mirror/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
279d8ff5ec00b06a5dc9b90f3d00a5a5253aa95d
linux/net
History
Ziyang Xuan 44d8073200 net: qrtr: Fix a refcount bug in qrtr_recvmsg() 
Syzbot reported a bug as following:

refcount_t: addition on 0; use-after-free.
...
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
...
Call Trace:
 <TASK>
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 kref_get include/linux/kref.h:45 [inline]
 qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline]
 qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline]
 qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline]
 qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070
 sock_recvmsg_nosec net/socket.c:1017 [inline]
 sock_recvmsg+0xe2/0x160 net/socket.c:1038
 qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688
 process_one_work+0x991/0x15c0 kernel/workqueue.c:2390
 worker_thread+0x669/0x1090 kernel/workqueue.c:2537

It occurs in the concurrent scenario of qrtr_recvmsg() and
qrtr_endpoint_unregister() as following:

	cpu0					cpu1
qrtr_recvmsg				qrtr_endpoint_unregister
qrtr_send_resume_tx			qrtr_node_release
qrtr_node_lookup			mutex_lock(&qrtr_node_lock)
spin_lock_irqsave(&qrtr_nodes_lock, )	refcount_dec_and_test(&node->ref) [node->ref == 0]
radix_tree_lookup [node != NULL]	__qrtr_node_release
qrtr_node_acquire			spin_lock_irqsave(&qrtr_nodes_lock, )
kref_get(&node->ref) [WARNING]		...
					mutex_unlock(&qrtr_node_lock)

Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this
is actually improving the protection of node reference.

Fixes: 0a7e0d0ef0 ("net: qrtr: Migrate node lookup tree to spinlock")
Reported-by: syzbot+a7492efaa5d61b51db23@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=a7492efaa5d61b51db23
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-03-31 09:18:30 +01:00
..
6lowpan
9p
Merge tag '9p-6.3-for-linus-part1' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs
2023-03-01 08:52:49 -08:00
802
treewide: Convert del_timer*() to timer_shutdown*()
2022-12-25 13:38:09 -08:00
8021q
net: Remove the obsolte u64_stats_fetch_*_irq() users (net).
2022-10-28 20:13:54 -07:00
appletalk
atm
driver core: make struct class.dev_uevent() take a const *
2022-11-24 17:12:15 +01:00
ax25
ax25: af_ax25: Remove unnecessary (void*) conversions
2022-11-16 13:31:03 +00:00
batman-adv
batman-adv: tvlv: prepare for tvlv enabled multicast packet type
2023-01-21 19:01:59 +01:00
bluetooth
Bluetooth: HCI: Fix global-out-of-bounds
2023-03-23 13:09:38 -07:00
bpf
bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES
2023-03-06 11:15:54 -08:00
bpfilter
bridge
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
2023-02-22 21:25:23 -08:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-02 22:22:07 -08:00
can
can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
2023-03-27 14:40:45 +02:00
ceph
Merge tag 'net-next-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2023-02-21 18:24:12 -08:00
core
Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
2023-03-23 16:03:33 -07:00
dcb
net: dcb: add helper functions to retrieve PCP and DSCP rewrite maps
2023-01-20 09:33:22 +00:00
dccp
dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
2023-02-10 19:53:42 -08:00
devlink
devlink: drop leftover duplicate/unused code
2023-02-20 11:38:35 +00:00
dns_resolver
cred: Do not default to init_cred in prepare_kernel_cred()
2022-11-01 10:04:52 -07:00
dsa
net: dsa: sync unicast and multicast addresses for VLAN filters too
2023-03-30 11:32:46 -07:00
ethernet
net: ethernet: use sysfs_emit() to instead of scnprintf()
2022-12-07 20:02:44 -08:00
ethtool
net: ethtool: fix __ethtool_dev_mm_supported() implementation
2023-02-21 09:05:01 -08:00
hsr
hsr: ratelimit only when errors are printed
2023-03-16 21:11:03 -07:00
ieee802154
net: ieee802154: remove an unnecessary null pointer check
2023-03-17 09:13:53 +01:00
ife
ipv4
erspan: do not use skb_mac_header() in ndo_start_xmit()
2023-03-21 21:16:26 -07:00
ipv6
erspan: do not use skb_mac_header() in ndo_start_xmit()
2023-03-21 21:16:26 -07:00
iucv
net/iucv: Fix size of interrupt data
2023-03-16 17:34:40 -07:00
kcm
net/sock: Introduce trace_sk_data_ready()
2023-01-23 11:26:50 +00:00
key
af_key: Fix heap information leak
2023-02-13 09:30:14 +00:00
l2tp
l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
2023-02-20 09:25:20 +00:00
l3mdev
lapb
llc
mac80211
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
2023-03-30 11:19:53 +02:00
mac802154
Merge tag 'ieee802154-for-net-next-2023-02-20' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan-next
2023-02-20 16:40:52 -08:00
mctp
net: mctp: purge receive queues on sk destruction
2023-01-28 00:26:09 -08:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-15 10:26:37 +00:00
mptcp
mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket()
2023-03-10 21:42:56 -08:00
ncsi
net: Use of_property_read_bool() for boolean properties
2023-03-16 17:41:28 +00:00
netfilter
netfilter: nft_redir: correct value of inet type .maxattrs
2023-03-08 12:26:42 +01:00
netlabel
netlink
genetlink: Use string_is_terminated() helper
2023-02-09 22:30:24 -08:00
netrom
netrom: Fix use-after-free caused by accept on already connected socket
2023-01-30 07:30:47 +00:00
nfc
nfc: change order inside nfc_se_io error path
2023-03-07 13:37:05 -08:00
nsh
openvswitch
Merge tag 'mm-nonmm-stable-2023-02-20-15-29' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2023-02-23 17:55:40 -08:00
packet
net: no longer support SOCK_REFCNT_DEBUG feature
2023-02-15 10:25:21 +00:00
phonet
net/sock: Introduce trace_sk_data_ready()
2023-01-23 11:26:50 +00:00
psample
qrtr
net: qrtr: Fix a refcount bug in qrtr_recvmsg()
2023-03-31 09:18:30 +01:00
rds
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
2023-02-13 09:33:39 +00:00
rfkill
rfkill: Use sysfs_emit() to instead of sprintf()
2023-02-14 12:21:14 +01:00
rose
net/rose: Fix to not accept on connected socket
2023-01-28 00:19:57 -08:00
rxrpc
Merge tag 'net-next-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2023-02-21 18:24:12 -08:00
sched
net/sched: act_api: add specific EXT_WARN_MSG for tc action
2023-03-16 21:25:45 -07:00
sctp
sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
2023-02-23 12:59:40 -08:00
smc
net/smc: Fix device de-init sequence
2023-03-15 08:15:19 +00:00
strparser
sunrpc
Merge tag 'nfsd-6.3-4' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
2023-03-25 13:32:43 -07:00
switchdev
tipc
Merge tag 'net-next-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2023-02-21 18:24:12 -08:00
tls
net: tls: fix device-offloaded sendpage straddling records
2023-03-06 13:26:16 -08:00
unix
af_unix: fix struct pid leaks in OOB support
2023-03-08 23:26:03 -08:00
vmw_vsock
virtio/vsock: fix leaks due to missing skb owner
2023-03-31 08:58:13 +01:00
wireless
Merge tag 'net-6.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2023-03-17 13:31:16 -07:00
x25
net/x25: Fix to not accept on connected socket
2023-01-25 09:51:04 +00:00
xdp
xsk: Add missing overflow check in xdp_umem_reg
2023-03-16 16:02:55 +01:00
xfrm
Merge tag 'ipsec-2023-03-15' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
2023-03-16 17:23:48 -07:00
compat.c
use less confusing names for iov_iter direction initializers
2022-11-25 13:01:55 -05:00
devres.c
Kconfig
Kconfig.debug
Makefile
devlink: move code to a dedicated directory
2023-01-05 22:12:00 -08:00
socket.c
net: avoid double iput when sock_alloc_file fails
2023-03-08 23:26:51 -08:00
sysctl_net.c