linux-stable

History

Fedor Pchelkin 49c8951680 mac802154: fix llsec key resources release in mac802154_llsec_key_del [ Upstream commit `e8a1e58345` ] mac802154_llsec_key_del() can free resources of a key directly without following the RCU rules for waiting before the end of a grace period. This may lead to use-after-free in case llsec_lookup_key() is traversing the list of keys in parallel with a key deletion: refcount_t: addition on 0; use-after-free. WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0 Modules linked in: CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:refcount_warn_saturate+0x162/0x2a0 Call Trace: <TASK> llsec_lookup_key.isra.0+0x890/0x9e0 mac802154_llsec_encrypt+0x30c/0x9c0 ieee802154_subif_start_xmit+0x24/0x1e0 dev_hard_start_xmit+0x13e/0x690 sch_direct_xmit+0x2ae/0xbc0 __dev_queue_xmit+0x11dd/0x3c20 dgram_sendmsg+0x90b/0xd60 __sys_sendto+0x466/0x4c0 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x45/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Also, ieee802154_llsec_key_entry structures are not freed by mac802154_llsec_key_del(): unreferenced object 0xffff8880613b6980 (size 64): comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s) hex dump (first 32 bytes): 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x......."....... 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................ backtrace: [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0 [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0 [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0 [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80 [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0 [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0 [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0 [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440 [<ffffffff86ff1d88>] genl_rcv+0x28/0x40 [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820 [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60 [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0 [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0 [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0 [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0 [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 Handle the proper resource release in the RCU callback function mac802154_llsec_key_del_rcu(). Note that if llsec_lookup_key() finds a key, it gets a refcount via llsec_key_get() and locally copies key id from key_entry (which is a list element). So it's safe to call llsec_key_put() and free the list entry after the RCU grace period elapses. Found by Linux Verification Center (linuxtesting.org). Fixes: `5d637d5aab` ("mac802154: add llsec structures and mutators") Cc: stable@vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Acked-by: Alexander Aring <aahringo@redhat.com> Message-ID: <20240228163840.6667-1-pchelkin@ispras.ru> Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2024-04-03 15:32:15 +02:00
..
6lowpan	net: fill in MODULE_DESCRIPTION()s for 6LoWPAN	2024-02-09 14:12:01 -08:00
9p	net: 9p: avoid freeing uninit memory in p9pdu_vreadf	2023-12-13 05:44:30 +09:00
802	…
8021q	vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING	2024-01-19 21:25:06 -08:00
appletalk	net: remove SOCK_DEBUG leftovers	2023-12-26 20:31:01 +00:00
atm	net: fill in MODULE_DESCRIPTION()s for mpoa	2024-02-09 14:12:01 -08:00
ax25	…
batman-adv	batman-adv: mcast: fix memory leak on deleting a batman-adv interface	2024-01-27 09:13:39 +01:00
bluetooth	Bluetooth: Fix eir name length	2024-03-26 18:16:56 -04:00
bpf	bpf: Fix dtor CFI	2023-12-15 16:25:55 -08:00
bridge	netfilter: bridge: confirm multicast packets before passing them up the stack	2024-02-29 00:22:44 +01:00
caif	net: fill in MODULE_DESCRIPTION()s for CAIF	2024-01-05 08:06:35 -08:00
can	can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)	2024-02-14 13:53:03 +01:00
ceph	libceph: init the cursor when preparing sparse read in msgr2	2024-03-06 12:43:01 +01:00
core	net: report RCU QS on threaded NAPI repolling	2024-03-26 18:17:38 -04:00
dcb	…
dccp	net: remove SOCK_DEBUG leftovers	2023-12-26 20:31:01 +00:00
devlink	devlink: fix port new reply cmd type	2024-03-26 18:17:36 -04:00
dns_resolver	Networking changes for 6.8.	2024-01-11 10:07:29 -08:00
dsa	net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events	2024-01-11 16:33:52 -08:00
ethernet	…
ethtool	ethtool: netlink: Add missing ethnl_ops_begin/complete	2024-01-18 13:21:06 +01:00
handshake	net/handshake: Fix handshake_req_destroy_test1	2024-02-08 18:32:29 -08:00
hsr	hsr: Handle failures in module init	2024-03-26 18:17:36 -04:00
ieee802154	mac802154: Avoid new associations while disassociating	2023-12-15 11:14:57 +01:00
ife	net: sched: ife: fix potential use-after-free	2023-12-15 10:50:18 +00:00
ipv4	ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels	2024-03-26 18:17:36 -04:00
ipv6	ipv6: fib6_rules: flush route cache when rule is changed	2024-03-26 18:16:55 -04:00
iucv	net/iucv: fix the allocation size of iucv_path_table array	2024-02-16 09:25:09 +00:00
kcm	net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function	2024-03-26 18:16:57 -04:00
key	net: fill in MODULE_DESCRIPTION()s for af_key	2024-02-09 14:12:01 -08:00
l2tp	l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function	2024-03-26 18:16:57 -04:00
l3mdev	…
lapb	…
llc	llc: call sock_orphan() at release time	2024-01-30 13:49:09 +01:00
mac80211	wifi: mac80211: track capability/opmode NSS separately	2024-04-03 15:32:11 +02:00
mac802154	mac802154: fix llsec key resources release in mac802154_llsec_key_del	2024-04-03 15:32:15 +02:00
mctp	net: mctp: copy skb ext data when fragmenting	2024-03-26 18:16:49 -04:00
mpls	…
mptcp	mptcp: fix possible deadlock in subflow diag	2024-02-26 18:41:56 -08:00
ncsi	…
netfilter	netfilter: nf_tables: Fix a memory leak in nf_tables_updchain	2024-03-26 18:17:38 -04:00
netlabel	calipso: fix memory leak in netlbl_calipso_add_pass()	2023-12-07 14:23:12 -05:00
netlink	netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter	2024-02-22 18:56:09 -08:00
netrom	netrom: Fix data-races around sysctl_net_busy_read	2024-03-07 10:36:58 +01:00
nfc	nfc: nci: free rx_data_reassembly skb on NCI device cleanup	2024-01-29 12:05:31 +00:00
nsh	…
openvswitch	net: openvswitch: limit the number of recursions from action sets	2024-02-09 12:54:38 -08:00
packet	packet: annotate data-races around ignore_outgoing	2024-03-26 18:17:34 -04:00
phonet	phonet/pep: fix racy skb_queue_empty() use	2024-02-22 09:05:50 +01:00
psample	genetlink: Use internal flags for multicast groups	2023-12-29 08:43:59 +00:00
qrtr	net: qrtr: ns: Return 0 if server port is not present	2024-01-01 18:41:29 +00:00
rds	rds: introduce acquire/release ordering in acquire/release_in_xmit()	2024-03-26 18:17:35 -04:00
rfkill	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2023-12-21 22:17:23 +01:00
rose	net/rose: fix races in rose_kill_by_device()	2023-12-15 11:59:53 +00:00
rxrpc	rxrpc: Fix counting of new acks and nacks	2024-02-05 12:34:07 +00:00
sched	net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check	2024-03-26 18:17:32 -04:00
sctp	net: sctp: fix skb leak in sctp_inq_free()	2024-02-15 07:34:52 -08:00
smc	net: smc: fix spurious error message from __sock_release()	2024-02-14 10:56:02 +00:00
strparser	…
sunrpc	net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()	2024-03-26 18:17:24 -04:00
switchdev	net: bridge: switchdev: Skip MDB replays of deferred events on offload	2024-02-16 09:36:37 +00:00
tipc	tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()	2024-02-06 08:49:26 +01:00
tls	tls: fix use-after-free on failed backlog decryption	2024-02-29 09:07:16 -08:00
unix	af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().	2024-03-26 18:16:34 -04:00
vmw_vsock	vsock/virtio: use skb_frag_*() helpers	2024-01-03 18:37:16 -08:00
wireless	wifi: cfg80211: set correct param change count in ML element	2024-03-26 18:16:46 -04:00
x25	net/x25: fix incorrect parameter validation in the x25_getsockopt() function	2024-03-26 18:16:57 -04:00
xdp	xsk: Add truesize to skb_add_rx_frag().	2024-02-13 23:10:29 +01:00
xfrm	xfrm: Allow UDP encapsulation only in offload modes	2024-03-26 18:17:34 -04:00
Kconfig	bpfilter: remove bpfilter	2024-01-04 10:23:10 -08:00
Kconfig.debug	…
Makefile	bpfilter: remove bpfilter	2024-01-04 10:23:10 -08:00
compat.c	file: stop exposing receive_fd_user()	2023-12-12 14:24:14 +01:00
devres.c	…
socket.c	vfs-6.8.iov_iter	2024-01-08 11:43:04 -08:00
sysctl_net.c	…