Xuan Zhuo 5acc7d3e8d xdp, net: Fix use-after-free in bpf_xdp_link_release ...

The problem occurs between dev_get_by_index() and dev_xdp_attach_link().
At this point, dev_xdp_uninstall() is called. Then xdp link will not be
detached automatically when dev is released. But link->dev already
points to dev, when xdp link is released, dev will still be accessed,
but dev has been released.

dev_get_by_index()        |
link->dev = dev           |
                          |      rtnl_lock()
                          |      unregister_netdevice_many()
                          |          dev_xdp_uninstall()
                          |      rtnl_unlock()
rtnl_lock();              |
dev_xdp_attach_link()     |
rtnl_unlock();            |
                          |      netdev_run_todo() // dev released
bpf_xdp_link_release()    |
    /* access dev.        |
       use-after-free */  |

[   45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0
[   45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732
[   45.968297]
[   45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22
[   45.969222] Hardware name: linux,dummy-virt (DT)
[   45.969795] Call trace:
[   45.970106]  dump_backtrace+0x0/0x4c8
[   45.970564]  show_stack+0x30/0x40
[   45.970981]  dump_stack_lvl+0x120/0x18c
[   45.971470]  print_address_description.constprop.0+0x74/0x30c
[   45.972182]  kasan_report+0x1e8/0x200
[   45.972659]  __asan_report_load8_noabort+0x2c/0x50
[   45.973273]  bpf_xdp_link_release+0x3b8/0x3d0
[   45.973834]  bpf_link_free+0xd0/0x188
[   45.974315]  bpf_link_put+0x1d0/0x218
[   45.974790]  bpf_link_release+0x3c/0x58
[   45.975291]  __fput+0x20c/0x7e8
[   45.975706]  ____fput+0x24/0x30
[   45.976117]  task_work_run+0x104/0x258
[   45.976609]  do_notify_resume+0x894/0xaf8
[   45.977121]  work_pending+0xc/0x328
[   45.977575]
[   45.977775] The buggy address belongs to the page:
[   45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998
[   45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)
[   45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000
[   45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   45.982259] page dumped because: kasan: bad access detected
[   45.982948]
[   45.983153] Memory state around the buggy address:
[   45.983753]  ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.984645]  ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   45.986419]                                               ^
[   45.987112]  ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   45.988006]  ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   45.988895] ==================================================================
[   45.989773] Disabling lock debugging due to kernel taint
[   45.990552] Kernel panic - not syncing: panic_on_warn set ...
[   45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G    B             5.13.0+ #22
[   45.991929] Hardware name: linux,dummy-virt (DT)
[   45.992448] Call trace:
[   45.992753]  dump_backtrace+0x0/0x4c8
[   45.993208]  show_stack+0x30/0x40
[   45.993627]  dump_stack_lvl+0x120/0x18c
[   45.994113]  dump_stack+0x1c/0x34
[   45.994530]  panic+0x3a4/0x7d8
[   45.994930]  end_report+0x194/0x198
[   45.995380]  kasan_report+0x134/0x200
[   45.995850]  __asan_report_load8_noabort+0x2c/0x50
[   45.996453]  bpf_xdp_link_release+0x3b8/0x3d0
[   45.997007]  bpf_link_free+0xd0/0x188
[   45.997474]  bpf_link_put+0x1d0/0x218
[   45.997942]  bpf_link_release+0x3c/0x58
[   45.998429]  __fput+0x20c/0x7e8
[   45.998833]  ____fput+0x24/0x30
[   45.999247]  task_work_run+0x104/0x258
[   45.999731]  do_notify_resume+0x894/0xaf8
[   46.000236]  work_pending+0xc/0x328
[   46.000697] SMP: stopping secondary CPUs
[   46.001226] Dumping ftrace buffer:
[   46.001663]    (ftrace buffer empty)
[   46.002110] Kernel Offset: disabled
[   46.002545] CPU features: 0x00000001,23202c00
[   46.003080] Memory Limit: none

Fixes: aa8d3a716b59db6c ("bpf, xdp: Add bpf_link-based XDP attachment API")
Reported-by: Abaci <abaci@linux.alibaba.com>
Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20210710031635.41649-1-xuanzhuo@linux.alibaba.com

2021-07-13 08:22:31 -07:00

..

bpf_sk_storage.c

bpf: Use struct_size() in kzalloc()

2021-05-13 15:58:00 -07:00

datagram.c

udp: fix skb_copy_and_csum_datagram with odd segment sizes

2021-02-04 18:56:56 -08:00

datagram.h

…

dev_addr_lists.c

net: core: Correct function name dev_uc_flush() in the kerneldoc

2021-03-28 17:56:56 -07:00

dev_ioctl.c

net: fix dev_ifsioc_locked() race condition

2021-02-11 18:14:19 -08:00

dev.c

xdp, net: Fix use-after-free in bpf_xdp_link_release

2021-07-13 08:22:31 -07:00

devlink.c

devlink: Protect rate list with lock while switching modes

2021-06-23 15:46:25 -07:00

drop_monitor.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2021-03-25 15:31:22 -07:00

dst_cache.c

…

dst.c

net, bpf: Fix ip6ip6 crash with collect_md populated skbs

2021-03-10 12:24:18 -08:00

failover.c

…

fib_notifier.c

net: fib_notifier: propagate extack down to the notifier block callback

2019-10-04 11:10:56 -07:00

fib_rules.c

fib: Return the correct errno code

2021-06-03 15:13:56 -07:00

filter.c

Networking changes for 5.14.

2021-06-30 15:51:09 -07:00

flow_dissector.c

net: flow_dissector: fix RPS on DSA masters

2021-06-14 13:15:22 -07:00

flow_offload.c

net: flow_offload: Fix memory leak for indirect flow block

2020-12-09 16:08:33 -08:00

gen_estimator.c

net_sched: gen_estimator: support large ewma log

2021-01-15 18:11:06 -08:00

gen_stats.c

docs: networking: convert gen_stats.txt to ReST

2020-04-28 14:39:46 -07:00

gro_cells.c

gro_cells: reduce number of synchronize_net() calls

2020-11-25 11:28:12 -08:00

hwbm.c

…

link_watch.c

net: Add IF_OPER_TESTING

2020-04-20 12:43:24 -07:00

lwt_bpf.c

lwt_bpf: Replace preempt_disable() with migrate_disable()

2020-12-07 11:53:40 -08:00

lwtunnel.c

net: ipv6: add rpl sr tunnel

2020-03-29 22:30:57 -07:00

Makefile

net: selftest: fix build issue if INET is disabled

2021-04-28 14:06:45 -07:00

neighbour.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2021-06-18 19:47:02 -07:00

net_namespace.c

net: inline function get_net_ns_by_fd if NET_NS is disabled

2021-06-15 11:00:45 -07:00

net-procfs.c

net: move the ptype_all and ptype_base declarations to include/linux/netdevice.h

2021-03-22 13:14:45 -07:00

net-sysfs.c

net-sysfs: remove possible sleep from an RCU read-side critical section

2021-03-22 13:28:13 -07:00

net-sysfs.h

net-sysfs: add netdev_change_owner()

2020-02-26 20:07:25 -08:00

net-traces.c

tcp: add tracepoint for checksum errors

2021-05-14 15:26:03 -07:00

netclassid_cgroup.c

net: Remove the err argument from sock_from_file

2020-12-04 22:32:40 +01:00

netevent.c

net: core: Correct function name netevent_unregister_notifier() in the kerneldoc

2021-03-28 17:56:56 -07:00

netpoll.c

netpoll: don't require irqs disabled in rt kernels

2021-06-01 15:15:11 -07:00

netprio_cgroup.c

net: Remove the err argument from sock_from_file

2020-12-04 22:32:40 +01:00

page_pool.c

page_pool: Allow drivers to hint on SKB recycling

2021-06-07 14:11:47 -07:00

pktgen.c

pktgen: add pktgen_handle_all_threads() for the same code

2021-06-07 13:15:31 -07:00

ptp_classifier.c

ptp: Add generic ptp v2 header parsing function

2020-08-19 16:07:49 -07:00

request_sock.c

tcp: add rcu protection around tp->fastopen_rsk

2019-10-13 10:13:08 -07:00

rtnetlink.c

net: say "local" instead of "static" addresses in ndo_dflt_fdb_{add,del}

2021-06-29 11:31:57 -07:00

scm.c

scm: fix a typo in put_cmsg()

2021-04-16 11:41:07 -07:00

secure_seq.c

crypto: lib/sha1 - remove unnecessary includes of linux/cryptohash.h

2020-05-08 15:32:17 +10:00

selftests.c

net: add generic selftest support

2021-04-20 16:08:02 -07:00

skbuff.c

skbuff: Release nfct refcount on napi stolen or re-used skbs

2021-07-06 10:26:29 -07:00

skmsg.c

skmsg: Increase sk->sk_drops when dropping packets

2021-06-21 16:48:44 +02:00

sock_diag.c

bpf, net: Rework cookie generator as per-cpu one

2020-09-30 11:50:35 -07:00

sock_map.c

bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc

2021-06-22 10:14:29 -07:00

sock_reuseport.c

tcp: Add stats for socket migration.

2021-06-23 12:56:08 -07:00

sock.c

sock: unlock on error in sock_setsockopt()

2021-07-07 20:49:12 -07:00

stream.c

tcp: make sure EPOLLOUT wont be missed

2019-08-19 13:07:43 -07:00

sysctl_net_core.c

net: change netdev_unregister_timeout_secs min value to 1

2021-03-25 17:24:06 -07:00

timestamping.c

net: Introduce a new MII time stamping interface.

2019-12-25 19:51:33 -08:00

tso.c

net: tso: add UDP segmentation support

2020-06-18 20:46:23 -07:00

utils.c

net: Fix skb->csum update in inet_proto_csum_replace16().

2020-01-24 20:54:30 +01:00

xdp.c

xdp: Move the rxq_info.mem clearing to unreg_mem_model()

2021-06-28 23:07:59 +02:00