
syzbot reported a warning below during atm_dev_register(). [0]
Before creating a new device and procfs/sysfs for it, atm_dev_register()
looks up a duplicated device by __atm_dev_lookup(). These operations are
done under atm_dev_mutex.
However, when removing a device in atm_dev_deregister(), it releases the
mutex just after removing the device from the list that __atm_dev_lookup()
iterates over.
So there is a small race window in which the device is no longer on the
device list but its procfs/sysfs entries have not yet been removed, which
triggers the splat.
Let's hold the mutex until procfs/sysfs are removed in
atm_dev_deregister().
[0]:
proc_dir_entry 'atm/atmtcp:0' already registered
WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377
Modules linked in:
CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377
Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48
RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248
RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001
RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140
R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444
FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_create_data+0xbe/0x110 fs/proc/generic.c:585
atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361
atm_dev_register+0x46d/0x890 net/atm/resources.c:113
atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369
atmtcp_attach drivers/atm/atmtcp.c:403 [inline]
atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464
do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159
sock_do_ioctl+0x115/0x280 net/socket.c:1190
sock_ioctl+0x227/0x6b0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f38b3b74459
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459
RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005
RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac
R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b
</TASK>
Fixes: 64bf69ddff
("[ATM]: deregistration removes device from atm_devs list immediately")
Reported-by: syzbot+8bd335d2ad3b93e80715@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/685316de.050a0220.216029.0087.GAE@google.com/
Tested-by: syzbot+8bd335d2ad3b93e80715@syzkaller.appspotmail.com
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250624214505.570679-1-kuni1840@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
// SPDX-License-Identifier: GPL-2.0

/* net/atm/resources.c - Statically allocated resources */

/* Written 1995-2000 by Werner Almesberger, EPFL LRC/ICA */

/* Fixes
 * Arnaldo Carvalho de Melo <acme@conectiva.com.br>
 * 2002/01 - don't free the whole struct sock on sk->destruct time,
 * use the default destruct function initialized by sock_init_data */

#define pr_fmt(fmt) KBUILD_MODNAME ":%s: " fmt, __func__
#include <linux/ctype.h>
#include <linux/string.h>
#include <linux/atmdev.h>
#include <linux/sonet.h>
#include <linux/kernel.h> /* for barrier */
#include <linux/module.h>
#include <linux/bitops.h>
#include <linux/capability.h>
#include <linux/delay.h>
#include <linux/mutex.h>
#include <linux/slab.h>
#include <net/sock.h> /* for struct sock */
#include "common.h"
#include "resources.h"
#include "addr.h"
/* All registered ATM devices, linked through atm_dev::dev_list. */
LIST_HEAD(atm_devs);
/*
 * Protects atm_devs and, while a device is being added or removed, its
 * procfs/sysfs registration as well (see atm_dev_register() and
 * atm_dev_deregister(), which hold it across both steps).
 */
DEFINE_MUTEX(atm_dev_mutex);

/*
 * Allocate a zeroed struct atm_dev and fill in the fields that do not
 * depend on the caller: the driver type string (stored, not copied), an
 * unknown PHY signal state, ATM_OC3_PCR as the link rate, and the
 * embedded spinlock and address lists.
 *
 * Returns the new device or NULL if the allocation failed.  The caller
 * owns the result; until it is published it is released with a plain
 * kfree() (see atm_dev_register()).
 */
static struct atm_dev *__alloc_atm_dev(const char *type)
{
	struct atm_dev *new_dev = kzalloc(sizeof(*new_dev), GFP_KERNEL);

	if (!new_dev)
		return NULL;

	INIT_LIST_HEAD(&new_dev->local);
	INIT_LIST_HEAD(&new_dev->lecs);
	spin_lock_init(&new_dev->lock);

	new_dev->type = type;
	new_dev->signal = ATM_PHY_SIG_UNKNOWN;
	new_dev->link_rate = ATM_OC3_PCR;

	return new_dev;
}

/*
 * Find the device with the given number on atm_devs and take a reference
 * on it.  The caller must hold atm_dev_mutex.
 *
 * Returns NULL if no device has that number; a non-NULL result must be
 * released with atm_dev_put().
 */
static struct atm_dev *__atm_dev_lookup(int number)
{
	struct atm_dev *found = NULL, *it;

	list_for_each_entry(it, &atm_devs, dev_list) {
		if (it->number != number)
			continue;
		atm_dev_hold(it);
		found = it;
		break;
	}

	return found;
}

/*
 * Locked wrapper around __atm_dev_lookup(): look up a device by number
 * under atm_dev_mutex.  Returns a referenced device or NULL.
 */
struct atm_dev *atm_dev_lookup(int number)
{
	struct atm_dev *found;

	mutex_lock(&atm_dev_mutex);
	found = __atm_dev_lookup(number);
	mutex_unlock(&atm_dev_mutex);

	return found;
}
EXPORT_SYMBOL(atm_dev_lookup);

/*
 * Create and publish a new ATM device.
 *
 * @type:   driver type string, stored as dev->type (not copied).
 * @parent: parent for the sysfs entry created by atm_register_sysfs().
 * @ops:    driver operations.
 * @number: requested device number, or -1 to take the lowest free one.
 * @flags:  initial dev->flags, or NULL for zero.
 *
 * Returns a device holding one reference, or NULL if allocation fails, the
 * requested number is already taken, or procfs/sysfs registration fails.
 * The number check, procfs/sysfs setup and the list insertion all happen
 * under atm_dev_mutex, so a concurrent atm_dev_deregister() cannot leave a
 * stale procfs/sysfs entry behind for the number being claimed here.
 */
struct atm_dev *atm_dev_register(const char *type, struct device *parent,
				 const struct atmdev_ops *ops, int number,
				 unsigned long *flags)
{
	struct atm_dev *dev, *inuse;

	dev = __alloc_atm_dev(type);
	if (!dev) {
		pr_err("no space for dev %s\n", type);
		return NULL;
	}

	mutex_lock(&atm_dev_mutex);

	if (number == -1) {
		/* Lowest number not currently on the list. */
		dev->number = 0;
		while ((inuse = __atm_dev_lookup(dev->number))) {
			atm_dev_put(inuse);
			dev->number++;
		}
	} else {
		inuse = __atm_dev_lookup(number);
		if (inuse) {
			atm_dev_put(inuse);
			goto out_free;
		}
		dev->number = number;
	}

	dev->ops = ops;
	if (flags)
		dev->flags = *flags;
	else
		memset(&dev->flags, 0, sizeof(dev->flags));
	memset(&dev->stats, 0, sizeof(dev->stats));
	refcount_set(&dev->refcnt, 1);

	if (atm_proc_dev_register(dev) < 0) {
		pr_err("atm_proc_dev_register failed for dev %s\n", type);
		goto out_free;
	}

	if (atm_register_sysfs(dev, parent) < 0) {
		pr_err("atm_register_sysfs failed for dev %s\n", type);
		/* Undo the procfs half registered just above. */
		atm_proc_dev_deregister(dev);
		goto out_free;
	}

	list_add_tail(&dev->dev_list, &atm_devs);
	mutex_unlock(&atm_dev_mutex);

	return dev;

out_free:
	/* Not yet on the list, so nobody else can hold a reference. */
	mutex_unlock(&atm_dev_mutex);
	kfree(dev);
	return NULL;
}
EXPORT_SYMBOL(atm_dev_register);

/*
 * Unpublish a device: mark it removed, take it off atm_devs, release its
 * VCCs, remove its sysfs and procfs entries, then drop the registration
 * reference.  Deregistering the same device twice is a bug (BUG_ON on
 * ATM_DF_REMOVED).
 */
void atm_dev_deregister(struct atm_dev *dev)
{
	BUG_ON(test_bit(ATM_DF_REMOVED, &dev->flags));
	set_bit(ATM_DF_REMOVED, &dev->flags);

	mutex_lock(&atm_dev_mutex);
	/*
	 * Once the device leaves atm_devs, atm_dev_register() may hand out
	 * the same number again and create procfs/sysfs entries for it.
	 * Keep the mutex until our own entries are gone so that the new
	 * device never collides with them.
	 */
	list_del(&dev->dev_list);
	atm_dev_release_vccs(dev);
	atm_unregister_sysfs(dev);
	atm_proc_dev_deregister(dev);
	mutex_unlock(&atm_dev_mutex);

	atm_dev_put(dev);
}
EXPORT_SYMBOL(atm_dev_deregister);

/*
 * Copy one AAL's counters from the kernel-side atomic representation into
 * the plain struct handed to userspace.  __AAL_STAT_ITEMS (presumably from
 * linux/atmdev.h) expands to one __HANDLE_ITEM(<field>) per counter, so the
 * temporary __HANDLE_ITEM definition below selects the per-field operation.
 */
static void copy_aal_stats(struct k_atm_aal_stats *from,
			   struct atm_aal_stats *to)
{
#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
	__AAL_STAT_ITEMS
#undef __HANDLE_ITEM
}

/*
 * Subtract a previously reported snapshot (@to) from the live atomic
 * counters (@from), field by field.  Uses the same __AAL_STAT_ITEMS
 * X-macro as copy_aal_stats(); fetch_stats() calls this after a
 * successful copy so that counters are reset by exactly what was read.
 */
static void subtract_aal_stats(struct k_atm_aal_stats *from,
			       struct atm_aal_stats *to)
{
#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
	__AAL_STAT_ITEMS
#undef __HANDLE_ITEM
}

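/*
 * Snapshot a device's AAL counters and optionally hand them to userspace.
 *
 * @dev:  device whose stats are read.
 * @arg:  user buffer for the snapshot, or NULL to skip the copy.
 * @zero: if non-zero (ATM_GETSTATZ), subtract the snapshot from the live
 *        counters once it has been delivered.
 *
 * Returns 0, or -EFAULT if the copy to userspace failed; in that case the
 * live counters are left untouched.
 */
static int fetch_stats(struct atm_dev *dev, struct atm_dev_stats __user *arg,
		       int zero)
{
	struct atm_dev_stats tmp;
	unsigned long not_copied = 0;

	/*
	 * The whole struct is copied to userspace: clear it first so that
	 * no uninitialised stack bytes (padding, should the layout ever
	 * contain any) can leave the kernel.
	 */
	memset(&tmp, 0, sizeof(tmp));
	copy_aal_stats(&dev->stats.aal0, &tmp.aal0);
	copy_aal_stats(&dev->stats.aal34, &tmp.aal34);
	copy_aal_stats(&dev->stats.aal5, &tmp.aal5);

	if (arg)
		not_copied = copy_to_user(arg, &tmp, sizeof(tmp));
	if (not_copied)
		return -EFAULT;

	if (zero) {
		/* Subtract exactly what was reported, not the live value. */
		subtract_aal_stats(&dev->stats.aal0, &tmp.aal0);
		subtract_aal_stats(&dev->stats.aal34, &tmp.aal34);
		subtract_aal_stats(&dev->stats.aal5, &tmp.aal5);
	}

	return 0;
}
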
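/*
 * Report the numbers of all registered ATM devices to userspace.
 *
 * @buf:       user buffer receiving one int per device.
 * @iobuf_len: user int holding the buffer size in bytes on input; on
 *             success it is overwritten with the number of bytes written.
 *
 * Returns 0, -EFAULT on a bad user pointer, -E2BIG if the buffer cannot
 * hold the current device list, or -ENOMEM.
 */
int atm_getnames(void __user *buf, int __user *iobuf_len)
{
	int error, len, size = 0;
	struct atm_dev *dev;
	struct list_head *p;
	int *tmp_buf, *tmp_p;

	if (get_user(len, iobuf_len))
		return -EFAULT;

	mutex_lock(&atm_dev_mutex);
	list_for_each(p, &atm_devs)
		size += sizeof(int);
	if (size > len) {
		mutex_unlock(&atm_dev_mutex);
		return -E2BIG;
	}
	/*
	 * We are holding a mutex, so this is sleepable process context:
	 * GFP_KERNEL is the right flag.  GFP_ATOMIC would needlessly draw
	 * on the emergency reserves and fail sooner under memory pressure.
	 */
	tmp_buf = kmalloc(size, GFP_KERNEL);
	if (!tmp_buf) {
		mutex_unlock(&atm_dev_mutex);
		return -ENOMEM;
	}
	/* Snapshot the numbers under the lock; copy out after unlocking. */
	tmp_p = tmp_buf;
	list_for_each_entry(dev, &atm_devs, dev_list)
		*tmp_p++ = dev->number;
	mutex_unlock(&atm_dev_mutex);

	error = (copy_to_user(buf, tmp_buf, size) ||
		 put_user(size, iobuf_len)) ? -EFAULT : 0;
	kfree(tmp_buf);
	return error;
}
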
/*
 * Device-level ioctl handler (ATM_GETTYPE, ATM_GETESI, ATM_SETESI(F),
 * ATM_GETSTAT(Z), address management, loopback/SONET commands and a
 * pass-through to the driver's ioctl/compat_ioctl for everything else).
 *
 * @cmd:      ioctl command.
 * @buf:      user pointer argument.  For ATM_SETLOOP it is treated as an
 *            integer value rather than a pointer.
 * @sioc_len: user int giving the caller's buffer length on input; when a
 *            command produces @size > 0 bytes, that size is written back.
 *            Note that @len is only passed on to atm_get_addr(); the
 *            fixed-size replies are copied without comparing against it.
 * @number:   device number; try_then_request_module() retries the lookup
 *            after loading the "atm-device-%d" module alias.
 * @compat:   non-zero for a compat (32-bit) caller, routed to
 *            ops->compat_ioctl instead of ops->ioctl.
 *
 * Returns 0 or a negative errno; ATM_SETESI/ATM_SETESIF return ESI_LEN.
 * All paths converge at "done", which drops the device reference taken
 * by atm_dev_lookup().
 */
int atm_dev_ioctl(unsigned int cmd, void __user *buf, int __user *sioc_len,
		  int number, int compat)
{
	int error, len, size = 0;
	struct atm_dev *dev;

	if (get_user(len, sioc_len))
		return -EFAULT;

	dev = try_then_request_module(atm_dev_lookup(number), "atm-device-%d",
				      number);
	if (!dev)
		return -ENODEV;

	switch (cmd) {
	case ATM_GETTYPE:
		/* Includes the terminating NUL. */
		size = strlen(dev->type) + 1;
		if (copy_to_user(buf, dev->type, size)) {
			error = -EFAULT;
			goto done;
		}
		break;
	case ATM_GETESI:
		size = ESI_LEN;
		if (copy_to_user(buf, dev->esi, size)) {
			error = -EFAULT;
			goto done;
		}
		break;
	case ATM_SETESI:
	{
		int i;

		/* ATM_SETESI only sets an ESI that is still all-zero;
		 * ATM_SETESIF (below) overwrites unconditionally. */
		for (i = 0; i < ESI_LEN; i++)
			if (dev->esi[i]) {
				error = -EEXIST;
				goto done;
			}
	}
		fallthrough;
	case ATM_SETESIF:
	{
		unsigned char esi[ESI_LEN];

		if (!capable(CAP_NET_ADMIN)) {
			error = -EPERM;
			goto done;
		}
		/* Stage in a local buffer so a faulting copy leaves
		 * dev->esi intact. */
		if (copy_from_user(esi, buf, ESI_LEN)) {
			error = -EFAULT;
			goto done;
		}
		memcpy(dev->esi, esi, ESI_LEN);
		error = ESI_LEN;
		goto done;
	}
	case ATM_GETSTATZ:
		/* Resetting the counters is privileged; reading is not. */
		if (!capable(CAP_NET_ADMIN)) {
			error = -EPERM;
			goto done;
		}
		fallthrough;
	case ATM_GETSTAT:
		size = sizeof(struct atm_dev_stats);
		error = fetch_stats(dev, buf, cmd == ATM_GETSTATZ);
		if (error)
			goto done;
		break;
	case ATM_GETCIRANGE:
		size = sizeof(struct atm_cirange);
		if (copy_to_user(buf, &dev->ci_range, size)) {
			error = -EFAULT;
			goto done;
		}
		break;
	case ATM_GETLINKRATE:
		size = sizeof(int);
		if (copy_to_user(buf, &dev->link_rate, size)) {
			error = -EFAULT;
			goto done;
		}
		break;
	case ATM_RSTADDR:
		if (!capable(CAP_NET_ADMIN)) {
			error = -EPERM;
			goto done;
		}
		atm_reset_addr(dev, ATM_ADDR_LOCAL);
		break;
	case ATM_ADDADDR:
	case ATM_DELADDR:
	case ATM_ADDLECSADDR:
	case ATM_DELLECSADDR:
	{
		struct sockaddr_atmsvc addr;

		if (!capable(CAP_NET_ADMIN)) {
			error = -EPERM;
			goto done;
		}

		if (copy_from_user(&addr, buf, sizeof(addr))) {
			error = -EFAULT;
			goto done;
		}
		/* The *LECSADDR variants act on the LECS list, the
		 * others on the local address list. */
		if (cmd == ATM_ADDADDR || cmd == ATM_ADDLECSADDR)
			error = atm_add_addr(dev, &addr,
					     (cmd == ATM_ADDADDR ?
					      ATM_ADDR_LOCAL : ATM_ADDR_LECS));
		else
			error = atm_del_addr(dev, &addr,
					     (cmd == ATM_DELADDR ?
					      ATM_ADDR_LOCAL : ATM_ADDR_LECS));
		goto done;
	}
	case ATM_GETADDR:
	case ATM_GETLECSADDR:
		error = atm_get_addr(dev, buf, len,
				     (cmd == ATM_GETADDR ?
				      ATM_ADDR_LOCAL : ATM_ADDR_LECS));
		if (error < 0)
			goto done;
		size = error;
		/* atm_get_addr() may legitimately return 0 bytes, but the
		 * common tail below treats size == 0 as "don't write the
		 * length", so write it back here unconditionally. */
		error = put_user(size, sioc_len) ? -EFAULT : 0;
		goto done;
	case ATM_SETLOOP:
		/* buf carries the loopback mode value; reject a local
		 * loop position beyond the remote one. */
		if (__ATM_LM_XTRMT((int) (unsigned long) buf) &&
		    __ATM_LM_XTLOC((int) (unsigned long) buf) >
		    __ATM_LM_XTRMT((int) (unsigned long) buf)) {
			error = -EINVAL;
			goto done;
		}
		fallthrough;
	case ATM_SETCIRANGE:
	case SONET_GETSTATZ:
	case SONET_SETDIAG:
	case SONET_CLRDIAG:
	case SONET_SETFRAMING:
		/* Privileged driver commands: gate, then pass through. */
		if (!capable(CAP_NET_ADMIN)) {
			error = -EPERM;
			goto done;
		}
		fallthrough;
	default:
		if (IS_ENABLED(CONFIG_COMPAT) && compat) {
#ifdef CONFIG_COMPAT
			if (!dev->ops->compat_ioctl) {
				error = -EINVAL;
				goto done;
			}
			size = dev->ops->compat_ioctl(dev, cmd, buf);
#endif
		} else {
			if (!dev->ops->ioctl) {
				error = -EINVAL;
				goto done;
			}
			size = dev->ops->ioctl(dev, cmd, buf);
		}
		/* Drivers report unknown commands as -ENOIOCTLCMD;
		 * userspace expects -ENOTTY for that. */
		if (size < 0) {
			error = (size == -ENOIOCTLCMD ? -ENOTTY : size);
			goto done;
		}
	}

	/* Common tail: report the produced length, if any. */
	if (size)
		error = put_user(size, sioc_len) ? -EFAULT : 0;
	else
		error = 0;
done:
	atm_dev_put(dev);
	return error;
}

#ifdef CONFIG_PROC_FS
/*
 * seq_file start callback for the device list: take atm_dev_mutex (held
 * until atm_dev_seq_stop()) and position the iterator on atm_devs.
 * seq_list_start_head() yields the list head itself before the first
 * entry, which the show callback presumably uses for a header line.
 */
void *atm_dev_seq_start(struct seq_file *seq, loff_t *pos)
{
	void *first;

	mutex_lock(&atm_dev_mutex);
	first = seq_list_start_head(&atm_devs, *pos);

	return first;
}

/*
 * seq_file stop callback: release the mutex taken in atm_dev_seq_start().
 * @seq and @v are unused; the signature is fixed by struct seq_operations.
 */
void atm_dev_seq_stop(struct seq_file *seq, void *v)
{
	mutex_unlock(&atm_dev_mutex);
}

/*
 * seq_file next callback: advance to the following entry of atm_devs
 * (NULL at the end).  atm_dev_mutex is still held from
 * atm_dev_seq_start(), so the list cannot change underneath us.
 */
void *atm_dev_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
	return seq_list_next(v, &atm_devs, pos);
}

#endif