From: Stefan Schmidt <stefan@datenfreihafen.org>
To: Fedor Pchelkin <pchelkin@ispras.ru>,
Alexander Aring <alex.aring@gmail.com>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>,
linux-wpan@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
lvc-project@linuxtesting.org, stable@vger.kernel.org
Subject: Re: [PATCH wpan] mac802154: fix llsec key resources release in mac802154_llsec_key_del
Date: Wed, 6 Mar 2024 22:19:34 +0100 [thread overview]
Message-ID: <4c716d9f-fe03-44f7-8cc7-211a64aae94c@datenfreihafen.org> (raw)
In-Reply-To: <20240228163840.6667-1-pchelkin@ispras.ru>
Hello.
On 28.02.24 17:38, Fedor Pchelkin wrote:
> mac802154_llsec_key_del() can free resources of a key directly without
> following the RCU rules for waiting before the end of a grace period. This
> may lead to use-after-free in case llsec_lookup_key() is traversing the
> list of keys in parallel with a key deletion:
>
> refcount_t: addition on 0; use-after-free.
> WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0
> Modules linked in:
> CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> RIP: 0010:refcount_warn_saturate+0x162/0x2a0
> Call Trace:
> <TASK>
> llsec_lookup_key.isra.0+0x890/0x9e0
> mac802154_llsec_encrypt+0x30c/0x9c0
> ieee802154_subif_start_xmit+0x24/0x1e0
> dev_hard_start_xmit+0x13e/0x690
> sch_direct_xmit+0x2ae/0xbc0
> __dev_queue_xmit+0x11dd/0x3c20
> dgram_sendmsg+0x90b/0xd60
> __sys_sendto+0x466/0x4c0
> __x64_sys_sendto+0xe0/0x1c0
> do_syscall_64+0x45/0xf0
> entry_SYSCALL_64_after_hwframe+0x6e/0x76
>
> Also, ieee802154_llsec_key_entry structures are not freed by
> mac802154_llsec_key_del():
>
> unreferenced object 0xffff8880613b6980 (size 64):
> comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s)
> hex dump (first 32 bytes):
> 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......".......
> 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................
> backtrace:
> [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0
> [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0
> [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0
> [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80
> [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0
> [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0
> [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0
> [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440
> [<ffffffff86ff1d88>] genl_rcv+0x28/0x40
> [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820
> [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60
> [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0
> [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0
> [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0
> [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0
> [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
>
> Handle the proper resource release in the RCU callback function
> mac802154_llsec_key_del_rcu().
>
> Note that if llsec_lookup_key() finds a key, it gets a refcount via
> llsec_key_get() and locally copies key id from key_entry (which is a
> list element). So it's safe to call llsec_key_put() and free the list
> entry after the RCU grace period elapses.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: 5d637d5aabd8 ("mac802154: add llsec structures and mutators")
> Cc: stable@vger.kernel.org
> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
This patch has been applied to the wpan-next tree and will be
part of the next pull request to net-next. Thanks!
regards
Stefan Schmidt
prev parent reply other threads:[~2024-03-06 21:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-28 16:38 [PATCH wpan] mac802154: fix llsec key resources release in mac802154_llsec_key_del Fedor Pchelkin
2024-03-03 23:19 ` Alexander Aring
2024-03-04 7:24 ` Fedor Pchelkin
2024-03-06 13:51 ` Alexander Aring
2024-03-06 21:19 ` Stefan Schmidt [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4c716d9f-fe03-44f7-8cc7-211a64aae94c@datenfreihafen.org \
--to=stefan@datenfreihafen.org \
--cc=alex.aring@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=khoroshilov@ispras.ru \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wpan@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=miquel.raynal@bootlin.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pchelkin@ispras.ru \
--cc=phoebe.buckheister@itwm.fraunhofer.de \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).