From: Simon Horman <horms@kernel.org>
To: Duoming Zhou <duoming@zju.edu.cn>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hams@vger.kernel.org, pabeni@redhat.com, kuba@kernel.org,
edumazet@google.com, davem@davemloft.net, jreuter@yaina.de
Subject: Re: [PATCH net] ax25: fix use-after-free bugs caused by ax25_ds_del_timer
Date: Wed, 27 Mar 2024 19:10:25 +0000 [thread overview]
Message-ID: <20240327191025.GU403975@kernel.org> (raw)
In-Reply-To: <20240326142542.118058-1-duoming@zju.edu.cn>
On Tue, Mar 26, 2024 at 10:25:42PM +0800, Duoming Zhou wrote:
> When the ax25 device is detaching, the ax25_dev_device_down()
> calls ax25_ds_del_timer() to cleanup the slave_timer. When
> the timer handler is running, the ax25_ds_del_timer() that
> calls del_timer() in it will return directly. As a result,
> the use-after-free bugs could happen, one of the scenarios
> is shown below:
>
> (Thread 1) | (Thread 2)
> | ax25_ds_timeout()
> ax25_dev_device_down() |
> ax25_ds_del_timer() |
> del_timer() |
> ax25_dev_put() //FREE |
> | ax25_dev-> //USE
>
> In order to mitigate bugs, when the device is detaching, use
> timer_shutdown_sync() to stop the timer.
FWIIW, in my reading of things there is another failure mode whereby
ax25_ds_timeout may rearm the timer after the call to del_timer() but
before the call to ax25_dev_put().
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> ---
> net/ax25/ax25_ds_timer.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/net/ax25/ax25_ds_timer.c b/net/ax25/ax25_ds_timer.c
> index c4f8adbf814..5624c0d174c 100644
> --- a/net/ax25/ax25_ds_timer.c
> +++ b/net/ax25/ax25_ds_timer.c
> @@ -43,7 +43,12 @@ void ax25_ds_setup_timer(ax25_dev *ax25_dev)
>
> void ax25_ds_del_timer(ax25_dev *ax25_dev)
> {
> - if (ax25_dev)
> + if (!ax25_dev)
> + return;
> +
> + if (!ax25_dev->device_up)
> + timer_shutdown_sync(&ax25_dev->dama.slave_timer);
> + else
> del_timer(&ax25_dev->dama.slave_timer);
> }
I think that a) it is always correct to call timer_shutdown_sync,
and b) ax25_dev->device_up is always true. So a call to
timer_shutdown_sync can simply replace the call to del_timer.
Also, not strictly related, I think ax25_dev cannot be NULL,
so that check could be dropped. But perhaps that is better left alone.
Zooming out a bit, has removal of ax25 been considered.
I didn't check the logs thoroughly, but I'm not convinced it's been
maintained - other than clean-ups and by-inspection bug fixes - since git
history began.
next prev parent reply other threads:[~2024-03-27 19:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-26 14:25 [PATCH net] ax25: fix use-after-free bugs caused by ax25_ds_del_timer Duoming Zhou
2024-03-27 19:10 ` Simon Horman [this message]
2024-03-28 5:34 ` duoming
2024-03-28 18:12 ` Simon Horman
2024-03-29 1:54 ` duoming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240327191025.GU403975@kernel.org \
--to=horms@kernel.org \
--cc=davem@davemloft.net \
--cc=duoming@zju.edu.cn \
--cc=edumazet@google.com \
--cc=jreuter@yaina.de \
--cc=kuba@kernel.org \
--cc=linux-hams@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.