kernel_optimize_test/drivers
Duoming Zhou f67a140078 drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
commit efe4186e6a1b54bf38b9e05450d43b0da1fd7739 upstream.

When a 6pack device is detaching, the sixpack_close() will act to clean up
necessary resources. Although del_timer_sync() in sixpack_close()
won't return if there is an active timer, one could use mod_timer() in
sp_xmit_on_air() to wake up the timer again by calling userspace syscalls such
as ax25_sendmsg(), ax25_connect() and ax25_ioctl().

This unexpectedly woken handler, sp_xmit_on_air(), realizes nothing about
the ongoing cleanup and may still call pty_write() to use driver-layer
resources that have already been released.

One of the possible race conditions is shown below:

      (USE)                      |      (FREE)
ax25_sendmsg()                   |
 ax25_queue_xmit()               |
  ...                            |
  sp_xmit()                      |
   sp_encaps()                   | sixpack_close()
    sp_xmit_on_air()             |  del_timer_sync(&sp->tx_t)
     mod_timer(&sp->tx_t,...)    |  ...
                                 |  unregister_netdev()
                                 |  ...
     (wait a while)              | tty_release()
                                 |  tty_release_struct()
                                 |   release_tty()
    sp_xmit_on_air()             |    tty_kref_put(tty_struct) //FREE
     pty_write(tty_struct) //USE |    ...

The corresponding fail log is shown below:
===============================================================
BUG: KASAN: use-after-free in __run_timers.part.0+0x170/0x470
Write of size 8 at addr ffff88800a652ab8 by task swapper/2/0
...
Call Trace:
  ...
  queue_work_on+0x3f/0x50
  pty_write+0xcd/0xe0pty_write+0xcd/0xe0
  sp_xmit_on_air+0xb2/0x1f0
  call_timer_fn+0x28/0x150
  __run_timers.part.0+0x3c2/0x470
  run_timer_softirq+0x3b/0x80
  __do_softirq+0xf1/0x380
  ...

This patch reorders the del_timer_sync() after the unregister_netdev()
to avoid UAF bugs. Because the unregister_netdev() is well synchronized,
it flushes out any pending queues, waits for the refcount of net_device
to decrease to zero and removes net_device from the kernel. There are no
running routines after executing unregister_netdev(). Therefore, we could
not arouse the timer from userspace again.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-08 14:39:55 +02:00
accessibility speakup-dectlk: Restore pitch setting 2022-02-16 12:54:30 +01:00
acpi ACPI: properties: Consistently return -ENOENT if there are no more references 2022-04-08 14:39:55 +02:00
amba ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" 2021-11-06 14:10:09 +01:00
android binder: fix handling of error during copy 2022-01-27 10:54:06 +01:00
ata ata: pata_hpt37x: fix PCI clock detection 2022-03-08 19:09:31 +01:00
atm atm: eni: Add check for dma_map_single 2022-03-23 09:13:27 +01:00
auxdisplay auxdisplay: ht16k33: Fix frame buffer device blanking 2021-11-18 14:04:24 +01:00
base driver core: Free DMA range map when device is released 2022-03-02 11:42:56 +01:00
bcma bcma: Fix memory leak for internally-handled cores 2021-09-15 09:50:45 +02:00
block drbd: fix potential silent data corruption 2022-04-08 14:39:54 +02:00
bluetooth Bluetooth: vhci: Set HCI_QUIRK_VALID_LE_STATES 2022-01-27 10:54:18 +01:00
bus Revert "drivers: bus: simple-pm-bus: Add support for probing simple bus only devices" 2022-02-05 12:37:55 +01:00
cdrom
char tpm: fix reference counting for struct tpm_chip 2022-04-08 14:39:48 +02:00
clk clk: uniphier: Fix fixed-rate initialization 2022-04-08 14:39:50 +02:00
clocksource ARM: dts: Use 32KiHz oscillator on devkit8000 2022-03-08 19:09:36 +01:00
connector
counter counter: stm32-lptimer-cnt: remove iio counter abi 2022-01-27 10:54:08 +01:00
cpufreq cpufreq: Fix initialization of min and max frequency QoS requests 2022-01-27 10:54:17 +01:00
cpuidle cpuidle: Fix kobject memory leaks in error paths 2021-11-18 14:04:05 +01:00
crypto crypto: qat - disable registration of algorithms 2022-03-28 09:57:10 +02:00
dax
dca
devfreq
dio
dma dmaengine: shdma: Fix runtime PM imbalance on error 2022-03-08 19:09:30 +01:00
dma-buf dma-buf: heaps: Fix potential spectre v1 gadget 2022-02-08 18:30:36 +01:00
edac EDAC: Fix calculation of returned address and next offset in edac_align_ptr() 2022-02-23 12:01:07 +01:00
eisa
extcon
firewire
firmware firmware: stratix10-svc: add missing callback parameter on RSU 2022-04-08 14:39:50 +02:00
fpga fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() 2021-09-30 10:11:04 +02:00
fsi
gnss
gpio Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)" 2022-04-08 14:39:48 +02:00
gpu drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings 2022-03-23 09:13:28 +01:00
greybus greybus: svc: fix an error handling bug in gb_svc_hello() 2022-04-08 14:39:50 +02:00
hid HID: intel-ish-hid: Use dma_alloc_coherent for firmware update 2022-04-08 14:39:50 +02:00
hsi HSI: core: Fix return freed object in hsi_new_client 2022-01-27 10:54:12 +01:00
hv hv: utils: add PTP_1588_CLOCK to Kconfig to fix build 2022-04-08 14:39:46 +02:00
hwmon hwmon: (pmbus) Clear pmbus fault/warning bits after read 2022-03-16 14:16:00 +01:00
hwspinlock
hwtracing coresight: Fix TRCCONFIGR.QE sysfs interface 2022-04-08 14:39:49 +02:00
i2c i2c: qup: allow COMPILE_TEST 2022-03-08 19:09:30 +01:00
i3c
ide
idle
iio iio: inkern: make a best effort on offset calculation 2022-04-08 14:39:50 +02:00
infiniband RDMA/cma: Do not change route.addr.src_addr outside state checks 2022-03-02 11:42:56 +01:00
input Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" 2022-04-08 14:39:53 +02:00
interconnect treewide: Change list_sort to use const pointers 2021-09-30 10:11:04 +02:00
iommu iommu/iova: Improve 32-bit free space estimate 2022-04-08 14:39:48 +02:00
ipack ipack: ipoctal: fix module reference leak 2021-10-06 15:56:01 +02:00
irqchip irqchip/sifive-plic: Add missing thead,c900-plic match string 2022-02-23 12:01:05 +01:00
isdn isdn: hfcpci: check the return value of dma_set_mask() in setup_hw() 2022-03-16 14:15:57 +01:00
leds leds: trigger: audio: Add an activate callback to ensure the initial brightness is set 2021-09-15 09:50:36 +02:00
lightnvm
macintosh
mailbox soc: mediatek: cmdq: add address shift in jump 2021-09-18 13:40:16 +02:00
mcb mcb: fix error handling in mcb_alloc_bus() 2021-09-30 10:11:00 +02:00
md dm integrity: set journal entry unused when shrinking device 2022-04-08 14:39:54 +02:00
media media: venus: core: Drop second v4l2 device unregister 2022-02-01 17:25:38 +01:00
memory memory: renesas-rpc-if: Return error in case devm_ioremap_resource() fails 2022-01-27 10:53:48 +01:00
memstick memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() 2021-11-18 14:04:07 +01:00
message
mfd mfd: atmel-flexcom: Use .resume_noirq 2022-01-27 10:53:51 +01:00
misc mei: avoid iterator usage outside of list_for_each_entry 2022-04-08 14:39:49 +02:00
mmc mmc: meson: Fix usage of meson_mmc_post_req() 2022-03-16 14:16:01 +01:00
most most: fix control-message timeouts 2021-11-18 14:03:51 +01:00
mtd mtd: rawnand: protect access to rawnand devices while in suspend 2022-04-08 14:39:51 +02:00
mux
net drivers: hamradio: 6pack: fix UAF bug caused by mod_timer() 2022-04-08 14:39:55 +02:00
nfc nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION 2022-03-28 09:57:07 +02:00
ntb ntb: intel: fix port config status offset for SPR 2022-03-08 19:09:32 +01:00
nubus
nvdimm libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind 2021-09-18 13:40:36 +02:00
nvme nvme-rdma: fix possible use-after-free in transport error_recovery work 2022-02-23 12:01:00 +01:00
nvmem nvmem: core: set size for sysfs bin file 2022-01-27 10:54:22 +01:00
of of: base: Improve argument length mismatch error 2022-01-27 10:54:28 +01:00
opp opp: Fix return in _opp_add_static_v2() 2021-11-18 14:04:22 +01:00
oprofile
parisc parisc: Fix sglist access in ccio-dma.c 2022-02-23 12:00:57 +01:00
parport parport: remove non-zero check on count 2021-09-18 13:40:34 +02:00
pci PCI: hv: Fix NUMA node assignment when kernel boots with custom NUMA topology 2022-02-23 12:00:57 +01:00
pcmcia pcmcia: fix setting of kthread task states 2022-01-27 10:54:03 +01:00
perf
phy phy: usb: Leave some clocks running during suspend 2022-02-23 12:01:05 +01:00
pinctrl pinctrl: samsung: drop pin banks references on error paths 2022-04-08 14:39:51 +02:00
platform surface: surface3_power: Fix battery readings on batteries without a serial number 2022-03-02 11:42:51 +01:00
pnp
power power: reset: mt6397: Check for null res pointer 2022-01-27 10:54:00 +01:00
powercap
pps
ps3
ptp ptp_pch: Load module automatically if ID matches 2021-10-13 10:04:27 +02:00
pwm pwm: stm32-lp: Don't modify HW state in .remove() callback 2021-09-26 14:09:01 +02:00
rapidio
ras
regulator regulator: core: fix false positive in regulator_late_cleanup() 2022-03-08 19:09:29 +01:00
remoteproc remoteproc: Fix count check in rproc_coredump_write() 2022-04-08 14:39:51 +02:00
reset reset: socfpga: add empty driver allowing consumers to probe 2021-11-18 14:03:42 +01:00
rpmsg rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev 2022-02-01 17:25:43 +01:00
rtc rtc: cmos: Evaluate century appropriate 2022-02-08 18:30:39 +01:00
s390 scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices 2022-02-01 17:25:39 +01:00
sbus
scsi scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands 2022-04-08 14:39:52 +02:00
sfi
sh maple: fix wrong return value of maple_bus_init(). 2021-11-26 10:39:12 +01:00
siox
slimbus slimbus: ngd: reset dma setup during runtime pm 2021-08-26 08:35:55 -04:00
soc soc: fsl: qe: Check of ioremap return value 2022-03-08 19:09:37 +01:00
soundwire soundwire: debugfs: use controller id and link_id for debugfs 2021-11-18 14:04:16 +01:00
spi spi: mxic: Fix the transmit path 2022-04-08 14:39:51 +02:00
spmi
ssb
staging staging: fbtft: fb_st7789v: reset display before initialization 2022-03-28 09:57:08 +02:00
target scsi: target: iscsi: Make sure the np under each tpg is unique 2022-02-16 12:54:19 +01:00
tc
tee optee: use driver internal tee_context for some rpc 2022-03-02 11:42:47 +01:00
thermal thermal: core: Fix TZ_GET_TRIP NULL pointer dereference 2022-03-08 19:09:32 +01:00
thunderbolt thunderbolt: Runtime PM activate both ends of the device link 2022-01-27 10:54:14 +01:00
tty serial: stm32: prevent TDR register overwrite when sending x_char 2022-03-08 19:09:30 +01:00
uio
usb xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx() 2022-04-08 14:39:49 +02:00
vdpa vdpa/mlx5: should verify CTRL_VQ feature exists for MQ 2022-04-08 14:39:47 +02:00
vfio vfio: Use config not menuconfig for VFIO_NOIOMMU 2021-09-18 13:40:12 +02:00
vhost vsock: each transport cycles only on its own sockets 2022-03-23 09:13:27 +01:00
video fbcon: Add option to enable legacy hardware acceleration 2022-02-08 18:30:40 +01:00
virt
virtio virtio: acknowledge all features before access 2022-03-16 14:16:02 +01:00
visorbus
vlynq
vme
w1 w1: Misuse of get_user()/put_user() reported by sparse 2022-01-27 10:54:22 +01:00
watchdog ar7: fix kernel builds for compiler test 2021-11-18 14:04:24 +01:00
xen xen/gnttab: fix gnttab_end_foreign_access() without page specified 2022-03-11 12:11:54 +01:00
zorro
Kconfig
Makefile