Re: [syzbot] [net?] KASAN: slab-use-after-free Read in __ethtool_get_link_ksettings

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Hillf Danton <hdanton@sina.com>
To: Eric Dumazet <edumazet@google.com>
Cc: Denis Kirjanov <dkirjanov@suse.de>,
	syzbot <syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com>,
	linux-kernel@vger.kernel.org,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	Boqun Feng <boqun.feng@gmail.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in __ethtool_get_link_ksettings
Date: Mon, 30 Sep 2024 20:27:38 +0800	[thread overview]
Message-ID: <20240930122738.1668-1-hdanton@sina.com> (raw)
In-Reply-To: <CANn89iJwe-Q2Ve3O1OP4WTVuD6eawFvV+3eDvuvs4Xk=+j5yBg@mail.gmail.com>

On Mon, 30 Sep 2024 10:32:32 +0200 Eric Dumazet <edumazet@google.com>
> On Sun, Sep 29, 2024 at 1:46 PM Hillf Danton <hdanton@sina.com> wrote:
> > On Sat, 28 Sep 2024 20:21:12 +0800 Hillf Danton <hdanton@sina.com>
> > > On Mon, 25 Mar 2024 14:08:36 +0100 Eric Dumazet <edumazet@google.com>
> > > > On Mon, Mar 25, 2024 at 1:10 PM Denis Kirjanov <dkirjanov@suse.de> wrote:
> > > > >
> > > > > Hmm, report says that we have a net_device freed even that we have a dev_hold()
> > > > > before __ethtool_get_link_ksettings()
> > > >
> > > > dev_hold(dev) might be done too late, the device is already being dismantled.
> > > >
> > > > ib_device_get_netdev() should probably be done under RTNL locking,
> > > > otherwise the final part is racy :
> > > >
> > > > if (res && res->reg_state != NETREG_REGISTERED) {
> > > >      dev_put(res);
> > > >      return NULL;
> > > > }
> > >
> > > Given paranoia in netdev_run_todo(),
> > >
> > >               /* paranoia */
> > >               BUG_ON(netdev_refcnt_read(dev) != 1);
> > >
> > > the claim that dev_hold(dev) might be done too late could not explain
> > > the success of checking NETREG_REGISTERED, because of checking
> > > NETREG_UNREGISTERING after rcu barrier.
> > >
> > >       /* Wait for rcu callbacks to finish before next phase */
> > >       if (!list_empty(&list))
> > >               rcu_barrier();
> > >
> > >       list_for_each_entry_safe(dev, tmp, &list, todo_list) {
> > >               if (unlikely(dev->reg_state != NETREG_UNREGISTERING)) {
> > >                       netdev_WARN(dev, "run_todo but not unregistering\n");
> > >                       list_del(&dev->todo_list);
> > >                       continue;
> > >               }
> > >
> > As simply bumping kref up could survive the syzbot reproducer [1], Eric's reclaim
> > is incorrect.
> 
> I have about 50 different syzbot reports all pointing to netdevsim and
> sysfs buggy interaction.
> 
> We will see if you can fix all of them :)
>
Looks like something I know
[1] https://lore.kernel.org/all/20220819220827.1639-1-hdanton@sina.com/
[2] https://lore.kernel.org/all/20231011211846.1345-1-hdanton@sina.com/
[3] https://lore.kernel.org/all/20240719112012.1562-1-hdanton@sina.com/

BTW I won the 2020 google OSPB Award (How many cents did you donate that year?).

And my current target is the Independent Observer at the 2025 Linux Plumbers
Conference if the LT king thinks observers are welcome.

Now turn to uaf. As the netdev_hold() in ib_device_set_netdev() matches the
netdev_put() in free_netdevs(), in combination with the dev_hold() in
ib_device_get_netdev(), the syz report discovers a valid case where kref fails
to prevent netdev from being freed under feet, even given the paranoia
in netdev_run_todo().

Hillf

next prev parent reply	other threads:[~2024-09-30 12:33 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-22 20:10 [syzbot] [net?] KASAN: slab-use-after-free Read in __ethtool_get_link_ksettings syzbot
2024-03-25 12:09 ` Denis Kirjanov
2024-03-25 13:08   ` Eric Dumazet
2024-09-28 12:21     ` Hillf Danton
2024-09-29 11:46       ` Hillf Danton
2024-09-30  8:32         ` Eric Dumazet
2024-09-30 12:27           ` Hillf Danton [this message]
2024-09-27 18:26 ` syzbot
2024-10-08  1:44 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240930122738.1668-1-hdanton@sina.com \
    --to=hdanton@sina.com \
    --cc=boqun.feng@gmail.com \
    --cc=dkirjanov@suse.de \
    --cc=edumazet@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=syzbot+5fe14f2ff4ccbace9a26@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).