From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: YueHaibing <yuehaibing@huawei.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 32/33] mdio_bus: Fix use-after-free on device_register fails
Date: Wed, 13 Mar 2019 15:15:05 -0400
Message-ID: <20190313191506.159677-32-sashal@kernel.org>
In-Reply-To: <20190313191506.159677-1-sashal@kernel.org>
From: YueHaibing <yuehaibing@huawei.com>
[ Upstream commit 6ff7b060535e87c2ae14dd8548512abfdda528fb ]
KASAN has found a use-after-free in fixed_mdio_bus_init.
Commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call
put_device on device_register() failure") calls put_device()
when device_register() fails, giving up the last reference
to the device and allowing mdiobus_release to be executed,
kfreeing the bus. However, in most drivers, mdiobus_free
is called to free the bus when mdiobus_register fails.
A use-after-free occurs when the bus is accessed again;
this patch reverts it to let mdiobus_free free the bus.
KASAN report details as below:
BUG: KASAN: use-after-free in mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
Read of size 4 at addr ffff8881dc824d78 by task syz-executor.0/3524
CPU: 1 PID: 3524 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xfa/0x1ce lib/dump_stack.c:113
print_address_description+0x65/0x270 mm/kasan/report.c:187
kasan_report+0x149/0x18d mm/kasan/report.c:317
mdiobus_free+0x85/0x90 drivers/net/phy/mdio_bus.c:482
fixed_mdio_bus_init+0x283/0x1000 [fixed_phy]
? 0xffffffffc0e40000
? 0xffffffffc0e40000
? 0xffffffffc0e40000
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6215c19c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f6215c19c70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6215c1a6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
Allocated by task 3524:
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
kmalloc include/linux/slab.h:545 [inline]
kzalloc include/linux/slab.h:740 [inline]
mdiobus_alloc_size+0x54/0x1b0 drivers/net/phy/mdio_bus.c:143
fixed_mdio_bus_init+0x163/0x1000 [fixed_phy]
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 3524:
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
slab_free_hook mm/slub.c:1409 [inline]
slab_free_freelist_hook mm/slub.c:1436 [inline]
slab_free mm/slub.c:2986 [inline]
kfree+0xe1/0x270 mm/slub.c:3938
device_release+0x78/0x200 drivers/base/core.c:919
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:67 [inline]
kobject_put+0x146/0x240 lib/kobject.c:708
put_device+0x1c/0x30 drivers/base/core.c:2060
__mdiobus_register+0x483/0x560 drivers/net/phy/mdio_bus.c:382
fixed_mdio_bus_init+0x26b/0x1000 [fixed_phy]
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8881dc824c80
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 248 bytes inside of
2048-byte region [ffff8881dc824c80, ffff8881dc825480)
The buggy address belongs to the page:
page:ffffea0007720800 count:1 mapcount:0 mapping:ffff8881f6c02800 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 0000000000000000 0000000500000001 ffff8881f6c02800
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881dc824c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881dc824c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881dc824d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881dc824d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881dc824e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fixes: 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mdio_bus.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index 1ece41277993..c545fb1f82bd 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -347,7 +347,6 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
err = device_register(&bus->dev);
if (err) {
pr_err("mii_bus %s failed to register\n", bus->id);
- put_device(&bus->dev);
return -EINVAL;
}
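Review bot: with `put_device(&bus->dev);` removed from this error path, the reference that device_register() took on `bus->dev` is no longer dropped inside __mdiobus_register(), so correctness now rests on every caller pairing a failed mdiobus_register() with mdiobus_free(), as the commit message states; a one-line comment above `return -EINVAL;` saying the device is deliberately left referenced so that mdiobus_free() can release the bus would stop the next reader from re-adding the put_device() that 0c692d07842a introduced. It is also worth confirming in the message that mdiobus_free() frees a bus whose device was initialized but never registered without itself calling put_device() on it, since otherwise the kfree via mdiobus_release and the kfree in mdiobus_free() would both run. Minor: `return -EINVAL;` discards `err` from device_register(); returning `err` is pre-existing behaviour but would be the more informative choice if this path is being touched anyway.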
--
2.19.1