| Message ID | 20220924021842.71754-1-duoming@zju.edu.cn (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [V3] mISDN: fix use-after-free bugs in l1oip timer handlers | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Not a local patch |
On Sat, 24 Sep 2022 10:18:42 +0800 Duoming Zhou wrote: > + del_timer_sync(&hc->keep_tl); > + del_timer_sync(&hc->timeout_tl); > + cancel_work_sync(&hc->workq); > + del_timer_sync(&hc->keep_tl); > cancel_work_sync(&hc->workq); Why not add a bit which will indicate that the device is shutting down and check it in places which schedule the timer? I think that's much easier to reason about and we won't need to do this rep cancel procedure.
Hello, On Tue, 27 Sep 2022 17:26:18 -0700 Jakub Kicinski wrote: > On Sat, 24 Sep 2022 10:18:42 +0800 Duoming Zhou wrote: > > + del_timer_sync(&hc->keep_tl); > > + del_timer_sync(&hc->timeout_tl); > > + cancel_work_sync(&hc->workq); > > + del_timer_sync(&hc->keep_tl); > > cancel_work_sync(&hc->workq); > > Why not add a bit which will indicate that the device is shutting > down and check it in places which schedule the timer? > I think that's much easier to reason about and we won't need to do > this rep cancel procedure. Thank you for your time and suggestions! Best regards, Duoming Zhou
diff --git a/drivers/isdn/mISDN/l1oip_core.c b/drivers/isdn/mISDN/l1oip_core.c index 2c40412466e..5939f1d8f08 100644 --- a/drivers/isdn/mISDN/l1oip_core.c +++ b/drivers/isdn/mISDN/l1oip_core.c @@ -762,6 +762,8 @@ l1oip_socket_close(struct l1oip *hc) wait_for_completion(&hc->socket_complete); } + del_timer_sync(&hc->timeout_tl); + /* if active, we send up a PH_DEACTIVATE and deactivate */ if (test_bit(FLG_ACTIVE, &dch->Flags)) { if (debug & (DEBUG_L1OIP_MSG | DEBUG_L1OIP_SOCKET)) @@ -1232,12 +1234,10 @@ release_card(struct l1oip *hc) { int ch; - if (timer_pending(&hc->keep_tl)) - del_timer(&hc->keep_tl); - - if (timer_pending(&hc->timeout_tl)) - del_timer(&hc->timeout_tl); - + del_timer_sync(&hc->keep_tl); + del_timer_sync(&hc->timeout_tl); + cancel_work_sync(&hc->workq); + del_timer_sync(&hc->keep_tl); cancel_work_sync(&hc->workq); if (hc->socket_thread)
The l1oip_cleanup() traverses the l1oip_ilist and calls release_card() to cleanup module and stack. However, release_card() calls del_timer() to delete the timers such as keep_tl and timeout_tl. If the timer handler is running, the del_timer() will not stop it and result in UAF bugs. One of the processes is shown below: (cleanup routine) | (timer handler) release_card() | l1oip_timeout() ... | del_timer() | ... ... | kfree(hc) //FREE | | hc->timeout_on = 0 //USE Fix by calling del_timer_sync() in release_card(), which makes sure the timer handlers have finished before the resources, such as l1oip and so on, have been deallocated. What's more, the hc->workq and hc->socket_thread can kick those timers right back in. We use del_timer_sync(&hc->keep_tl) and cancel_work_sync(&hc->workq) twice to stop keep_tl timer and hc->workq. Then, we add del_timer_sync(&hc->timeout_tl) inside l1oip_socket_close() to stop timeout_tl timer. Because the hc->socket_thread has been killed and the timeout_tl timer will not be rescheduled. Fixes: 3712b42d4b1b ("Add layer1 over IP support") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> --- Changes in v3: - Make commit messages more clearer. - Add del_timer_sync(&hc->timeout_tl) inside l1oip_socket_close(). drivers/isdn/mISDN/l1oip_core.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)