linux-stable/include/net
Schspa Shi 98f53e5919 mrp: introduce active flags to prevent UAF when applicant uninit
[ Upstream commit ab0377803d ]

The caller of del_timer_sync must prevent restarting of the timer. If
we do not have this synchronization, there is a small probability that the
cancellation will not be successful.

And syzbot reported the following crash:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]

CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
 show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x1a8/0x4a0 mm/kasan/report.c:395
 kasan_report+0x94/0xb4 mm/kasan/report.c:495
 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
 do_bad_area arch/arm64/mm/fault.c:473 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
 hlist_add_head include/linux/list.h:929 [inline]
 enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
 mod_timer+0x14/0x20 kernel/time/timer.c:1161
 mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
 mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
 expire_timers+0x98/0xc4 kernel/time/timer.c:1519

To fix it, we can introduce a new active flag to make sure the timer will
not restart.

Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com

Signed-off-by: Schspa Shi <schspa@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-01-07 12:07:32 +01:00
9p
bluetooth Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put 2022-08-25 11:09:20 +02:00
caif net: caif: add proper error handling 2021-06-10 12:42:36 +02:00
irda
iucv
netfilter netfilter: nf_queue: fix possible use-after-free 2022-03-08 19:00:57 +01:00
netns inet: switch IP ID generator to siphash 2019-08-25 10:51:42 +02:00
nfc NFC: add NCI_UNREG flag to eliminate the race 2021-12-08 08:45:04 +01:00
phonet phonet: fix building with clang 2019-03-23 13:19:44 +01:00
sctp sctp: validate from_addr_param return 2021-09-26 13:36:19 +02:00
tc_act net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is used 2018-08-24 13:12:37 +02:00
6lowpan.h
Space.h
act_api.h net sched: fix reporting the first-time use timestamp 2020-06-03 08:16:25 +02:00
addrconf.h ipv6: fix memory leaks on IPV6_ADDRFORM path 2020-08-21 11:01:55 +02:00
af_ieee802154.h
af_rxrpc.h
af_unix.h net: split out functions related to registering inflight socket files 2021-08-04 11:58:01 +02:00
af_vsock.h vsock: split dwork to avoid reinitializations 2018-08-22 07:47:13 +02:00
ah.h
arp.h ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled 2019-06-11 12:22:49 +02:00
atmclip.h
ax25.h ax25: fix possible use-after-free 2019-02-23 09:05:59 +01:00
ax88796.h
bond_3ad.h
bond_alb.h
bond_options.h
bonding.h bonding: wait for sysfs kobject destruction before freeing struct slave 2020-12-11 13:37:57 +01:00
busy_poll.h net: Fix a data-race around sysctl_net_busy_poll. 2022-09-05 10:23:55 +02:00
calipso.h
cfg80211-wext.h
cfg80211.h mac80211: properly handle A-MSDUs that start with an RFC 1042 header 2021-06-03 08:23:28 +02:00
cfg802154.h
checksum.h openvswitch: Fix setting ipv6 fields causing hw csum failure 2022-03-02 11:32:02 +01:00
cipso_ipv4.h
cls_cgroup.h
codel.h
codel_impl.h
codel_qdisc.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h
dn.h
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
dsa.h
dsfield.h
dst.h net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb 2020-07-22 09:10:48 +02:00
dst_cache.h
dst_metadata.h net: fix a memleak when uncloning an skb dst and its metadata 2022-02-16 12:43:54 +01:00
dst_ops.h
esp.h
ethoc.h
fib_rules.h fib: add missing attribute validation for tun_id 2020-03-20 09:07:39 +01:00
firewire.h
flow.h
flow_dissector.h net: sched: correct flower port blocking 2020-03-11 07:53:05 +01:00
flowcache.h
fou.h
fq.h net/flow_dissector: switch to siphash 2019-11-10 11:23:31 +01:00
fq_impl.h net/flow_dissector: switch to siphash 2019-11-10 11:23:31 +01:00
garp.h
gen_stats.h
genetlink.h genetlink: remove genl_bind 2020-07-22 09:10:48 +02:00
geneve.h
gre.h
gro_cells.h gro_cells: make sure device is up in gro_cells_receive() 2019-03-19 13:14:10 +01:00
gtp.h
gue.h
hwbm.h
icmp.h net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-03-03 17:44:46 +01:00
ieee80211_radiotap.h
ieee802154_netdev.h net: ieee802154: return -EINVAL for unknown addr type 2022-10-26 13:15:48 +02:00
if_inet6.h
ila.h
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h
inet_connection_sock.h net: refactor bind_bucket fastreuse into helper 2020-09-12 11:47:38 +02:00
inet_ecn.h vlan: consolidate VLAN parsing code and limit max parsing depth 2020-12-11 13:37:58 +01:00
inet_frag.h net: IP defrag: encapsulate rbtree defrag code into callable functions 2019-05-02 09:32:06 +02:00
inet_hashtables.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-06-25 11:45:19 +02:00
inet_sock.h tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. 2022-07-29 17:05:45 +02:00
inet_timewait_sock.h soreuseport: initialise timewait reuseport field 2018-05-16 10:08:41 +02:00
inetpeer.h net: ipv4: use a dedicated counter for icmp_v4 redirect packets 2019-02-23 09:05:59 +01:00
ip.h ip: Fix a data-race around sysctl_fwmark_reflect. 2022-07-29 17:05:45 +02:00
ip6_checksum.h
ip6_fib.h ipv6: fix sparse warning on rt6i_node 2017-09-20 08:19:53 +02:00
ip6_route.h net: ipv6: fix return value of ip6_skb_dst_mtu 2021-07-28 09:14:25 +02:00
ip6_tunnel.h ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL 2019-07-21 09:05:57 +02:00
ip_fib.h net: ipv4: Fix memory leak in network namespace dismantle 2019-01-31 08:12:33 +01:00
ip_tunnels.h
ip_vs.h ipvs: move old_secure_tcp into struct netns_ipvs 2019-11-12 19:15:57 +01:00
ipcomp.h
ipconfig.h
ipv6.h net: ipv6: add net argument to ip6_dst_lookup_flow 2020-05-20 08:15:30 +02:00
ipv6_frag.h ip6: fix skb leak in ip6frag_expire_frag_queue() 2019-09-16 08:19:33 +02:00
ipx.h
iw_handler.h wext: handle NULL extra data in iwe_stream_add_point better 2017-08-11 08:49:34 -07:00
kcm.h
l3mdev.h ipvlan, l3mdev: fix broken l3s mode wrt local routes 2019-02-06 17:33:27 +01:00
lapb.h
lib80211.h
llc.h llc: fix out-of-bound array index in llc_sk_dev_hash() 2021-11-26 11:48:39 +01:00
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h llc: fix sk_buff leak in llc_conn_service() 2019-11-06 12:18:24 +01:00
llc_if.h
llc_pdu.h net: llc: fix skb_over_panic 2021-08-04 11:58:03 +02:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
lwtunnel.h
mac80211.h mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 2018-05-30 07:50:28 +02:00
mac802154.h
mip6.h
mld.h
mpls.h
mpls_iptunnel.h
mrp.h mrp: introduce active flags to prevent UAF when applicant uninit 2023-01-07 12:07:32 +01:00
ncsi.h
ndisc.h
neighbour.h net: add annotations on hh->hh_len lockless accesses 2020-01-12 11:24:19 +01:00
net_namespace.h netns: provide pure entropy for net_hash_mix() 2019-04-17 08:36:46 +02:00
net_ratelimit.h
netevent.h
netlabel.h
netlink.h netlink: fix nla_put_{u8,u16,u32} for KASAN 2017-10-12 11:51:25 +02:00
netprio_cgroup.h
netrom.h
nexthop.h net: fix rtnh_ok() 2018-05-16 10:08:41 +02:00
nl802154.h net: ieee802154: handle iftypes as u32 2021-12-08 08:45:03 +01:00
p8022.h
ping.h
pkt_cls.h
pkt_sched.h
pptp.h
protocol.h
psnap.h
raw.h
rawv6.h
red.h sch_red: fix off-by-one checks in red_check_params() 2021-04-16 11:59:07 +02:00
regulatory.h regulatory: add NUL to request alpha2 2018-05-30 07:50:30 +02:00
request_sock.h
rose.h
route.h ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu 2018-05-30 07:50:36 +02:00
rtnetlink.h can: dev: Move device back to init netns on owning netns delete 2021-03-30 14:41:42 +02:00
sch_generic.h net_sched: restore "mpu xxx" handling 2022-01-27 08:47:42 +01:00
scm.h
secure_seq.h secure_seq: use the 64 bits of the siphash for port offset calculation 2022-06-25 11:45:19 +02:00
slhc_vj.h slip: Check if rstate is initialized before uncompressing 2018-04-20 08:21:07 +02:00
snmp.h
sock.h inet: fully convert sk->sk_rx_dst to RCU rules 2022-10-26 13:15:48 +02:00
sock_reuseport.h
stp.h
strparser.h
switchdev.h
tcp.h tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited 2022-10-26 13:15:40 +02:00
tcp_states.h
timewait_sock.h
transp_v6.h
tso.h
udp.h
udp_tunnel.h
udplite.h udplite: fix partial checksum initialization 2018-03-11 16:21:32 +01:00
vsock_addr.h
vxlan.h vxlan: fix hlist corruption 2017-07-21 07:42:18 +02:00
wext.h
wimax.h
x25.h net: x25: fix one potential use-after-free issue 2018-04-13 19:48:00 +02:00
x25device.h
xfrm.h xfrm: policy: match with both mark and mask on user interfaces 2022-04-20 09:06:44 +02:00