Re: [PATCH] tun: avoid double free in tun_free_netdev

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: George Kennedy <george.kennedy@oracle.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] tun: avoid double free in tun_free_netdev
Date: Wed, 8 Dec 2021 16:40:44 +0100	[thread overview]
Message-ID: <YbDR/JStiIco3HQS@kroah.com> (raw)
In-Reply-To: <1638974605-24085-1-git-send-email-george.kennedy@oracle.com>

On Wed, Dec 08, 2021 at 09:43:25AM -0500, George Kennedy wrote:
> Avoid double free in tun_free_netdev() by clearing tun->security
> after free and using it to indicate that free has already been done.
> 
> BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
> 
> CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
> Hardware name: Red Hat KVM, BIOS
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
>  print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
>  kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
>  ____kasan_slab_free mm/kasan/common.c:346 [inline]
>  __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
>  kasan_slab_free include/linux/kasan.h:235 [inline]
>  slab_free_hook mm/slub.c:1723 [inline]
>  slab_free_freelist_hook mm/slub.c:1749 [inline]
>  slab_free mm/slub.c:3513 [inline]
>  kfree+0xac/0x2d0 mm/slub.c:4561
>  selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
>  security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
>  tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
>  netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
>  rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
>  __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
>  tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:874 [inline]
>  __se_sys_ioctl fs/ioctl.c:860 [inline]
>  __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> Reported-by: syzkaller <syzkaller@googlegroups.com>
> Signed-off-by: George Kennedy <george.kennedy@oracle.com>
> ---
>  drivers/net/tun.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 1572878..617c71f 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2212,7 +2212,10 @@ static void tun_free_netdev(struct net_device *dev)
>  	dev->tstats = NULL;
>  
>  	tun_flow_uninit(tun);
> -	security_tun_dev_free_security(tun->security);
> +	if (tun->security) {
> +		security_tun_dev_free_security(tun->security);
> +		tun->security = NULL;
> +	}
>  	__tun_set_ebpf(tun, &tun->steering_prog, NULL);
>  	__tun_set_ebpf(tun, &tun->filter_prog, NULL);
>  }
> @@ -2779,7 +2782,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
>  
>  err_free_flow:
>  	tun_flow_uninit(tun);
> -	security_tun_dev_free_security(tun->security);
> +	if (tun->security) {
> +		security_tun_dev_free_security(tun->security);
> +		/* Let tun_free_netdev() know the free has already been done. */
> +		tun->security = NULL;

What protects this from racing with tun_free_netdev()?

And why can't security_tun_dev_free_security() handle a NULL value?

thanks,

greg k-h

next prev parent reply	other threads:[~2021-12-08 15:40 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-08 14:43 [PATCH] tun: avoid double free in tun_free_netdev George Kennedy
2021-12-08 15:40 ` Greg KH [this message]
2021-12-08 16:29   ` George Kennedy
2021-12-08 16:33     ` Greg KH
2021-12-08 16:36     ` Stephen Hemminger
2021-12-08 16:44       ` George Kennedy
2021-12-08 23:58         ` Jakub Kicinski
2021-12-09 20:26           ` George Kennedy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YbDR/JStiIco3HQS@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=george.kennedy@oracle.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).