Re: [PATCH] wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces

From: Kalle Valo
Date: Thu Feb 15 2024 - 06:10:28 EST

Next message: John Garry: "Re: [PATCH 1/6] fs: iomap: Atomic write support"
Previous message: Vlastimil Babka: "Re: [PATCH v9 4/7] mm,page_owner: Implement the tracking of the stacks count"
In reply to: Alexis Lothoré: "[PATCH] wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Alexis Lothoré <alexis.lothore@xxxxxxxxxxx> wrote:

> wilc_netdev_cleanup currently triggers a KASAN warning, which can be
> observed on interface registration error path, or simply by
> removing the module/unbinding device from driver:
>
> echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
> Read of size 4 at addr c54d1ce8 by task sh/86
>
> CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117
> Hardware name: Atmel SAMA5
> unwind_backtrace from show_stack+0x18/0x1c
> show_stack from dump_stack_lvl+0x34/0x58
> dump_stack_lvl from print_report+0x154/0x500
> print_report from kasan_report+0xac/0xd8
> kasan_report from wilc_netdev_cleanup+0x508/0x5cc
> wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec
> wilc_bus_remove from spi_remove+0x8c/0xac
> spi_remove from device_release_driver_internal+0x434/0x5f8
> device_release_driver_internal from unbind_store+0xbc/0x108
> unbind_store from kernfs_fop_write_iter+0x398/0x584
> kernfs_fop_write_iter from vfs_write+0x728/0xf88
> vfs_write from ksys_write+0x110/0x1e4
> ksys_write from ret_fast_syscall+0x0/0x1c
>
> [...]
>
> Allocated by task 1:
> kasan_save_track+0x30/0x5c
> __kasan_kmalloc+0x8c/0x94
> __kmalloc_node+0x1cc/0x3e4
> kvmalloc_node+0x48/0x180
> alloc_netdev_mqs+0x68/0x11dc
> alloc_etherdev_mqs+0x28/0x34
> wilc_netdev_ifc_init+0x34/0x8ec
> wilc_cfg80211_init+0x690/0x910
> wilc_bus_probe+0xe0/0x4a0
> spi_probe+0x158/0x1b0
> really_probe+0x270/0xdf4
> __driver_probe_device+0x1dc/0x580
> driver_probe_device+0x60/0x140
> __driver_attach+0x228/0x5d4
> bus_for_each_dev+0x13c/0x1a8
> bus_add_driver+0x2a0/0x608
> driver_register+0x24c/0x578
> do_one_initcall+0x180/0x310
> kernel_init_freeable+0x424/0x484
> kernel_init+0x20/0x148
> ret_from_fork+0x14/0x28
>
> Freed by task 86:
> kasan_save_track+0x30/0x5c
> kasan_save_free_info+0x38/0x58
> __kasan_slab_free+0xe4/0x140
> kfree+0xb0/0x238
> device_release+0xc0/0x2a8
> kobject_put+0x1d4/0x46c
> netdev_run_todo+0x8fc/0x11d0
> wilc_netdev_cleanup+0x1e4/0x5cc
> wilc_bus_remove+0xc8/0xec
> spi_remove+0x8c/0xac
> device_release_driver_internal+0x434/0x5f8
> unbind_store+0xbc/0x108
> kernfs_fop_write_iter+0x398/0x584
> vfs_write+0x728/0xf88
> ksys_write+0x110/0x1e4
> ret_fast_syscall+0x0/0x1c
> [...]
>
> David Mosberger-Tan initial investigation [1] showed that this
> use-after-free is due to netdevice unregistration during vif list
> traversal. When unregistering a net device, since the needs_free_netdev has
> been set to true during registration, the netdevice object is also freed,
> and as a consequence, the corresponding vif object too, since it is
> attached to it as private netdevice data. The next occurrence of the loop
> then tries to access freed vif pointer to the list to move forward in the
> list.
>
> Fix this use-after-free thanks to two mechanisms:
> - navigate in the list with list_for_each_entry_safe, which allows to
> safely modify the list as we go through each element. For each element,
> remove it from the list with list_del_rcu
> - make sure to wait for RCU grace period end after each vif removal to make
> sure it is safe to free the corresponding vif too (through
> unregister_netdev)
>
> Since we are in a RCU "modifier" path (not a "reader" path), and because
> such path is expected not to be concurrent to any other modifier (we are
> using the vif_mutex lock), we do not need to use RCU list API, that's why
> we can benefit from list_for_each_entry_safe.
>
> [1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@xxxxxxxxxx/
>
> Fixes: 8399918f3056 ("staging: wilc1000: use RCU list to maintain vif interfaces list")
> Signed-off-by: Alexis Lothoré <alexis.lothore@xxxxxxxxxxx>

Patch applied to wireless-next.git, thanks.

cb5942b77c05 wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces

--
https://patchwork.kernel.org/project/linux-wireless/patch/20240212-wilc_rework_deinit-v1-1-9203ae56c27f@xxxxxxxxxxx/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Next message: John Garry: "Re: [PATCH 1/6] fs: iomap: Atomic write support"
Previous message: Vlastimil Babka: "Re: [PATCH v9 4/7] mm,page_owner: Implement the tracking of the stacks count"
In reply to: Alexis Lothoré: "[PATCH] wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]