Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Bogendoerfer <tbogendoerfer@suse.de>2019-11-05 14:08:48 +0100
committerThomas Bogendoerfer <tbogendoerfer@suse.de>2019-11-05 14:09:56 +0100
commit49568a995d7d15f1888181a8e0f7747789c22f93 (patch)
tree2ba5eae614c12a0a3281dc4ea74c46c419c8275a
parent36a7c617e2f0c0b26757779b259a08439df1db06 (diff)
netdevsim: Fix use-after-free during device dismantle
(bsc#1154353).
-rw-r--r--patches.suse/netdevsim-Fix-use-after-free-during-device-dismantle.patch151
-rw-r--r--series.conf1
2 files changed, 152 insertions, 0 deletions
diff --git a/patches.suse/netdevsim-Fix-use-after-free-during-device-dismantle.patch b/patches.suse/netdevsim-Fix-use-after-free-during-device-dismantle.patch
new file mode 100644
index 0000000000..b665573bba
--- /dev/null
+++ b/patches.suse/netdevsim-Fix-use-after-free-during-device-dismantle.patch
@@ -0,0 +1,151 @@
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Thu, 31 Oct 2019 18:20:30 +0200
+Subject: netdevsim: Fix use-after-free during device dismantle
+Patch-mainline: v5.4-rc6
+Git-commit: 6d6f0383b697f004c65823c2b64240912f18515d
+References: bsc#1154353
+
+Commit da58f90f11f5 ("netdevsim: Add devlink-trap support") added
+delayed work to netdevsim that periodically iterates over the registered
+netdevsim ports and reports various packet traps via devlink.
+
+While the delayed work takes the 'port_list_lock' mutex to protect
+against concurrent addition / deletion of ports, during device creation
+/ dismantle ports are added / deleted without this lock, which can
+result in a use-after-free [1].
+
+Fix this by making sure that the ports list is always modified under the
+lock.
+
+[1]
+[ 59.205543] ==================================================================
+[ 59.207748] BUG: KASAN: use-after-free in nsim_dev_trap_report_work+0xa67/0xad0
+[ 59.210247] Read of size 8 at addr ffff8883cbdd3398 by task kworker/3:1/38
+[ 59.212584]
+[ 59.213148] CPU: 3 PID: 38 Comm: kworker/3:1 Not tainted 5.4.0-rc3-custom-16119-ge6abb5f0261e #2013
+[ 59.215896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014
+[ 59.218384] Workqueue: events nsim_dev_trap_report_work
+[ 59.219428] Call Trace:
+[ 59.219924] dump_stack+0xa9/0x10e
+[ 59.220623] print_address_description.constprop.4+0x21/0x340
+[ 59.221976] ? vprintk_func+0x66/0x240
+[ 59.222752] __kasan_report.cold.8+0x78/0x91
+[ 59.223602] ? nsim_dev_trap_report_work+0xa67/0xad0
+[ 59.224603] kasan_report+0xe/0x20
+[ 59.225296] nsim_dev_trap_report_work+0xa67/0xad0
+[ 59.226435] ? rcu_read_lock_sched_held+0xaf/0xe0
+[ 59.227512] ? trace_event_raw_event_rcu_quiescent_state_report+0x360/0x360
+[ 59.228851] process_one_work+0x98f/0x1760
+[ 59.229684] ? pwq_dec_nr_in_flight+0x330/0x330
+[ 59.230656] worker_thread+0x91/0xc40
+[ 59.231587] ? process_one_work+0x1760/0x1760
+[ 59.232451] kthread+0x34a/0x410
+[ 59.233104] ? __kthread_queue_delayed_work+0x240/0x240
+[ 59.234141] ret_from_fork+0x3a/0x50
+[ 59.234982]
+[ 59.235371] Allocated by task 187:
+[ 59.236189] save_stack+0x19/0x80
+[ 59.236853] __kasan_kmalloc.constprop.5+0xc1/0xd0
+[ 59.237822] kmem_cache_alloc_trace+0x14c/0x380
+[ 59.238769] __nsim_dev_port_add+0xaf/0x5c0
+[ 59.239627] nsim_dev_probe+0x4fc/0x1140
+[ 59.240550] really_probe+0x264/0xc00
+[ 59.241418] driver_probe_device+0x208/0x2e0
+[ 59.242255] __device_attach_driver+0x215/0x2d0
+[ 59.243150] bus_for_each_drv+0x154/0x1d0
+[ 59.243944] __device_attach+0x1ba/0x2b0
+[ 59.244923] bus_probe_device+0x1dd/0x290
+[ 59.245805] device_add+0xbac/0x1550
+[ 59.246528] new_device_store+0x1f4/0x400
+[ 59.247306] bus_attr_store+0x7b/0xa0
+[ 59.248047] sysfs_kf_write+0x10f/0x170
+[ 59.248941] kernfs_fop_write+0x283/0x430
+[ 59.249843] __vfs_write+0x81/0x100
+[ 59.250546] vfs_write+0x1ce/0x510
+[ 59.251190] ksys_write+0x104/0x200
+[ 59.251873] do_syscall_64+0xa4/0x4e0
+[ 59.252642] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 59.253837]
+[ 59.254203] Freed by task 187:
+[ 59.254811] save_stack+0x19/0x80
+[ 59.255463] __kasan_slab_free+0x125/0x170
+[ 59.256265] kfree+0x100/0x440
+[ 59.256870] nsim_dev_remove+0x98/0x100
+[ 59.257651] nsim_bus_remove+0x16/0x20
+[ 59.258382] device_release_driver_internal+0x20b/0x4d0
+[ 59.259588] bus_remove_device+0x2e9/0x5a0
+[ 59.260551] device_del+0x410/0xad0
+[ 59.263777] device_unregister+0x26/0xc0
+[ 59.264616] nsim_bus_dev_del+0x16/0x60
+[ 59.265381] del_device_store+0x2d6/0x3c0
+[ 59.266295] bus_attr_store+0x7b/0xa0
+[ 59.267192] sysfs_kf_write+0x10f/0x170
+[ 59.267960] kernfs_fop_write+0x283/0x430
+[ 59.268800] __vfs_write+0x81/0x100
+[ 59.269551] vfs_write+0x1ce/0x510
+[ 59.270252] ksys_write+0x104/0x200
+[ 59.270910] do_syscall_64+0xa4/0x4e0
+[ 59.271680] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 59.272812]
+[ 59.273211] The buggy address belongs to the object at ffff8883cbdd3200
+[ 59.273211] which belongs to the cache kmalloc-512 of size 512
+[ 59.275838] The buggy address is located 408 bytes inside of
+[ 59.275838] 512-byte region [ffff8883cbdd3200, ffff8883cbdd3400)
+[ 59.278151] The buggy address belongs to the page:
+[ 59.279215] page:ffffea000f2f7400 refcount:1 mapcount:0 mapping:ffff8883ecc0ce00 index:0x0 compound_mapcount: 0
+[ 59.281449] flags: 0x200000000010200(slab|head)
+[ 59.282356] raw: 0200000000010200 ffffea000f2f3a08 ffffea000f2fd608 ffff8883ecc0ce00
+[ 59.283949] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
+[ 59.285608] page dumped because: kasan: bad access detected
+[ 59.286981]
+[ 59.287337] Memory state around the buggy address:
+[ 59.288310] ffff8883cbdd3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 59.289763] ffff8883cbdd3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 59.291452] >ffff8883cbdd3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 59.292945] ^
+[ 59.293815] ffff8883cbdd3400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 59.295220] ffff8883cbdd3480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 59.296872] ==================================================================
+
+Fixes: da58f90f11f5 ("netdevsim: Add devlink-trap support")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: syzbot+9ed8f68ab30761f3678e@syzkaller.appspotmail.com
+Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/net/netdevsim/dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -806,9 +806,11 @@ static void nsim_dev_port_del_all(struct
+ {
+ struct nsim_dev_port *nsim_dev_port, *tmp;
+
++ mutex_lock(&nsim_dev->port_list_lock);
+ list_for_each_entry_safe(nsim_dev_port, tmp,
+ &nsim_dev->port_list, list)
+ __nsim_dev_port_del(nsim_dev_port);
++ mutex_unlock(&nsim_dev->port_list_lock);
+ }
+
+ int nsim_dev_probe(struct nsim_bus_dev *nsim_bus_dev)
+@@ -822,14 +824,17 @@ int nsim_dev_probe(struct nsim_bus_dev *
+ return PTR_ERR(nsim_dev);
+ dev_set_drvdata(&nsim_bus_dev->dev, nsim_dev);
+
++ mutex_lock(&nsim_dev->port_list_lock);
+ for (i = 0; i < nsim_bus_dev->port_count; i++) {
+ err = __nsim_dev_port_add(nsim_dev, i);
+ if (err)
+ goto err_port_del_all;
+ }
++ mutex_unlock(&nsim_dev->port_list_lock);
+ return 0;
+
+ err_port_del_all:
++ mutex_unlock(&nsim_dev->port_list_lock);
+ nsim_dev_port_del_all(nsim_dev);
+ nsim_dev_destroy(nsim_dev);
+ return err;
diff --git a/series.conf b/series.conf
index e31ac7869a..56d65f0df4 100644
--- a/series.conf
+++ b/series.conf
@@ -2888,6 +2888,7 @@
patches.suse/net-annotate-accesses-to-sk-sk_incoming_cpu.patch
patches.suse/net-annotate-lockless-accesses-to-sk-sk_napi_id.patch
patches.suse/cxgb4-fix-panic-when-attaching-to-ULD-fail.patch
+ patches.suse/netdevsim-Fix-use-after-free-during-device-dismantle.patch
patches.suse/powerpc-powernv-Fix-CPU-idle-to-be-called-with-IRQs-.patch
patches.suse/scsi-qla2xxx-fixup-incorrect-usage-of-host_byte.patch
patches.suse/scsi-lpfc-Check-queue-pointer-before-use.patch