[PATCH v2] genirq: Fix uaf issue in irq_find_at_or_after

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: dicken.ding <dicken.ding@mediatek.com>
To: Thomas Gleixner <tglx@linutronix.de>,
	Matthias Brugger <matthias.bgg@gmail.com>,
	AngeloGioacchino Del Regno
	<angelogioacchino.delregno@collabora.com>
Cc: <wsd_upstream@mediatek.com>, <hanks.chen@mediatek.com>,
	<ivan.tseng@mediatek.com>, <cheng-jui.wang@mediatek.com>,
	<linux-kernel@vger.kernel.org>,
	<linux-arm-kernel@lists.infradead.org>,
	<linux-mediatek@lists.infradead.org>,
	dicken.ding <dicken.ding@mediatek.com>
Subject: [PATCH v2] genirq: Fix uaf issue in irq_find_at_or_after
Date: Fri, 24 May 2024 17:17:39 +0800	[thread overview]
Message-ID: <20240524091739.31611-1-dicken.ding@mediatek.com> (raw)

irq_find_at_or_after() is at the risk of use-after-free due to lack of
any locks. irq_find_at_or_after() dereferences the interrupt descriptor
which is returned by mt_find() while neither holding sparse_irq_lock nor
RCU read lock, which means the descriptor can be freed between mt_find()
and the deference. Here is an example::

    CPU0                            CPU1
    mt_find()
                                    delayed_free_desc()
    irq_desc_get_irq()

The use-after-free issue is reported by KASAN, as shown in the following
log::

    Call trace:
     dump_backtrace+0xec/0x138
     show_stack+0x18/0x24
     dump_stack_lvl+0x50/0x6c
     print_report+0x1b0/0x714
     kasan_report+0xc4/0x124
     __do_kernel_fault+0xc0/0x368
     do_bad_area+0x30/0xdc
     do_tag_check_fault+0x20/0x34
     do_mem_abort+0x58/0x118
     el1_abort+0x3c/0x5c
     el1h_64_sync_handler+0x54/0x90
     el1h_64_sync+0x68/0x6c
     irq_get_next_irq+0x58/0x84
     show_stat+0x638/0x824
     seq_read_iter+0x158/0x4ec
     proc_reg_read_iter+0x94/0x12c
     vfs_read+0x1e0/0x2c8
     __arm64_sys_pread64+0x84/0xcc
     invoke_syscall+0x58/0x114
     el0_svc_common+0x80/0xe0
     do_el0_svc+0x1c/0x28
     el0_svc+0x38/0x68
     el0t_64_sync_handler+0x68/0xbc
     el0t_64_sync+0x1a8/0x1ac

    Freed by task 4471:
     kasan_save_stack+0x40/0x70
     save_stack_info+0x34/0x128
     kasan_save_free_info+0x18/0x28
     ____kasan_slab_free+0x254/0x25c
     __kasan_slab_free+0x10/0x20
     slab_free_freelist_hook+0x174/0x1e0
     __kmem_cache_free+0xa4/0x1dc
     kfree+0x64/0x128
     irq_kobj_release+0x28/0x3c
     kobject_put+0xcc/0x1e0
     delayed_free_desc+0x14/0x2c
     rcu_do_batch+0x214/0x720
     rcu_core+0x1b0/0x408
     rcu_core_si+0x10/0x20
     __do_softirq+0x154/0x470

Guard the access with a RCU read lock section.

Fixes: 721255b9826b ("genirq: Use a maple tree for interrupt descriptor management")
Signed-off-by: dicken.ding <dicken.ding@mediatek.com>
---
Changes since v1:
- Use guard(rcu)() to guard the access based on Thomas Gleixner's suggestion.
- Modify the commit message.
---
 kernel/irq/irqdesc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c
index 88ac3652fcf2..07e99c936ba5 100644
--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -160,7 +160,10 @@ static int irq_find_free_area(unsigned int from, unsigned int cnt)
 static unsigned int irq_find_at_or_after(unsigned int offset)
 {
 	unsigned long index = offset;
-	struct irq_desc *desc = mt_find(&sparse_irqs, &index, nr_irqs);
+	struct irq_desc *desc;
+
+	guard(rcu)();
+	desc = mt_find(&sparse_irqs, &index, nr_irqs);
 
 	return desc ? irq_desc_get_irq(desc) : nr_irqs;
 }
-- 
2.18.0

next             reply	other threads:[~2024-05-24  9:17 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-05-24  9:17 dicken.ding [this message]
2024-05-24 10:57 ` [tip: irq/urgent] genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after() tip-bot2 for dicken.ding
2024-05-25 10:22   ` Markus Elfring

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:88ac3652fcf dfblob:07e99c936ba )
 OR (
bs:"[PATCH v2] genirq: Fix uaf issue in irq_find_at_or_after" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240524091739.31611-1-dicken.ding@mediatek.com \
    --to=dicken.ding@mediatek.com \
    --cc=angelogioacchino.delregno@collabora.com \
    --cc=cheng-jui.wang@mediatek.com \
    --cc=hanks.chen@mediatek.com \
    --cc=ivan.tseng@mediatek.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mediatek@lists.infradead.org \
    --cc=matthias.bgg@gmail.com \
    --cc=tglx@linutronix.de \
    --cc=wsd_upstream@mediatek.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox