From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com,
Ziyang Xuan <william.xuanziyang@huawei.com>,
Oleksij Rempel <o.rempel@pengutronix.de>,
Marc Kleine-Budde <mkl@pengutronix.de>
Subject: [PATCH 5.10 40/95] can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
Date: Mon, 25 Oct 2021 21:14:37 +0200 [thread overview]
Message-ID: <20211025191002.609165845@linuxfoundation.org> (raw)
In-Reply-To: <20211025190956.374447057@linuxfoundation.org>
From: Ziyang Xuan <william.xuanziyang@huawei.com>
commit d9d52a3ebd284882f5562c88e55991add5d01586 upstream.
It will trigger UAF for rx_kref of j1939_priv as following.
cpu0 cpu1
j1939_sk_bind(socket0, ndev0, ...)
j1939_netdev_start
j1939_sk_bind(socket1, ndev0, ...)
j1939_netdev_start
j1939_priv_set
j1939_priv_get_by_ndev_locked
j1939_jsk_add
.....
j1939_netdev_stop
kref_put_lock(&priv->rx_kref, ...)
kref_get(&priv->rx_kref, ...)
REFCOUNT_WARN("addition on 0;...")
====================================================
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
RIP: 0010:refcount_warn_saturate+0x169/0x1e0
Call Trace:
j1939_netdev_start+0x68b/0x920
j1939_sk_bind+0x426/0xeb0
? security_socket_bind+0x83/0xb0
The rx_kref's kref_get() and kref_put() should use j1939_netdev_lock to
protect.
Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/all/20210926104757.2021540-1-william.xuanziyang@huawei.com
Cc: stable@vger.kernel.org
Reported-by: syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/main.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -249,11 +249,14 @@ struct j1939_priv *j1939_netdev_start(st
struct j1939_priv *priv, *priv_new;
int ret;
- priv = j1939_priv_get_by_ndev(ndev);
+ spin_lock(&j1939_netdev_lock);
+ priv = j1939_priv_get_by_ndev_locked(ndev);
if (priv) {
kref_get(&priv->rx_kref);
+ spin_unlock(&j1939_netdev_lock);
return priv;
}
+ spin_unlock(&j1939_netdev_lock);
priv = j1939_priv_create(ndev);
if (!priv)
@@ -269,10 +272,10 @@ struct j1939_priv *j1939_netdev_start(st
/* Someone was faster than us, use their priv and roll
* back our's.
*/
+ kref_get(&priv_new->rx_kref);
spin_unlock(&j1939_netdev_lock);
dev_put(ndev);
kfree(priv);
- kref_get(&priv_new->rx_kref);
return priv_new;
}
j1939_priv_set(ndev, priv);
next prev parent reply other threads:[~2021-10-25 19:35 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-25 19:13 [PATCH 5.10 00/95] 5.10.76-rc1 review Greg Kroah-Hartman
2021-10-25 19:13 ` [PATCH 5.10 01/95] parisc: math-emu: Fix fall-through warnings Greg Kroah-Hartman
2021-10-25 19:13 ` [PATCH 5.10 02/95] xhci: add quirk for host controllers that dont update endpoint DCS Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 03/95] io_uring: fix splice_fd_in checks backport typo Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 04/95] arm: dts: vexpress-v2p-ca9: Fix the SMB unit-address Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 05/95] ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 06/95] block: decode QUEUE_FLAG_HCTX_ACTIVE in debugfs output Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 07/95] xen/x86: prevent PVH type from getting clobbered Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 08/95] drm/amdgpu/display: fix dependencies for DRM_AMD_DC_SI Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 09/95] xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 10/95] xtensa: xtfpga: Try software restart before simulating CPU reset Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 11/95] NFSD: Keep existing listeners on portlist error Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 12/95] netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 13/95] dma-debug: fix sg checks in debug_dma_map_sg() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 14/95] ASoC: wm8960: Fix clock configuration on slave mode Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 15/95] ice: fix getting UDP tunnel entry Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 16/95] netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 17/95] netfilter: ipvs: make global sysctl readonly in non-init netns Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 18/95] lan78xx: select CRC32 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 19/95] tcp: md5: Fix overlap between vrf and non-vrf keys Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 20/95] ipv6: When forwarding count rx stats on the orig netdev Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 21/95] net: dsa: lantiq_gswip: fix register definition Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 22/95] NIOS2: irqflags: rename a redefined register name Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 23/95] powerpc/smp: do not decrement idle task preempt count in CPU offline Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 24/95] net: hns3: reset DWRR of unused tc to zero Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 25/95] net: hns3: add limit ets dwrr bandwidth cannot be 0 Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 26/95] net: hns3: schedule the polling again when allocation fails Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 27/95] net: hns3: fix vf reset workqueue cannot exit Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 28/95] net: hns3: disable sriov before unload hclge layer Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 29/95] net: stmmac: Fix E2E delay mechanism Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 30/95] e1000e: Fix packet loss on Tiger Lake and later Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 31/95] ice: Add missing E810 device ids Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 32/95] drm/panel: ilitek-ili9881c: Fix sync for Feixin K101-IM2BYL02 panel Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 33/95] net: enetc: fix ethtool counter name for PM0_TERR Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 34/95] can: rcar_can: fix suspend/resume Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 35/95] can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 36/95] can: peak_pci: peak_pci_remove(): fix UAF Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 37/95] can: isotp: isotp_sendmsg(): fix return error on FC timeout on TX path Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 38/95] can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 39/95] can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer Greg Kroah-Hartman
2021-10-25 19:14 ` Greg Kroah-Hartman [this message]
2021-10-25 19:14 ` [PATCH 5.10 41/95] can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with error length Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 42/95] can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 43/95] ceph: skip existing superblocks that are blocklisted or shut down when mounting Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 44/95] ceph: fix handling of "meta" errors Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 45/95] ocfs2: fix data corruption after conversion from inline format Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 46/95] ocfs2: mount fails with buffer overflow in strlen Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 47/95] userfaultfd: fix a race between writeprotect and exit_mmap() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 48/95] elfcore: correct reference to CONFIG_UML Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 49/95] vfs: check fd has read access in kernel_read_file_from_fd() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 50/95] ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 51/95] ALSA: hda/realtek: Add quirk for Clevo PC50HS Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 52/95] ASoC: DAPM: Fix missing kctl change notifications Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 53/95] audit: fix possible null-pointer dereference in audit_filter_rules Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 54/95] net: dsa: mt7530: correct ds->num_ports Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 55/95] powerpc64/idle: Fix SP offsets when saving GPRs Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 56/95] KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 57/95] KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to guest Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 58/95] powerpc/idle: Dont corrupt back chain when going idle Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 59/95] mm, slub: fix mismatch between reconstructed freelist depth and cnt Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 60/95] mm, slub: fix potential memoryleak in kmem_cache_open() Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 61/95] mm, slub: fix incorrect memcg slab count for bulk free Greg Kroah-Hartman
2021-10-25 19:14 ` [PATCH 5.10 62/95] KVM: nVMX: promptly process interrupts delivered while in guest mode Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 63/95] nfc: nci: fix the UAF of rf_conn_info object Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 64/95] isdn: cpai: check ctr->cnr to avoid array index out of bound Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 65/95] netfilter: Kconfig: use default y instead of m for bool config option Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 66/95] selftests: netfilter: remove stray bash debug line Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 67/95] net: bridge: mcast: use multicast_membership_interval for IGMPv3 Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 68/95] drm: mxsfb: Fix NULL pointer dereference crash on unload Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 69/95] net: hns3: fix the max tx size according to user manual Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 70/95] gcc-plugins/structleak: add makefile var for disabling structleak Greg Kroah-Hartman
2021-10-25 20:56 ` Pavel Machek
2021-10-25 21:07 ` Brendan Higgins
2021-10-25 21:40 ` Pavel Machek
2021-10-25 19:15 ` [PATCH 5.10 71/95] ALSA: hda: intel: Allow repeatedly probing on codec configuration errors Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 72/95] btrfs: deal with errors when checking if a dir entry exists during log replay Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 73/95] net: stmmac: add support for dwmac 3.40a Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 74/95] ARM: dts: spear3xx: Fix gmac node Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 75/95] isdn: mISDN: Fix sleeping function called from invalid context Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 76/95] platform/x86: intel_scu_ipc: Update timeout value in comment Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 77/95] ALSA: hda: avoid write to STATESTS if controller is in reset Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 78/95] libperf tests: Fix test_stat_cpu Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 79/95] perf/x86/msr: Add Sapphire Rapids CPU support Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 80/95] Input: snvs_pwrkey - add clk handling Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 81/95] scsi: iscsi: Fix set_param() handling Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 82/95] scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 83/95] sched/scs: Reset the shadow stack when idle_task_exit Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 84/95] net: hns3: fix for miscalculation of rx unused desc Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 85/95] scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 86/95] can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg() Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 87/95] s390/pci: fix zpci_zdev_put() on reserve Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 88/95] bpf, test, cgroup: Use sk_{alloc,free} for test cases Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 89/95] usbnet: sanity check for maxpacket Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 90/95] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 91/95] tracing: Have all levels of checks prevent recursion Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 92/95] e1000e: Separate TGP board type from SPT Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 93/95] selftests: bpf: fix backported ASSERT_FALSE Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 94/95] ARM: 9122/1: select HAVE_FUTEX_CMPXCHG Greg Kroah-Hartman
2021-10-25 19:15 ` [PATCH 5.10 95/95] pinctrl: stm32: use valid pin identifier in stm32_pinctrl_resume() Greg Kroah-Hartman
2021-10-25 21:09 ` [PATCH 5.10 00/95] 5.10.76-rc1 review Florian Fainelli
2021-10-25 21:37 ` Pavel Machek
2021-10-26 0:59 ` Shuah Khan
2021-10-26 1:14 ` Fox Chen
2021-10-26 7:17 ` Naresh Kamboju
2021-10-26 9:16 ` Jon Hunter
2021-10-26 18:27 ` Sudip Mukherjee
2021-10-26 19:16 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211025191002.609165845@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkl@pengutronix.de \
--cc=o.rempel@pengutronix.de \
--cc=stable@vger.kernel.org \
--cc=syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com \
--cc=william.xuanziyang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox