iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers
History
Ziyang Xuan 196a888ca6 macsec: fix UAF bug for real_dev 
Create a new macsec device but not get reference to real_dev. That can
not ensure that real_dev is freed after macsec. That will trigger the
UAF bug for real_dev as following:

==================================================================
BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
Call Trace:
 ...
 macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
 dev_get_iflink+0x73/0xe0 net/core/dev.c:637
 default_operstate net/core/link_watch.c:42 [inline]
 rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54
 linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161

Allocated by task 22209:
 ...
 alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549
 rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235
 veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748

Freed by task 8:
 ...
 kfree+0xd6/0x4d0 mm/slub.c:4552
 kvfree+0x42/0x50 mm/util.c:615
 device_release+0x9f/0x240 drivers/base/core.c:2229
 kobject_cleanup lib/kobject.c:673 [inline]
 kobject_release lib/kobject.c:704 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1c8/0x540 lib/kobject.c:721
 netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327

After commit faab39f63c1f ("net: allow out-of-order netdev unregistration")
and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we
can add dev_hold_track() in macsec_dev_init() and dev_put_track() in
macsec_free_netdev() to fix the problem.

Fixes: 2bce1ebed17d ("macsec: fix refcnt leak in module exit routine")
Reported-by: syzbot+d0e94b65ac259c29ce7a@syzkaller.appspotmail.com
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/r/20220531074500.1272846-1-william.xuanziyang@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2022-06-01 12:01:47 +02:00
..
accessibility
acpi
Device properties framework updates for 5.19-rc1
2022-05-24 16:34:14 -07:00
amba
ARM: 9192/1: amba: fix memory leak in amba_device_try_add()
2022-05-20 12:32:31 +01:00
android
binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0
2022-04-22 17:22:51 +02:00
ata
ata changes for 5.19-rc1
2022-05-23 14:14:50 -07:00
atm
net: atm: remove support for ZeitNet ZN122x ATM devices
2022-04-27 12:22:56 +01:00
auxdisplay
auxdisplay: lcd2s: Use array size explicitly in lcd2s_gotoxy()
2022-03-18 20:31:14 +01:00
base
Device properties framework updates for 5.19-rc1
2022-05-24 16:34:14 -07:00
bcma
bcma: gpio: Switch to use fwnode instead of of_node
2022-05-09 14:41:43 +03:00
block
xen: branch for v5.19-rc1
2022-05-23 20:49:45 -07:00
bluetooth
Bluetooth: btmtksdio: fix the reset takes too long
2022-05-13 13:19:01 +02:00
bus
- Fix locking when accessing device MSI descriptors
2022-05-01 09:30:47 -07:00
cdrom
cdrom: remove obsolete TODO list
2022-05-15 18:31:28 -06:00
char
Fixes for IPMI
2022-05-24 14:50:54 -07:00
clk
clk: at91: generated: consider range when calculating best rate
2022-05-17 12:41:07 -07:00
clocksource
clocksource/drivers: Add a goldfish-timer clocksource
2022-04-11 11:48:01 +02:00
comedi
connector
counter
Char/Misc and other driver updates for 5.18-rc1
2022-03-28 12:27:35 -07:00
cpufreq
Merge branches 'pm-em' and 'pm-cpuidle'
2022-05-23 19:18:51 +02:00
cpuidle
Merge branches 'pm-em' and 'pm-cpuidle'
2022-05-23 19:18:51 +02:00
crypto
crypto: caam - add in-kernel interface for blob generator
2022-05-23 18:47:50 +03:00
cxl
cxl/pci: Drop shadowed variable
2022-04-08 12:59:43 -07:00
dax
dax for 5.18
2022-03-24 18:12:09 -07:00
dca
devfreq
PM / devfreq: passive: Return non-error when not-supported event is required
2022-05-19 19:32:19 +02:00
dio
dma
dmaengine: idxd: skip clearing device context when device is read-only
2022-04-20 17:24:43 +05:30
dma-buf
dma-buf: ensure unique directory name for dmabuf stats
2022-05-13 13:35:10 +02:00
edac
- A gargen variety of fixes which don't fit any other tip bucket:
2022-05-23 19:32:59 -07:00
eisa
extcon
firewire
firewire: core: extend card->lock in fw_core_handle_bus_reset
2022-04-25 08:01:09 +02:00
firmware
Networking changes for 5.19.
2022-05-25 12:22:58 -07:00
fpga
fsi
gnss
gpio
Updates for interrupt core and drivers:
2022-05-23 16:58:49 -07:00
gpu
Page cache changes for 5.19
2022-05-24 19:55:07 -07:00
greybus
hid
for-linus-2022052401
2022-05-24 15:21:15 -07:00
hsi
hv
hyperv-fixes for 5.18-rc2
2022-04-07 06:35:34 -10:00
hwmon
hwmon: (aquacomputer_d5next) Fix an error handling path in aqc_probe()
2022-05-22 12:25:55 -07:00
hwspinlock
hwspinlock: sprd: Use struct_size() helper in devm_kzalloc()
2022-03-11 14:56:57 -06:00
hwtracing
Char/Misc and other driver updates for 5.18-rc1
2022-03-28 12:27:35 -07:00
i2c
drivers: i2c: thunderx: Allow driver to work with ACPI defined TWSI controllers
2022-05-21 13:41:28 +02:00
i3c
idle
intel_idle: Add AlderLake support
2022-04-28 14:50:09 +02:00
iio
Thermal control updates for 5.19-rc1
2022-05-24 16:19:30 -07:00
infiniband
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2022-05-12 16:15:30 -07:00
input
Input updates for v5.18-rc7
2022-05-21 13:58:43 -10:00
interconnect
interconnect: Restore sync state by ignoring ipa-virt in provider count
2022-05-03 22:24:21 +03:00
iommu
iommu: Make sysfs robust for non-API groups
2022-05-04 15:13:39 +02:00
ipack
irqchip
irqchip updates for 5.19:
2022-05-20 18:48:54 +02:00
isdn
net: remove noblock parameter from skb_recv_datagram()
2022-04-06 13:45:26 +01:00
leds
LED updates for 5.18-rc1. Nothing major here, there are two drivers
2022-03-27 14:09:48 -07:00
macintosh
mailbox
mailbox: ti-msgmgr: Operate mailbox in polled mode during system suspend
2022-03-12 19:33:30 -06:00
mcb
md
for-5.19/drivers-2022-05-22
2022-05-23 14:04:14 -07:00
media
Networking changes for 5.19.
2022-05-25 12:22:58 -07:00
memory
memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode
2022-04-21 17:00:24 +02:00
memstick
message
scsi: message: fusion: Remove redundant variable dmp
2022-04-06 22:28:07 -04:00
mfd
- New Drivers
2022-03-25 13:56:18 -07:00
misc
kernel-hardening updates for v5.19-rc1
2022-05-24 12:27:09 -07:00
mmc
MMC core:
2022-05-24 14:56:38 -07:00
most
mtd
spi: Updates for v5.19
2022-05-24 15:13:30 -07:00
mux
net
macsec: fix UAF bug for real_dev
2022-06-01 12:01:47 +02:00
nfc
NFC: hci: fix sleep in atomic context bugs in nfc_hci_hcp_message_tx
2022-05-19 17:54:02 -07:00
ntb
nubus
nvdimm
libnvdimm for 5.18
2022-03-30 10:04:11 -07:00
nvme
for-5.19/drivers-2022-05-22
2022-05-23 14:04:14 -07:00
nvmem
nvmem: brcm_nvram: parse NVRAM content into NVMEM cells
2022-03-18 14:08:36 +01:00
of
Device properties framework updates for 5.19-rc1
2022-05-24 16:34:14 -07:00
opp
PM: EM: Change the order of arguments in the .active_power() callback
2022-04-13 16:26:17 +02:00
parisc
parisc: Fix CPU affinity for Lasi, WAX and Dino chips
2022-03-29 21:37:12 +02:00
parport
parport_pc: Also enable driver for PCI systems
2022-03-18 14:01:41 +01:00
pci
ACPI updates for 5.19-rc1
2022-05-24 15:46:55 -07:00
pcmcia
peci
perf
arm64 updates for 5.19:
2022-05-23 21:06:11 -07:00
phy
phy: amlogic: fix error path in phy_g12a_usb3_pcie_probe()
2022-04-20 14:42:44 +05:30
pinctrl
Updates for interrupt core and drivers:
2022-05-23 16:58:49 -07:00
platform
platform/x86/intel/ifs: Add CPU_SUP_INTEL dependency
2022-05-19 19:46:25 +02:00
pnp
PNP update for 5.18-rc1
2022-03-21 14:46:01 -07:00
power
power: supply: Reset err after not finding static battery
2022-04-13 12:05:22 +02:00
powercap
Merge branches 'pm-em' and 'pm-cpuidle'
2022-05-23 19:18:51 +02:00
pps
pps: generators: pps_gen_parport: Switch to use module_parport_driver()
2022-03-18 14:01:19 +01:00
ps3
ptp
ptp: ptp_clockmatrix: fix is_single_shot
2022-05-25 21:51:32 -07:00
pwm
rapidio
ras
regulator
Merge remote-tracking branch 'regulator/for-5.19' into regulator-next
2022-05-17 16:59:05 +01:00
remoteproc
remoteproc updates for v5.18
2022-03-30 10:50:48 -07:00
reset
reset: tegra-bpmp: Restore Handle errors in BPMP response
2022-04-04 11:14:13 +02:00
rpmsg
rpmsg: ctrl: Introduce new RPMSG_CREATE/RELEASE_DEV_IOCTL controls
2022-03-13 11:49:53 -05:00
rtc
m68k updates for v5.19
2022-05-23 20:56:17 -07:00
s390
Networking changes for 5.19.
2022-05-25 12:22:58 -07:00
sbus
scsi
Networking changes for 5.19.
2022-05-25 12:22:58 -07:00
sh
siox
slimbus
slimbus: qcom: Fix IRQ check in qcom_slim_probe
2022-05-09 16:00:20 +02:00
soc
Update devfreq next for v5.19
2022-05-18 20:55:34 +02:00
soundwire
Char/Misc and other driver updates for 5.18-rc1
2022-03-28 12:27:35 -07:00
spi
spi: Updates for v5.19
2022-05-24 15:13:30 -07:00
spmi
ssb
ssb: remove unreachable code
2022-05-11 08:29:11 +03:00
staging
Networking changes for 5.19.
2022-05-25 12:22:58 -07:00
target
for-5.19/block-2022-05-22
2022-05-23 13:56:39 -07:00
tc
tee
tee: optee: add missing mutext_destroy in optee_ffa_probe
2022-04-05 08:56:26 +02:00
thermal
Thermal control updates for 5.19-rc1
2022-05-24 16:19:30 -07:00
thunderbolt
thunderbolt: test: use NULL macros
2022-04-04 14:29:13 -06:00
tty
printk changes for 5.19
2022-05-25 10:32:08 -07:00
uio
usb
xen/usbfront: use xenbus_setup_ring() and xenbus_teardown_ring()
2022-05-19 14:22:05 +02:00
vdpa
vdpa/mlx5: Use consistent RQT size
2022-05-18 12:31:31 -04:00
vfio
vfio/pci: Fix vf_token mechanism when device-specific VF drivers are used
2022-04-13 11:37:44 -06:00
vhost
Fix double fget() in vhost_net_set_backend()
2022-05-18 12:33:51 -04:00
video
Merge remote-tracking branch 'drm/drm-fixes' into drm-misc-fixes
2022-05-11 20:22:22 +02:00
virt
AMD SEV-SNP support
2022-05-23 17:38:01 -07:00
virtio
virtio: fixes, cleanups
2022-04-05 10:40:52 -07:00
visorbus
vlynq
vme
w1
w1: w1_therm: Add support for Maxim MAX31850 thermoelement IF.
2022-03-18 14:07:09 +01:00
watchdog
linux-watchdog 5.18-rc1 tag
2022-03-31 14:14:03 -07:00
xen
xen: add support for initializing xenstore later as HVM domain
2022-05-19 14:44:08 +02:00
zorro
Kconfig
Makefile