input for expected length 2024-11-19 09:22:46 +01:00
caif
can can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) 2024-11-18 12:13:33 +01:00
ceph
core bpf, sockmap: Prevent lock inversion deadlock in map delete elem 2024-11-19 09:22:46 +01:00
dcb
dccp
decnet
dns_resolver keys, dns: Fix size check of V1 server-list header 2024-11-18 12:12:43 +01:00
dsa
ethernet
ethtool ethtool: netlink: Add missing ethnl_ops_begin/complete 2024-11-18 12:12:51 +01:00
hsr hsr: Handle failures in module init 2024-11-19 08:44:59 +01:00
ieee802154
ife net: sched: ife: fix potential use-after-free 2024-11-18 12:11:59 +01:00
ipv4 ipv4/route: avoid unused-but-set-variable warning 2024-11-19 11:32:19 +01:00
ipv6 ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr 2024-11-19 11:32:19 +01:00
iucv net/iucv: fix the allocation size of iucv_path_table array 2024-11-19 08:44:36 +01:00
kcm net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function 2024-11-19 08:44:50 +01:00
key
l2tp l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function 2024-11-19 08:44:50 +01:00
l3mdev
lapb
llc llc: call sock_orphan() at release time 2024-11-18 12:13:22 +01:00
mac80211 wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes 2024-11-19 09:22:41 +01:00
mac802154 mac802154: fix llsec key resources release in mac802154_llsec_key_del 2024-11-19 09:22:33 +01:00
mpls
mptcp mptcp: don't account accept() of non-MPC client as fallback to TCP 2024-11-19 09:23:11 +01:00
ncm
ncsi net/ncsi: Fix netlink major/minor version numbers 2024-11-18 12:12:28 +01:00
netfilter netfilter: nf_tables: discard table flag update with pending basechain deletion 2024-11-19 09:23:15 +01:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2024-11-18 12:12:25 +01:00
netlink netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter 2024-11-18 23:18:28 +01:00
netrom netrom: Fix data-races around sysctl_net_busy_read 2024-11-18 23:19:35 +01:00
nfc nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet 2024-11-19 09:22:44 +01:00
nsh
openvswitch net: openvswitch: fix unwanted error log on timeout policy probing 2024-11-19 11:32:19 +01:00
packet packet: annotate data-races around ignore_outgoing 2024-11-19 08:44:59 +01:00
phonet
psample
qrtr
rds net/rds: fix possible cp null dereference 2024-11-19 09:22:45 +01:00
rfkill net: rfkill: gpio: set GPIO direction 2024-11-18 12:12:01 +01:00
rose net/rose: fix races in rose_kill_by_device() 2024-11-18 12:11:59 +01:00
rxrpc rxrpc: Fix response to PING RESPONSE ACKs to a dead call 2024-11-18 12:13:25 +01:00
sched net/sched: act_skbmod: prevent kernel-infoleak 2024-11-19 09:22:46 +01:00
sctp
skb_tracer
smc net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() 2024-11-19 09:23:13 +01:00
strparser
sunrpc net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() 2024-11-19 08:44:57 +01:00
switchdev
tipc tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() 2024-11-18 12:13:25 +01:00
tls tls: stop recv() if initial process_rx_list gave us non-DATA 2024-11-18 22:25:42 +01:00
unix Revert "io_uring/unix: drop usage of io_uring socket" 2024-11-19 09:11:51 +01:00
vmw_vsock virtio/vsock: fix logic which reduces credit update messages 2024-11-18 12:12:37 +01:00
wimax
wireless wifi: nl80211: reject iftype change with mesh ID change 2024-11-18 23:18:29 +01:00
x25 net/x25: fix incorrect parameter validation in the x25_getsockopt() function 2024-11-19 08:44:50 +01:00
xdp xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING 2024-11-19 11:32:19 +01:00
xfrm xfrm: Avoid clang fortify warning in copy_to_user_tmpl() 2024-11-19 09:22:38 +01:00
compat.c
devres.c
Kconfig
Makefile
socket.c net: Save and restore msg_namelen in sock_sendmsg 2024-11-18 12:12:07 +01:00
sysctl_net.c
TEST_MAPPING