linux/net/batman-adv
Vladislav Efanov abac3ac97f batman-adv: Broken sync while rescheduling delayed work
Syzkaller got a lot of crashes like:
KASAN: use-after-free Write in *_timers*

All of these crashes point to the same memory area:

The buggy address belongs to the object at ffff88801f870000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 5320 bytes inside of
 8192-byte region [ffff88801f870000, ffff88801f872000)

This area belongs to :
        batadv_priv->batadv_priv_dat->delayed_work->timer_list

The reason for these issues is the lack of synchronization. Delayed
work (batadv_dat_purge) schedules new timer/work while the device
is being deleted. As the result new timer/delayed work is set after
cancel_delayed_work_sync() was called. So after the device is freed
the timer list contains pointer to already freed memory.

Found by Linux Verification Center (linuxtesting.org) with syzkaller.

Cc: stable@kernel.org
Fixes: 2f1dfbe185 ("batman-adv: Distributed ARP Table - implement local storage")
Signed-off-by: Vladislav Efanov <VEfanov@ispras.ru>
Acked-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
2023-05-26 23:14:49 +02:00
..
bat_algo.c batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
bat_algo.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
bat_iv_ogm.c batman-adv: Drop prandom.h includes 2023-01-06 08:43:02 +01:00
bat_iv_ogm.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
bat_v_elp.c batman-adv: Drop prandom.h includes 2023-01-06 08:43:02 +01:00
bat_v_elp.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
bat_v_ogm.c batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00
bat_v_ogm.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
bat_v.c batman-adv: Drop NULL check before dropping references 2021-08-08 20:21:40 +02:00
bat_v.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
bitarray.c batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
bitarray.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
bridge_loop_avoidance.c batman-adv: remove unnecessary type castings 2022-04-22 11:23:46 +02:00
bridge_loop_avoidance.h batman-adv: Remove the repeated declaration 2021-05-30 13:38:27 +02:00
distributed-arp-table.c batman-adv: Broken sync while rescheduling delayed work 2023-05-26 23:14:49 +02:00
distributed-arp-table.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
fragmentation.c batman-adv: Don't skb_split skbuffs with frag_list 2022-04-17 23:41:44 +02:00
fragmentation.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
gateway_client.c batman-adv: Migrate to linux/container_of.h 2022-03-02 09:00:13 +01:00
gateway_client.h batman-adv: Check ptr for NULL before reducing its refcnt 2021-08-08 20:21:40 +02:00
gateway_common.c batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00
gateway_common.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
hard-interface.c batman-adv: Fix hang up with small MTU hard-interface 2022-08-20 14:17:45 +02:00
hard-interface.h batman-adv: Check ptr for NULL before reducing its refcnt 2021-08-08 20:21:40 +02:00
hash.c batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
hash.h batman-adv: Fix spelling mistakes 2021-06-02 08:46:03 +02:00
Kconfig This feature/cleanup patchset is an updated version of the pull request 2021-02-08 11:32:40 -08:00
log.c isystem: ship and use stdarg.h 2021-08-19 09:02:55 +09:00
log.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
main.c batman-adv: Migrate to linux/container_of.h 2022-03-02 09:00:13 +01:00
main.h batman-adv: Start new development cycle 2023-01-06 08:42:59 +01:00
Makefile batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
multicast.c batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00
multicast.h batman-adv: mcast: remove now redundant single ucast forwarding 2023-01-21 19:01:59 +01:00
netlink.c genetlink: introduce split op representation 2022-11-07 12:30:16 +00:00
netlink.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
network-coding.c batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00
network-coding.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
originator.c batman-adv: Migrate to linux/container_of.h 2022-03-02 09:00:13 +01:00
originator.h batman-adv: Check ptr for NULL before reducing its refcnt 2021-08-08 20:21:40 +02:00
routing.c batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00
routing.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
send.c batman-adv: Migrate to linux/container_of.h 2022-03-02 09:00:13 +01:00
send.h batman-adv: bcast: queue per interface, if needed 2021-05-17 12:00:44 +02:00
soft-interface.c net: vlan: introduce skb_vlan_eth_hdr() 2023-04-23 14:16:44 +01:00
soft-interface.h batman-adv: Check ptr for NULL before reducing its refcnt 2021-08-08 20:21:40 +02:00
tp_meter.c batman-adv: Migrate to linux/container_of.h 2022-03-02 09:00:13 +01:00
tp_meter.h batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
trace.c batman-adv: Drop publication years from copyright info 2021-02-06 09:22:10 +01:00
trace.h batman-adv: Drop unused headers in trace.h 2022-08-17 12:10:43 +02:00
translation-table.c batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00
translation-table.h batman-adv: Check ptr for NULL before reducing its refcnt 2021-08-08 20:21:40 +02:00
tvlv.c batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00
tvlv.h batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00
types.h batman-adv: tvlv: prepare for tvlv enabled multicast packet type 2023-01-21 19:01:59 +01:00