linux/drivers
Shigeru Yoshida 5f442e1d40 net: tun: Fix use-after-free in tun_detach()
[ Upstream commit 5daadc86f2 ]

syzbot reported a use-after-free in tun_detach() [1].  This causes a call
trace like the one below:

==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673

CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
 netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
 __fput+0x27c/0xa90 fs/file_table.c:320
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xb3d/0x2a30 kernel/exit.c:820
 do_group_exit+0xd4/0x2a0 kernel/exit.c:950
 get_signal+0x21b1/0x2440 kernel/signal.c:2858
 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The cause of the issue is that sock_put() from __tun_detach() drops
last reference count for struct net, and then notifier_call_chain()
from netdev_state_change() accesses that struct net.

This patch fixes the issue by calling sock_put() from tun_detach()
after all necessary accesses to the struct net have been done.

Fixes: 83c1f36f98 ("tun: send netlink notification when the device is modified")
Reported-by: syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Link: https://lore.kernel.org/r/20221124175134.1589053-1-syoshida@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-08 11:23:56 +01:00
accessibility speakup: fix a segfault caused by switching consoles 2022-11-25 17:45:50 +01:00
acpi ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init() 2022-11-10 18:14:22 +01:00
amba
android binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 2022-12-02 17:40:04 +01:00
ata ata: libata-core: do not issue non-internal commands once EH is pending 2022-12-02 17:39:57 +01:00
atm atm: idt77252: fix use-after-free bugs caused by tst_timer 2022-08-25 11:38:02 +02:00
auxdisplay
base PM: domains: Fix handling of unavailable/disabled idle states 2022-11-03 23:57:53 +09:00
bcma
block drbd: use after free in drbd_create_device() 2022-11-25 17:45:47 +01:00
bluetooth Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure 2022-10-26 13:25:21 +02:00
bus bus: sunxi-rsb: Support atomic transfers 2022-12-02 17:39:59 +01:00
cdrom
char hwrng: imx-rngc - Moving IRQ handler registering after imx_rngc_irq_mask_clear() 2022-10-26 13:25:41 +02:00
clk ARM: at91: rm9200: fix usb device clock id 2022-12-08 11:23:54 +01:00
clocksource clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() 2022-07-07 17:52:23 +02:00
connector
counter counter: microchip-tcb-capture: Handle Signal1 read and Synapse 2022-11-03 23:57:50 +09:00
cpufreq cpufreq: qcom: fix memory leak in error path 2022-10-30 09:41:15 +01:00
cpuidle
crypto crypto: cavium - prevent integer overflow loading firmware 2022-10-26 13:25:43 +02:00
dax devdax: Fix soft-reservation memory description 2022-09-28 11:10:41 +02:00
dca
devfreq PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events 2022-07-07 17:52:18 +02:00
dio
dma dmaengine: at_hdmac: Check return code of dma_async_device_register 2022-11-16 09:57:20 +01:00
dma-buf dma-buf: fix racing conflict of dma_heap_add() 2022-12-02 17:40:01 +01:00
edac EDAC/ghes: Set the DIMM label unconditionally 2022-08-03 12:00:50 +02:00
eisa
extcon extcon: Modify extcon device to be created after driver data is set 2022-06-14 18:32:43 +02:00
firewire firewire: core: extend card->lock in fw_core_handle_bus_reset 2022-05-12 12:25:32 +02:00
firmware firmware: coreboot: Register bus in module init 2022-11-25 17:45:53 +01:00
fpga fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() 2022-10-26 13:25:33 +02:00
fsi fsi: core: Check error number after calling ida_simple_get 2022-10-26 13:25:38 +02:00
gnss
gpio gpiolib: cdev: Set lineevent_state::irq after IRQ register successfully 2022-09-28 11:10:27 +02:00
gpu drm/amdgpu: Partially revert "drm/amdgpu: update drm_display_info correctly when the edid is read" 2022-12-08 11:23:54 +01:00
greybus
hid HID: hyperv: fix possible memory leak in mousevsc_probe() 2022-11-16 09:57:08 +01:00
hsi HSI: omap_ssi_port: Fix dma_map_sg error check 2022-10-26 13:25:32 +02:00
hv Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register() 2022-12-02 17:40:00 +01:00
hwmon hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails 2022-12-08 11:23:55 +01:00
hwspinlock hwspinlock: qcom: correct MMIO max register for newer SoCs 2022-11-16 09:57:07 +01:00
hwtracing coresight: cti: Fix hang in cti_disable_hw() 2022-11-10 18:14:25 +01:00
i2c i2c: i801: add lis3lv02d's I2C address for Vostro 5568 2022-11-25 17:45:40 +01:00
i3c
ide
idle intel_idle: Disable IBRS during long idle 2022-07-25 11:26:43 +02:00
iio iio: light: rpr0521: add missing Kconfig dependencies 2022-12-08 11:23:54 +01:00
infiniband RDMA/qedr: clean up work queue on failure in qedr_alloc_resources() 2022-11-10 18:14:17 +01:00
input Input: soc_button_array - add Acer Switch V 10 to dmi_use_low_level_irq[] 2022-12-02 17:40:05 +01:00
interconnect interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate 2022-09-28 11:10:28 +02:00
iommu iommu/vt-d: Set SRE bit only when hardware has SRS cap 2022-11-25 17:45:53 +01:00
ipack
irqchip irqchip/gic-v3: Always trust the managed affinity provided by the core code 2022-12-02 17:40:06 +01:00
isdn mISDN: fix misuse of put_device() in mISDN_register_device() 2022-11-25 17:45:46 +01:00
leds leds: lm3601x: Don't use mutex after it was destroyed 2022-10-26 13:25:18 +02:00
lightnvm lightnvm: disable the subsystem 2022-05-09 09:04:56 +02:00
macintosh macintosh/adb: fix oob read in do_adb_query() function 2022-08-11 13:06:47 +02:00
mailbox mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg 2022-10-26 13:25:40 +02:00
mcb
md dm integrity: clear the journal on suspend 2022-12-02 17:40:05 +01:00
media media: dvb-frontends/drxk: initialize err to 0 2022-11-10 18:14:22 +01:00
memory memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings() 2022-10-26 13:25:28 +02:00
memstick memstick/ms_block: Fix a memory leak 2022-08-21 15:15:58 +02:00
message
mfd mtd: spi-nor: intel-spi: Disable write protection only if asked 2022-11-25 17:45:41 +01:00
misc misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() 2022-11-25 17:45:54 +01:00
mmc mmc: sdhci-brcmstb: Fix SDHCI_RESET_ALL for CQHCI 2022-12-02 17:40:03 +01:00
most
mtd spi: intel: Use correct mask for flash and protected regions 2022-11-25 17:45:41 +01:00
mux
net net: tun: Fix use-after-free in tun_detach() 2022-12-08 11:23:56 +01:00
nfc nfc: st-nci: fix memory leaks in EVT_TRANSACTION 2022-12-02 17:40:02 +01:00
ntb NTB: ntb_tool: uninitialized heap data in tool_fn_write() 2022-08-25 11:38:01 +02:00
nubus
nvdimm nvdimm: Fix badblocks clear off-by-one error 2022-07-07 17:52:15 +02:00
nvme nvme-pci: add NVME_QUIRK_BOGUS_NID for Micron Nitro 2022-12-02 17:39:57 +01:00
nvmem
of of: property: decrement node refcount in of_fwnode_get_reference_args() 2022-12-08 11:23:55 +01:00
opp opp: Fix error check in dev_pm_opp_attach_genpd() 2022-08-21 15:16:04 +02:00
oprofile
parisc parisc: Export iosapic_serial_irq() symbol for serial port driver 2022-11-10 18:14:27 +01:00
parport parport_pc: Avoid FIFO port location truncation 2022-11-25 17:45:44 +01:00
pci PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge 2022-10-26 13:25:11 +02:00
pcmcia pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards 2022-06-14 18:32:30 +02:00
perf perf/arm_pmu_platform: fix tests for platform_get_irq() failure 2022-09-20 12:38:32 +02:00
phy phy: stm32: fix an error code in probe 2022-11-16 09:57:08 +01:00
pinctrl pinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_map 2022-11-25 17:45:44 +01:00
platform platform/x86: hp-wmi: Ignore Smart Experience App event 2022-12-02 17:40:05 +01:00
pnp
power power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() 2022-10-26 13:25:52 +02:00
powercap powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue 2022-10-26 13:25:44 +02:00
pps
ps3
ptp
pwm pwm: lpc18xx-sct: Convert to devm_platform_ioremap_resource() 2022-08-21 15:15:37 +02:00
rapidio
ras
regulator regulator: twl6030: re-add TWL6032_SUBCLASS 2022-12-02 17:40:01 +01:00
remoteproc remoteproc: sysmon: Wait for SSCTL service to come up 2022-08-21 15:16:08 +02:00
reset reset: imx7: Fix the iMX8MP PCIe PHY PERST support 2022-10-05 10:38:40 +02:00
rpmsg rpmsg: qcom: glink: replace strncpy() with strscpy_pad() 2022-10-15 07:55:54 +02:00
rtc rtc: mt6397: check return value after calling platform_get_resource() 2022-06-14 18:32:33 +02:00
s390 s390/dasd: fix no record found for raw_track_access 2022-12-02 17:40:02 +01:00
sbus
scsi scsi: storvsc: Fix handling of srb_status and capacity change events 2022-12-02 17:39:59 +01:00
sfi
sh
siox siox: fix possible memory leak in siox_device_add() 2022-11-25 17:45:44 +01:00
slimbus slimbus: stream: correct presence rate frequencies 2022-11-25 17:45:50 +01:00
soc soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA 2022-10-26 13:25:29 +02:00
soundwire soundwire: intel: fix error handling on dai registration issues 2022-10-26 13:25:53 +02:00
spi spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input clock 2022-12-08 11:23:54 +01:00
spmi spmi: pmic-arb: correct duplicate APID to PPID mapping logic 2022-10-26 13:25:39 +02:00
ssb
staging media: meson: vdec: fix possible refcount leak in vdec_probe() 2022-11-10 18:14:22 +01:00
target scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() 2022-11-25 17:45:55 +01:00
tc
tee tee: optee: fix possible memory leak in optee_register_device() 2022-12-02 17:39:59 +01:00
thermal thermal: intel_powerclamp: Use first online CPU as control_cpu 2022-10-26 13:25:56 +02:00
thunderbolt thunderbolt: Explicitly enable lane adapter hotplug events at startup 2022-10-26 13:25:16 +02:00
tty serial: 8250: 8250_omap: Avoid RS485 RTS glitch on ->set_termios() 2022-12-02 17:40:05 +01:00
uio
usb usb: dwc3: gadget: Clear ep descriptor last 2022-12-02 17:40:04 +01:00
vdpa vdpasim: allow to enable a vq repeatedly 2022-06-09 10:21:29 +02:00
vfio vfio/type1: fix vaddr_get_pfns() return in vfio_pin_page_external() 2022-09-28 11:10:38 +02:00
vhost vhost/vsock: Use kvmalloc/kvfree for larger packets. 2022-10-26 13:25:22 +02:00
video fbdev: stifb: Fall back to cfb_fillrect() on 32-bit HCRX cards 2022-11-10 18:14:21 +01:00
virt vboxguest: Do not use devm for irq 2022-08-25 11:38:14 +02:00
virtio virtio_mmio: Restore guest page size on resume 2022-07-21 21:20:13 +02:00
visorbus
vlynq
vme
w1
watchdog watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() 2022-08-21 15:16:10 +02:00
xen xen/platform-pci: add missing free_irq() in error path 2022-12-02 17:40:05 +01:00
zorro
Kconfig
Makefile