mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-13 22:25:03 +00:00
10414014bc
syzbot reported that xt_LED may try to use the ledinternal->timer
without previously initializing it:
------------[ cut here ]------------
kernel BUG at kernel/time/timer.c:958!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 1826 Comm: kworker/1:2 Not tainted 4.15.0+ #306
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:__mod_timer kernel/time/timer.c:958 [inline]
RIP: 0010:mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102
RSP: 0018:ffff8801d24fe9f8 EFLAGS: 00010293
RAX: ffff8801d25246c0 RBX: ffff8801aec6cb50 RCX: ffffffff816052c6
RDX: 0000000000000000 RSI: 00000000fffbd14b RDI: ffff8801aec6cb68
RBP: ffff8801d24fec98 R08: 0000000000000000 R09: 1ffff1003a49fd6c
R10: ffff8801d24feb28 R11: 0000000000000005 R12: dffffc0000000000
R13: ffff8801d24fec70 R14: 00000000fffbd14b R15: ffff8801af608f90
FS: 0000000000000000(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000206d6fd0 CR3: 0000000006a22001 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
led_tg+0x1db/0x2e0 net/netfilter/xt_LED.c:75
ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365
ip6table_raw_hook+0x65/0x80 net/ipv6/netfilter/ip6table_raw.c:42
nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
nf_hook.constprop.27+0x3f6/0x830 include/linux/netfilter.h:243
NF_HOOK include/linux/netfilter.h:286 [inline]
ndisc_send_skb+0xa51/0x1370 net/ipv6/ndisc.c:491
ndisc_send_ns+0x38a/0x870 net/ipv6/ndisc.c:633
addrconf_dad_work+0xb9e/0x1320 net/ipv6/addrconf.c:4008
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113
worker_thread+0x223/0x1990 kernel/workqueue.c:2247
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429
Code: 85 2a 0b 00 00 4d 8b 3c 24 4d 85 ff 75 9f 4c 8b bd 60 fd ff ff e8 bb
57 10 00 65 ff 0d 94 9a a1 7e e9 d9 fc ff ff e8 aa 57 10 00 <0f> 0b e8 a3
57 10 00 e9 14 fb ff ff e8 99 57 10 00 4c 89 bd 70
RIP: __mod_timer kernel/time/timer.c:958 [inline] RSP: ffff8801d24fe9f8
RIP: mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102 RSP: ffff8801d24fe9f8
---[ end trace f661ab06f5dd8b3d ]---
The ledinternal struct can be shared between several different
xt_LED targets, but the related timer is currently initialized only
if the first target requires it. Fix it by unconditionally
initializing the timer struct.
v1 -> v2: call del_timer_sync() unconditionally, too.
Fixes: 268cb38e18
("netfilter: x_tables: add LED trigger target")
Reported-by: syzbot+10c98dc5725c6c8fc7fb@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
216 lines
5.6 KiB
C
216 lines
5.6 KiB
C
/*
|
|
* xt_LED.c - netfilter target to make LEDs blink upon packet matches
|
|
*
|
|
* Copyright (C) 2008 Adam Nielsen <a.nielsen@shikadi.net>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; version 2 of the License.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301 USA.
|
|
*
|
|
*/
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
#include <linux/module.h>
|
|
#include <linux/skbuff.h>
|
|
#include <linux/netfilter/x_tables.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/leds.h>
|
|
#include <linux/mutex.h>
|
|
|
|
#include <linux/netfilter/xt_LED.h>
|
|
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_AUTHOR("Adam Nielsen <a.nielsen@shikadi.net>");
|
|
MODULE_DESCRIPTION("Xtables: trigger LED devices on packet match");
|
|
MODULE_ALIAS("ipt_LED");
|
|
MODULE_ALIAS("ip6t_LED");
|
|
|
|
static LIST_HEAD(xt_led_triggers);
|
|
static DEFINE_MUTEX(xt_led_mutex);
|
|
|
|
/*
|
|
* This is declared in here (the kernel module) only, to avoid having these
|
|
* dependencies in userspace code. This is what xt_led_info.internal_data
|
|
* points to.
|
|
*/
|
|
struct xt_led_info_internal {
|
|
struct list_head list;
|
|
int refcnt;
|
|
char *trigger_id;
|
|
struct led_trigger netfilter_led_trigger;
|
|
struct timer_list timer;
|
|
};
|
|
|
|
#define XT_LED_BLINK_DELAY 50 /* ms */
|
|
|
|
static unsigned int
|
|
led_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
|
{
|
|
const struct xt_led_info *ledinfo = par->targinfo;
|
|
struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
|
|
unsigned long led_delay = XT_LED_BLINK_DELAY;
|
|
|
|
/*
|
|
* If "always blink" is enabled, and there's still some time until the
|
|
* LED will switch off, briefly switch it off now.
|
|
*/
|
|
if ((ledinfo->delay > 0) && ledinfo->always_blink &&
|
|
timer_pending(&ledinternal->timer))
|
|
led_trigger_blink_oneshot(&ledinternal->netfilter_led_trigger,
|
|
&led_delay, &led_delay, 1);
|
|
else
|
|
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_FULL);
|
|
|
|
/* If there's a positive delay, start/update the timer */
|
|
if (ledinfo->delay > 0) {
|
|
mod_timer(&ledinternal->timer,
|
|
jiffies + msecs_to_jiffies(ledinfo->delay));
|
|
|
|
/* Otherwise if there was no delay given, blink as fast as possible */
|
|
} else if (ledinfo->delay == 0) {
|
|
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
|
|
}
|
|
|
|
/* else the delay is negative, which means switch on and stay on */
|
|
|
|
return XT_CONTINUE;
|
|
}
|
|
|
|
static void led_timeout_callback(struct timer_list *t)
|
|
{
|
|
struct xt_led_info_internal *ledinternal = from_timer(ledinternal, t,
|
|
timer);
|
|
|
|
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
|
|
}
|
|
|
|
static struct xt_led_info_internal *led_trigger_lookup(const char *name)
|
|
{
|
|
struct xt_led_info_internal *ledinternal;
|
|
|
|
list_for_each_entry(ledinternal, &xt_led_triggers, list) {
|
|
if (!strcmp(name, ledinternal->netfilter_led_trigger.name)) {
|
|
return ledinternal;
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
static int led_tg_check(const struct xt_tgchk_param *par)
|
|
{
|
|
struct xt_led_info *ledinfo = par->targinfo;
|
|
struct xt_led_info_internal *ledinternal;
|
|
int err;
|
|
|
|
if (ledinfo->id[0] == '\0')
|
|
return -EINVAL;
|
|
|
|
mutex_lock(&xt_led_mutex);
|
|
|
|
ledinternal = led_trigger_lookup(ledinfo->id);
|
|
if (ledinternal) {
|
|
ledinternal->refcnt++;
|
|
goto out;
|
|
}
|
|
|
|
err = -ENOMEM;
|
|
ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
|
|
if (!ledinternal)
|
|
goto exit_mutex_only;
|
|
|
|
ledinternal->trigger_id = kstrdup(ledinfo->id, GFP_KERNEL);
|
|
if (!ledinternal->trigger_id)
|
|
goto exit_internal_alloc;
|
|
|
|
ledinternal->refcnt = 1;
|
|
ledinternal->netfilter_led_trigger.name = ledinternal->trigger_id;
|
|
|
|
err = led_trigger_register(&ledinternal->netfilter_led_trigger);
|
|
if (err) {
|
|
pr_info_ratelimited("Trigger name is already in use.\n");
|
|
goto exit_alloc;
|
|
}
|
|
|
|
/* Since the letinternal timer can be shared between multiple targets,
|
|
* always set it up, even if the current target does not need it
|
|
*/
|
|
timer_setup(&ledinternal->timer, led_timeout_callback, 0);
|
|
|
|
list_add_tail(&ledinternal->list, &xt_led_triggers);
|
|
|
|
out:
|
|
mutex_unlock(&xt_led_mutex);
|
|
|
|
ledinfo->internal_data = ledinternal;
|
|
|
|
return 0;
|
|
|
|
exit_alloc:
|
|
kfree(ledinternal->trigger_id);
|
|
|
|
exit_internal_alloc:
|
|
kfree(ledinternal);
|
|
|
|
exit_mutex_only:
|
|
mutex_unlock(&xt_led_mutex);
|
|
|
|
return err;
|
|
}
|
|
|
|
static void led_tg_destroy(const struct xt_tgdtor_param *par)
|
|
{
|
|
const struct xt_led_info *ledinfo = par->targinfo;
|
|
struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
|
|
|
|
mutex_lock(&xt_led_mutex);
|
|
|
|
if (--ledinternal->refcnt) {
|
|
mutex_unlock(&xt_led_mutex);
|
|
return;
|
|
}
|
|
|
|
list_del(&ledinternal->list);
|
|
|
|
del_timer_sync(&ledinternal->timer);
|
|
|
|
led_trigger_unregister(&ledinternal->netfilter_led_trigger);
|
|
|
|
mutex_unlock(&xt_led_mutex);
|
|
|
|
kfree(ledinternal->trigger_id);
|
|
kfree(ledinternal);
|
|
}
|
|
|
|
static struct xt_target led_tg_reg __read_mostly = {
|
|
.name = "LED",
|
|
.revision = 0,
|
|
.family = NFPROTO_UNSPEC,
|
|
.target = led_tg,
|
|
.targetsize = sizeof(struct xt_led_info),
|
|
.usersize = offsetof(struct xt_led_info, internal_data),
|
|
.checkentry = led_tg_check,
|
|
.destroy = led_tg_destroy,
|
|
.me = THIS_MODULE,
|
|
};
|
|
|
|
static int __init led_tg_init(void)
|
|
{
|
|
return xt_register_target(&led_tg_reg);
|
|
}
|
|
|
|
static void __exit led_tg_exit(void)
|
|
{
|
|
xt_unregister_target(&led_tg_reg);
|
|
}
|
|
|
|
module_init(led_tg_init);
|
|
module_exit(led_tg_exit);
|