lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f68f9f2df6
android_kernel_xiaomi_sm8350/net/batman-adv
History
Vladislav Efanov a3a99a069e batman-adv: Broken sync while rescheduling delayed work 
commit abac3ac97fe8734b620e7322a116450d7f90aa43 upstream.

Syzkaller got a lot of crashes like:
KASAN: use-after-free Write in *_timers*

All of these crashes point to the same memory area:

The buggy address belongs to the object at ffff88801f870000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 5320 bytes inside of
 8192-byte region [ffff88801f870000, ffff88801f872000)

This area belongs to :
        batadv_priv->batadv_priv_dat->delayed_work->timer_list

The reason for these issues is the lack of synchronization. Delayed
work (batadv_dat_purge) schedules new timer/work while the device
is being deleted. As the result new timer/delayed work is set after
cancel_delayed_work_sync() was called. So after the device is freed
the timer list contains pointer to already freed memory.

Found by Linux Verification Center (linuxtesting.org) with syzkaller.

Cc: stable@kernel.org
Fixes: 2f1dfbe185 ("batman-adv: Distributed ARP Table - implement local storage")
Signed-off-by: Vladislav Efanov <VEfanov@ispras.ru>
Acked-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-06-14 10:59:56 +02:00
..
bat_algo.c
bat_algo.h
bat_iv_ogm.c
bat_iv_ogm.h
bat_v_elp.c
bat_v_elp.h
bat_v_ogm.c
bat_v_ogm.h
bat_v.c
bat_v.h
bitarray.c
bitarray.h
bridge_loop_avoidance.c
bridge_loop_avoidance.h
debugfs.c
debugfs.h
distributed-arp-table.c batman-adv: Broken sync while rescheduling delayed work 2023-06-14 10:59:56 +02:00
distributed-arp-table.h
fragmentation.c batman-adv: Don't skb_split skbuffs with frag_list 2022-05-18 09:47:24 +02:00
fragmentation.h
gateway_client.c
gateway_client.h
gateway_common.c
gateway_common.h
hard-interface.c batman-adv: Don't expect inter-netns unique iflink indices 2022-03-08 19:07:47 +01:00
hard-interface.h
hash.c
hash.h
icmp_socket.c
icmp_socket.h
Kconfig
log.c
log.h
main.c
main.h
Makefile
multicast.c ipv6: make mc_forwarding atomic 2022-04-15 14:18:32 +02:00
multicast.h
netlink.c
netlink.h
network-coding.c
network-coding.h
originator.c
originator.h
routing.c
routing.h
send.c
send.h
soft-interface.c
soft-interface.h
sysfs.c
sysfs.h
tp_meter.c
tp_meter.h
trace.c
trace.h
translation-table.c
translation-table.h
tvlv.c
tvlv.h
types.h