ROSE timers only acquire the socket spinlock (bh_lock_sock()) without checking whether the socket is currently owned by a user thread (sock_owned_by_user()); a timer callback can therefore modify protocol state concurrently with a process-context path that holds the socket lock, and the KASAN report below is one such case. Add the check and, when the socket is owned, re-arm the timer (HZ/20 later) instead of running the handler.
BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
Read of size 2 at addr ffff88802f09b82a by task swapper/0/0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:378 [inline]
  print_report+0x169/0x550 mm/kasan/report.c:489
  kasan_report+0x143/0x180 mm/kasan/report.c:602
  rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
  call_timer_fn+0x187/0x650 kernel/time/timer.c:1793
  expire_timers kernel/time/timer.c:1844 [inline]
  __run_timers kernel/time/timer.c:2418 [inline]
  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430
  run_timer_base kernel/time/timer.c:2439 [inline]
  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449
  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
  __do_softirq kernel/softirq.c:595 [inline]
  invoke_softirq kernel/softirq.c:435 [inline]
  __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250122180244.1861468-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
// SPDX-License-Identifier: GPL-2.0-or-later
/*
 *
 * Copyright (C) Jonathan Naylor G4KLX (g4klx@g4klx.demon.co.uk)
 * Copyright (C) 2002 Ralf Baechle DO1GRB (ralf@gnu.org)
 */
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/socket.h>
#include <linux/in.h>
#include <linux/kernel.h>
#include <linux/jiffies.h>
#include <linux/timer.h>
#include <linux/string.h>
#include <linux/sockios.h>
#include <linux/net.h>
#include <net/ax25.h>
#include <linux/inet.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <net/sock.h>
#include <net/tcp_states.h>
#include <linux/fcntl.h>
#include <linux/mm.h>
#include <linux/interrupt.h>
#include <net/rose.h>
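/*
 * Timer handlers, defined below.  The prototypes are needed because the
 * rose_start_*() helpers install them as timer functions before the
 * definitions appear.  Parameter names are kept on all three for
 * consistency.
 */
static void rose_heartbeat_expiry(struct timer_list *t);
static void rose_timer_expiry(struct timer_list *t);
static void rose_idletimer_expiry(struct timer_list *t);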
/*
 * (Re)arm the per-socket heartbeat timer (sk->sk_timer) to fire in five
 * seconds with rose_heartbeat_expiry() as its handler.
 *
 * A pending instance is cancelled with sk_stop_timer() before the new one
 * is armed.  sk_reset_timer() is expected to hold a socket reference on
 * behalf of the armed timer; the handler releases it with sock_put().
 */
void rose_start_heartbeat(struct sock *sk)
{
	struct timer_list *hb = &sk->sk_timer;
	unsigned long when = jiffies + 5 * HZ;

	sk_stop_timer(sk, hb);

	hb->function = rose_heartbeat_expiry;
	hb->expires  = when;
	sk_reset_timer(sk, hb, when);
}
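/*
 * Arm the shared protocol timer (rose->timer) to expire @delay jiffies from
 * now.  A single timer serves as T1, T2, T3 and HB; rose_timer_expiry()
 * works out which one has fired from rose->state.
 *
 * Any pending instance is cancelled first, then sk_reset_timer() arms a
 * fresh one with rose_timer_expiry() as the handler.  This is the one
 * implementation behind rose_start_t1timer() .. rose_start_hbtimer(),
 * which differ only in the timeout value they read from the socket.
 */
static void rose_arm_timer(struct sock *sk, unsigned long delay)
{
	struct rose_sock *rose = rose_sk(sk);

	sk_stop_timer(sk, &rose->timer);

	rose->timer.function = rose_timer_expiry;
	rose->timer.expires  = jiffies + delay;

	sk_reset_timer(sk, &rose->timer, rose->timer.expires);
}

/* Start T1 (rose->t1 jiffies); rose_timer_expiry() handles it in ROSE_STATE_1. */
void rose_start_t1timer(struct sock *sk)
{
	rose_arm_timer(sk, rose_sk(sk)->t1);
}

/* Start T2 (rose->t2 jiffies); rose_timer_expiry() handles it in ROSE_STATE_4. */
void rose_start_t2timer(struct sock *sk)
{
	rose_arm_timer(sk, rose_sk(sk)->t2);
}

/* Start T3 (rose->t3 jiffies); rose_timer_expiry() handles it in ROSE_STATE_2. */
void rose_start_t3timer(struct sock *sk)
{
	rose_arm_timer(sk, rose_sk(sk)->t3);
}

/* Start HB (rose->hb jiffies); rose_timer_expiry() handles it in ROSE_STATE_3. */
void rose_start_hbtimer(struct sock *sk)
{
	rose_arm_timer(sk, rose_sk(sk)->hb);
}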
/*
 * (Re)arm the idle timer (rose->idletimer).  A pending instance is always
 * cancelled; a new one is armed only when rose->idle is positive, so an
 * idle value of 0 leaves the idle timer off.
 */
void rose_start_idletimer(struct sock *sk)
{
	struct rose_sock *rose = rose_sk(sk);
	struct timer_list *it = &rose->idletimer;

	sk_stop_timer(sk, it);

	if (rose->idle <= 0)
		return;

	it->function = rose_idletimer_expiry;
	it->expires  = jiffies + rose->idle;
	sk_reset_timer(sk, it, it->expires);
}
/* Cancel the heartbeat timer (sk->sk_timer) if it is armed. */
void rose_stop_heartbeat(struct sock *sk)
{
	struct timer_list *hb = &sk->sk_timer;

	sk_stop_timer(sk, hb);
}
/* Cancel the shared T1/T2/T3/HB timer (rose->timer) if it is armed. */
void rose_stop_timer(struct sock *sk)
{
	struct rose_sock *rose = rose_sk(sk);

	sk_stop_timer(sk, &rose->timer);
}
/* Cancel the idle timer (rose->idletimer) if it is armed. */
void rose_stop_idletimer(struct sock *sk)
{
	struct rose_sock *rose = rose_sk(sk);

	sk_stop_timer(sk, &rose->idletimer);
}
/*
 * Heartbeat timer handler (sk->sk_timer, armed by rose_start_heartbeat()).
 *
 * Runs in softirq context under the socket spinlock only.  If a user
 * thread currently owns the socket, the handler must not touch protocol
 * state: it re-arms itself HZ/20 (50ms) out and leaves.  Otherwise it
 * reaps sockets in state 0 that are marked for destruction, and in state 3
 * clears the receiver-busy condition once the receive queue has drained,
 * then re-arms the heartbeat.  Every exit path ends with sock_put() to
 * balance the reference held on behalf of the armed timer.
 */
static void rose_heartbeat_expiry(struct timer_list *t)
{
	struct sock *sk = from_timer(sk, t, sk_timer);
	struct rose_sock *rose = rose_sk(sk);

	bh_lock_sock(sk);
	/*
	 * A process holds the socket lock: retry shortly rather than race
	 * with it (this is the check added by the use-after-free fix).
	 */
	if (sock_owned_by_user(sk)) {
		sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ/20);
		goto out;
	}
	switch (rose->state) {
	case ROSE_STATE_0:
		/* Magic here: If we listen() and a new link dies before it
		   is accepted() it isn't 'dead' so doesn't get removed. */
		if (sock_flag(sk, SOCK_DESTROY) ||
		    (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
			/*
			 * Unlock before tearing the socket down, drop the
			 * timer's reference and return -- rose_destroy_socket()
			 * is presumably freeing the socket, so do NOT fall
			 * through to rose_start_heartbeat() below, which
			 * would re-arm a timer on it.
			 */
			bh_unlock_sock(sk);
			rose_destroy_socket(sk);
			sock_put(sk);
			return;
		}
		break;

	case ROSE_STATE_3:
		/*
		 * Check for the state of the receive buffer: once it has
		 * drained below half of sk_rcvbuf while we had flagged
		 * ourselves RX-busy, clear the busy and ack-pending
		 * conditions, sync vl to vr, tell the peer with an RR and
		 * stop the HB instance of rose->timer.
		 */
		if (atomic_read(&sk->sk_rmem_alloc) < (sk->sk_rcvbuf / 2) &&
		    (rose->condition & ROSE_COND_OWN_RX_BUSY)) {
			rose->condition &= ~ROSE_COND_OWN_RX_BUSY;
			rose->condition &= ~ROSE_COND_ACK_PENDING;
			rose->vl         = rose->vr;
			rose_write_internal(sk, ROSE_RR);
			rose_stop_timer(sk);	/* HB */
			break;
		}
		break;
	}

	/* Keep the heartbeat going for a socket that is still alive. */
	rose_start_heartbeat(sk);
out:
	bh_unlock_sock(sk);
	sock_put(sk);
}
/*
 * Handler for the shared protocol timer (rose->timer).  The same timer is
 * armed as T1, T2, T3 or HB by the rose_start_*timer() helpers; which
 * timeout has expired is derived from rose->state below.
 *
 * As in rose_heartbeat_expiry(), the handler backs off for HZ/20 (50ms)
 * when a user thread owns the socket, and every exit path ends with
 * sock_put() to balance the reference held for the armed timer.
 */
static void rose_timer_expiry(struct timer_list *t)
{
	struct rose_sock *rose = from_timer(rose, t, timer);
	struct sock *sk = &rose->sock;

	bh_lock_sock(sk);
	/* A process holds the socket lock: do not touch state, retry later. */
	if (sock_owned_by_user(sk)) {
		sk_reset_timer(sk, &rose->timer, jiffies + HZ/20);
		goto out;
	}
	switch (rose->state) {
	case ROSE_STATE_1:	/* T1 */
	case ROSE_STATE_4:	/* T2 */
		/*
		 * No response in time: send a CLEAR_REQUEST, move to state 2
		 * and start T3.  If T3 expires too, the ROSE_STATE_2 case
		 * below runs.
		 */
		rose_write_internal(sk, ROSE_CLEAR_REQUEST);
		rose->state = ROSE_STATE_2;
		rose_start_t3timer(sk);
		break;

	case ROSE_STATE_2:	/* T3 */
		/*
		 * The clear was never confirmed: drop our use count on the
		 * neighbour and report a timeout.
		 * NOTE(review): rose->neighbour is dereferenced without a
		 * NULL check; presumably it is guaranteed non-NULL once a
		 * CLEAR_REQUEST has been sent (state 2) -- confirm against
		 * the state machine in the rest of net/rose.
		 */
		rose->neighbour->use--;
		rose_disconnect(sk, ETIMEDOUT, -1, -1);
		break;

	case ROSE_STATE_3:	/* HB */
		/*
		 * An acknowledgement is still pending: clear the flag and
		 * answer explicitly via rose_enquiry_response().
		 */
		if (rose->condition & ROSE_COND_ACK_PENDING) {
			rose->condition &= ~ROSE_COND_ACK_PENDING;
			rose_enquiry_response(sk);
		}
		break;
	}
out:
	bh_unlock_sock(sk);
	sock_put(sk);
}
/*
 * Idle timer handler (rose->idletimer, armed by rose_start_idletimer()).
 *
 * The socket has been idle for rose->idle jiffies: call
 * rose_clear_queues() (presumably discarding queued frames), send a
 * CLEAR_REQUEST, enter state 2 with T3 running, and mark the socket
 * TCP_CLOSE with SEND_SHUTDOWN, notifying the owner through
 * sk_state_change() unless the socket is already SOCK_DEAD.
 *
 * When a user thread owns the socket the handler instead re-arms itself
 * HZ/20 (50ms) later.  Both paths unlock and then sock_put() to release
 * the reference held for the armed timer.
 */
static void rose_idletimer_expiry(struct timer_list *t)
{
	struct rose_sock *rose = from_timer(rose, t, idletimer);
	struct sock *sk = &rose->sock;

	bh_lock_sock(sk);
	if (sock_owned_by_user(sk)) {
		/* Process context owns the socket: come back in 50ms. */
		sk_reset_timer(sk, &rose->idletimer, jiffies + HZ/20);
	} else {
		rose_clear_queues(sk);

		rose_write_internal(sk, ROSE_CLEAR_REQUEST);
		rose->state = ROSE_STATE_2;
		rose_start_t3timer(sk);

		sk->sk_state     = TCP_CLOSE;
		sk->sk_err       = 0;
		sk->sk_shutdown |= SEND_SHUTDOWN;

		if (!sock_flag(sk, SOCK_DEAD)) {
			sk->sk_state_change(sk);
			sock_set_flag(sk, SOCK_DEAD);
		}
	}
	bh_unlock_sock(sk);
	sock_put(sk);
}