hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8UZTK
CVE: NA
--------------------------------
Got a UAF problem as follows:
========================================================
BUG: KASAN: use-after-free in run_timer_softirq+0x526/0x750
...
Call Trace:
 <IRQ>
 dump_stack+0x8b/0xbb
 print_address_description+0x6a/0x270
 kasan_report+0x179/0x2c0
 ? run_timer_softirq+0x526/0x750
 run_timer_softirq+0x526/0x750
 ? pvclock_clocksource_read+0xd1/0x180
 ? init_timer_key+0xc0/0xc0
 ? kvm_sched_clock_read+0xd/0x20
 ? sched_clock+0x5/0x10
 ? sched_clock_cpu+0x18/0x100
 __do_softirq+0x119/0x3a2
 irq_exit+0x153/0x160
 smp_apic_timer_interrupt+0x92/0x1a0
 apic_timer_interrupt+0xf/0x20
...
Allocated by task 11277:
 kasan_kmalloc+0xa0/0xd0
 __kmalloc_node+0x190/0x2b0
 kvmalloc_node+0x43/0x70
 alloc_netdev_mqs+0x6a/0x660
 rtnl_create_link+0x12a/0x420
 rtnl_newlink+0x832/0xab0
 rtnetlink_rcv_msg+0x424/0x500
 netlink_rcv_skb+0xcd/0x200
 netlink_unicast+0x2e9/0x3a0
 netlink_sendmsg+0x4d7/0x670
 sock_sendmsg+0x6d/0x80
 ____sys_sendmsg+0x36a/0x3d0
 ___sys_sendmsg+0x10a/0x190
 __sys_sendmsg+0xd2/0x150
 do_syscall_64+0x77/0x2c0
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 11313:
 __kasan_slab_free+0x130/0x180
 kfree+0x90/0x1a0
 device_release+0x47/0xe0
 kobject_release+0x98/0x200
 netdev_run_todo+0x36d/0x490
 rtnetlink_rcv_msg+0x42c/0x500
 netlink_rcv_skb+0xcd/0x200
 netlink_unicast+0x2e9/0x3a0
 netlink_sendmsg+0x4d7/0x670
 sock_sendmsg+0x6d/0x80
 ____sys_sendmsg+0x36a/0x3d0
 ___sys_sendmsg+0x10a/0x190
 __sys_sendmsg+0xd2/0x150
 do_syscall_64+0x77/0x2c0
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Under the closed state of the bridge netdev, try to activate ip6_own_query.timer of the bridge netdev by br_multicast_set_querier(), and delete the bridge netdev immediately afterwards. Because the timer will not be deleted during the bridge netdev deleting process, when the timer is not activated before the bridge netdev is released, a UAF will be triggered when the timer is accessed in run_timer_softirq().

Add br_multicast_stop() in br_multicast_dev_del() to delete the timer during the bridge netdev deleting process, as done in commit 613d61dbef8e ("net: bridge: vlan: add global and per-port multicast context").
Fixes: cc0fdd802859 ("bridge: separate querier and query timer into IGMP/IPv4 and MLD/IPv6 ones")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
--
v2:
 - Remove "Offering" item.
---
 net/bridge/br_multicast.c | 1 +
 1 file changed, 1 insertion(+)
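The commit message describes the sequence in prose: the querier is enabled on a bridge that is down, the bridge is deleted, and the still-pending timer fires from the timer softirq. The following userspace C model is an added example, not kernel code and not part of this patch: it rebuilds the mechanism with a toy timer wheel and a KASAN-like quarantine. Every name in it (kmalloc, kfree, add_timer, del_timer, run_timer_softirq, br_multicast_set_querier, br_dev_delete, scenario) is a local stand-in that only mimics the contract assumed here, namely that a pending timer_list stays reachable from the wheel after the object embedding it has been freed. The unfixed teardown yields one use-after-free hit; removing the timer from the wheel before kfree(), which is what the patch adds via br_multicast_stop(), yields none.

```c
/* Userspace model of the bridge own-query timer use-after-free. Constructed for
 * this example, not kernel code: it only mimics the contracts the commit message
 * relies on, i.e. a pending timer_list stays reachable from the timer wheel after
 * the object embedding it has been freed. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct timer_list {
    unsigned long expires;
    void (*function)(struct timer_list *);
};

/* Timer wheel: raw pointers to pending timers, which is exactly what makes the bug. */
#define MAX_PENDING 8
static struct timer_list *wheel[MAX_PENDING];
static unsigned long jiffies;

static void add_timer(struct timer_list *t)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (!wheel[i]) { wheel[i] = t; return; }
    abort(); /* wheel full; unreachable in this scenario */
}

/* Returns 1 if the timer was pending, 0 if not (del_timer()'s contract). */
static int del_timer(struct timer_list *t)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (wheel[i] == t) { wheel[i] = NULL; return 1; }
    return 0;
}

/* KASAN stand-in: the single block this scenario allocates is quarantined on
 * free rather than returned to malloc, so a stale pointer into it is recognisable. */
static struct { char *p; size_t n; int freed; } block;

static void *kmalloc(size_t n)
{
    block.p = calloc(1, n); block.n = n; block.freed = 0;
    return block.p;
}
static void kfree(void *p) { if (p == block.p) block.freed = 1; }
static int in_freed_block(const void *p)
{
    const char *c = p;
    return block.freed && c >= block.p && c < block.p + block.n;
}

/* run_timer_softirq(): fire expired timers. A timer found inside freed memory
 * is counted instead of dereferenced; that count is what KASAN would report. */
static int run_timer_softirq(void)
{
    int uaf = 0;
    for (int i = 0; i < MAX_PENDING; i++) {
        struct timer_list *t = wheel[i];
        if (!t)
            continue;
        if (in_freed_block(t)) { wheel[i] = NULL; uaf++; continue; }
        if (t->expires > jiffies)
            continue;
        wheel[i] = NULL;
        t->function(t);
    }
    return uaf;
}

struct net_bridge {
    int queries_sent;
    struct timer_list ip6_own_query_timer;
};

static void br_ip6_multicast_query_expired(struct timer_list *t)
{
    container_of(t, struct net_bridge, ip6_own_query_timer)->queries_sent++;
}

/* Enabling the querier arms the own-query timer even while the bridge is down. */
static void br_multicast_set_querier(struct net_bridge *br, int val)
{
    if (val) {
        br->ip6_own_query_timer.expires = jiffies + 1;
        add_timer(&br->ip6_own_query_timer);
    }
}

/* Teardown before the patch leaves the timer pending; with the fix the timer is
 * taken off the wheel first, the part br_multicast_stop() contributes. */
static void br_dev_delete(struct net_bridge *br, int fixed)
{
    if (fixed)
        del_timer(&br->ip6_own_query_timer);
    kfree(br);
}

/* The commit-message sequence: set querier, delete the bridge, let the softirq
 * run. Returns the number of use-after-free hits; 0 means teardown was safe. */
static int scenario(int fixed)
{
    memset(wheel, 0, sizeof(wheel));
    jiffies = 0;
    struct net_bridge *br = kmalloc(sizeof *br);
    br->ip6_own_query_timer.function = br_ip6_multicast_query_expired;
    br_multicast_set_querier(br, 1);
    br_dev_delete(br, fixed);
    jiffies++;
    int hits = run_timer_softirq();
    free(block.p);
    block.p = NULL;
    return hits;
}

int main(void)
{
    printf("buggy teardown: %d UAF hit(s), fixed teardown: %d\n", scenario(0), scenario(1));
    return 0;
}
```

The model is single-threaded, so removing the timer from the wheel is enough. In the kernel the teardown path must additionally wait for a callback that is already executing on another CPU, which is why a stop helper has to use del_timer_sync() rather than del_timer(), and why it cannot be called while holding a lock the callback itself takes.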
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 1dc32cbd20bb..d84abee1d24c 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -2068,6 +2068,7 @@ void br_multicast_dev_del(struct net_bridge *br)
out: spin_unlock_bh(&br->multicast_lock); + br_multicast_stop(br); }
int br_multicast_set_router(struct net_bridge *br, unsigned long val)
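Review bot: the new br_multicast_stop(br) call sits after spin_unlock_bh(&br->multicast_lock), which is the right place only if br_multicast_stop() waits for a running callback (del_timer_sync()); a timer callback that takes multicast_lock would deadlock against a synchronous stop issued under the lock. The hunk does not show br_multicast_stop()'s body, so the commit message should state that it uses del_timer_sync() on ip6_own_query.timer (and its IPv4 counterpart named in the Fixes: title) rather than del_timer(), because a plain del_timer() still leaves a callback already running on another CPU touching the bridge after kfree(). A second point on the commit message: "When the timer is not activated before bridge netdev is released" reads inverted against the scenario it describes, where br_multicast_set_querier() has just armed the timer; "has not expired" is presumably what is meant and would make the race easier to follow.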