--- /dev/null
+From cascardo@canonical.com Tue May 10 13:13:09 2022
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Mon, 2 May 2022 17:49:24 -0300
+Subject: net: sched: prevent UAF on tc_ctl_tfilter when temporarily dropping rtnl_lock
+To: stable@vger.kernel.org
+Cc: netdev@vger.kernel.org, kuba@kernel.org, davem@davemloft.net, jiri@resnulli.us, xiyou.wangcong@gmail.com, jhs@mojatatu.com, vladbu@mellanox.com, cascardo@canonical.com
+Message-ID: <20220502204924.3456590-1-cascardo@canonical.com>
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+When dropping the rtnl_lock for looking up for a module, the device may be
+removed, releasing the qdisc and class memory. Right after trying to load
+the module, cl_ops->put is called, leading to a potential use-after-free.
+
+Though commit e368fdb61d8e ("net: sched: use Qdisc rcu API instead of
+relying on rtnl lock") fixes this, it involves a lot of refactoring of the
+net/sched/ code, complicating its backport.
+
+This fix calls cl_ops->put before dropping rtnl_lock as it will be called
+either way, and zeroes it out so it won't be called again on the exit path.
+
+This has been shown to stop the following KASAN report with the reproducer:
+
+[ 256.609111] ==================================================================
+[ 256.609585] BUG: KASAN: use-after-free in cbq_put+0x20/0xd0 at addr ffff880021daaba0
+[ 256.610078] Read of size 4 by task total_cbq/11184
+[ 256.610380] CPU: 0 PID: 11184 Comm: total_cbq Not tainted 4.9.311 #78
+[ 256.610778] ffff8800215875a8 ffffffff96e18735 ffff880024803080 ffff880021daaa80
+[ 256.611274] ffff8800215875d0 ffffffff96334841 ffffed00043b5574 ffffed00043b5574
+[ 256.611768] ffff880024803080 ffff880021587658 ffffffff96334af8 0000000000000000
+[ 256.612186] Call Trace:
+[ 256.612344] [<ffffffff96e18735>] dump_stack+0x6d/0x8b
+[ 256.612632] [<ffffffff96334841>] kasan_object_err+0x21/0x70
+[ 256.612973] [<ffffffff96334af8>] kasan_report.part.1+0x218/0x4f0
+[ 256.613349] [<ffffffff96c5a2e0>] ? cbq_put+0x20/0xd0
+[ 256.613634] [<ffffffff96333cd6>] ? kasan_unpoison_shadow+0x36/0x50
+[ 256.613993] [<ffffffff96335105>] kasan_report+0x25/0x30
+[ 256.614288] [<ffffffff96333701>] __asan_load4+0x61/0x80
+[ 256.614580] [<ffffffff96c5a2e0>] cbq_put+0x20/0xd0
+[ 256.614862] [<ffffffff96c53184>] tc_ctl_tfilter+0x4f4/0xb80
+[ 256.615151] [<ffffffff96c52c90>] ? tfilter_notify+0x140/0x140
+[ 256.615478] [<ffffffff960056ef>] ? do_syscall_64+0xef/0x190
+[ 256.615799] [<ffffffff96e28a8e>] ? entry_SYSCALL_64_after_swapgs+0x58/0xc6
+[ 256.616190] [<ffffffff96bce3f6>] ? sock_sendmsg+0x76/0x80
+[ 256.616484] [<ffffffff96bce53f>] ? sock_write_iter+0x13f/0x1f0
+[ 256.616833] [<ffffffff96367b02>] ? __vfs_write+0x262/0x3c0
+[ 256.617152] [<ffffffff96369dc9>] ? vfs_write+0xf9/0x260
+[ 256.617451] [<ffffffff9636c009>] ? SyS_write+0xc9/0x1b0
+[ 256.617754] [<ffffffff960decda>] ? ns_capable_common+0x5a/0xa0
+[ 256.618067] [<ffffffff960ded33>] ? ns_capable+0x13/0x20
+[ 256.618334] [<ffffffff96c9125d>] ? __netlink_ns_capable+0x6d/0x80
+[ 256.618666] [<ffffffff96c2750f>] rtnetlink_rcv_msg+0x1af/0x410
+[ 256.618969] [<ffffffff96c90d6b>] ? netlink_compare+0x5b/0x70
+[ 256.619295] [<ffffffff96c27360>] ? rtnl_newlink+0xc60/0xc60
+[ 256.619587] [<ffffffff96c94214>] ? __netlink_lookup+0x1a4/0x240
+[ 256.619885] [<ffffffff96c94070>] ? netlink_broadcast+0x20/0x20
+[ 256.620179] [<ffffffff96c97815>] netlink_rcv_skb+0x155/0x190
+[ 256.620463] [<ffffffff96c27360>] ? rtnl_newlink+0xc60/0xc60
+[ 256.620748] [<ffffffff96c1e758>] rtnetlink_rcv+0x28/0x30
+[ 256.621015] [<ffffffff96c96d11>] netlink_unicast+0x2f1/0x3b0
+[ 256.621354] [<ffffffff96c96a20>] ? netlink_attachskb+0x340/0x340
+[ 256.621765] [<ffffffff96c9733e>] netlink_sendmsg+0x56e/0x6f0
+[ 256.622181] [<ffffffff96c96dd0>] ? netlink_unicast+0x3b0/0x3b0
+[ 256.622578] [<ffffffff96c96dd0>] ? netlink_unicast+0x3b0/0x3b0
+[ 256.622893] [<ffffffff96bce3f6>] sock_sendmsg+0x76/0x80
+[ 256.623157] [<ffffffff96bce53f>] sock_write_iter+0x13f/0x1f0
+[ 256.623440] [<ffffffff96bce400>] ? sock_sendmsg+0x80/0x80
+[ 256.623729] [<ffffffff966a8032>] ? iov_iter_init+0x82/0xc0
+[ 256.624006] [<ffffffff96367b02>] __vfs_write+0x262/0x3c0
+[ 256.624274] [<ffffffff963678a0>] ? default_llseek+0x120/0x120
+[ 256.624566] [<ffffffff965e8c02>] ? common_file_perm+0x92/0x170
+[ 256.624925] [<ffffffff96369a58>] ? rw_verify_area+0x78/0x140
+[ 256.625277] [<ffffffff96369dc9>] vfs_write+0xf9/0x260
+[ 256.625593] [<ffffffff9636c009>] SyS_write+0xc9/0x1b0
+[ 256.625891] [<ffffffff9636bf40>] ? SyS_read+0x1b0/0x1b0
+[ 256.626154] [<ffffffff9636bf40>] ? SyS_read+0x1b0/0x1b0
+[ 256.626422] [<ffffffff960056ef>] do_syscall_64+0xef/0x190
+[ 256.626697] [<ffffffff96e28a8e>] entry_SYSCALL_64_after_swapgs+0x58/0xc6
+[ 256.627033] Object at ffff880021daaa80, in cache kmalloc-512 size: 512
+[ 256.627415] Allocated:
+[ 256.627563] PID = 164
+[ 256.627711] save_stack_trace+0x1b/0x20
+[ 256.627947] save_stack+0x46/0xd0
+[ 256.628151] kasan_kmalloc+0xad/0xe0
+[ 256.628362] kmem_cache_alloc_trace+0xe8/0x1e0
+[ 256.628637] cbq_change_class+0x8b6/0xde0
+[ 256.628896] tc_ctl_tclass+0x56a/0x5b0
+[ 256.629129] rtnetlink_rcv_msg+0x1af/0x410
+[ 256.629380] netlink_rcv_skb+0x155/0x190
+[ 256.629621] rtnetlink_rcv+0x28/0x30
+[ 256.629840] netlink_unicast+0x2f1/0x3b0
+[ 256.630066] netlink_sendmsg+0x56e/0x6f0
+[ 256.630263] sock_sendmsg+0x76/0x80
+[ 256.630456] sock_write_iter+0x13f/0x1f0
+[ 256.630698] __vfs_write+0x262/0x3c0
+[ 256.630918] vfs_write+0xf9/0x260
+[ 256.631123] SyS_write+0xc9/0x1b0
+[ 256.631327] do_syscall_64+0xef/0x190
+[ 256.631553] entry_SYSCALL_64_after_swapgs+0x58/0xc6
+[ 256.631827] Freed:
+[ 256.631931] PID = 164
+[ 256.632048] save_stack_trace+0x1b/0x20
+[ 256.632241] save_stack+0x46/0xd0
+[ 256.632408] kasan_slab_free+0x71/0xb0
+[ 256.632597] kfree+0x8c/0x1a0
+[ 256.632751] cbq_destroy_class+0x85/0xa0
+[ 256.632948] cbq_destroy+0xfa/0x120
+[ 256.633125] qdisc_destroy+0xa1/0x140
+[ 256.633309] dev_shutdown+0x12d/0x190
+[ 256.633497] rollback_registered_many+0x43c/0x5b0
+[ 256.633753] unregister_netdevice_many+0x2c/0x130
+[ 256.634041] rtnl_delete_link+0xb3/0x100
+[ 256.634283] rtnl_dellink+0x19c/0x360
+[ 256.634509] rtnetlink_rcv_msg+0x1af/0x410
+[ 256.634760] netlink_rcv_skb+0x155/0x190
+[ 256.635001] rtnetlink_rcv+0x28/0x30
+[ 256.635221] netlink_unicast+0x2f1/0x3b0
+[ 256.635463] netlink_sendmsg+0x56e/0x6f0
+[ 256.635700] sock_sendmsg+0x76/0x80
+[ 256.635915] sock_write_iter+0x13f/0x1f0
+[ 256.636156] __vfs_write+0x262/0x3c0
+[ 256.636376] vfs_write+0xf9/0x260
+[ 256.636580] SyS_write+0xc9/0x1b0
+[ 256.636787] do_syscall_64+0xef/0x190
+[ 256.637013] entry_SYSCALL_64_after_swapgs+0x58/0xc6
+[ 256.637316] Memory state around the buggy address:
+[ 256.637610] ffff880021daaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 256.638047] ffff880021daab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 256.638487] >ffff880021daab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 256.638924] ^
+[ 256.639186] ffff880021daac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 256.639624] ffff880021daac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+---
+ net/sched/cls_api.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -268,10 +268,13 @@ replay:
+ err = -ENOENT;
+ tp_ops = tcf_proto_lookup_ops(tca[TCA_KIND]);
+ if (tp_ops == NULL) {
+-#ifdef CONFIG_MODULES
+ struct nlattr *kind = tca[TCA_KIND];
+ char name[IFNAMSIZ];
+
++ if (cl)
++ cops->put(q, cl);
++ cl = 0;
++#ifdef CONFIG_MODULES
+ if (kind != NULL &&
+ nla_strlcpy(name, kind, IFNAMSIZ) < IFNAMSIZ) {
+ rtnl_unlock();
projects / thirdparty / kernel / stable-queue.git / commitdiff
