CVE-2021-47299

Source
https://cve.org/CVERecord?id=CVE-2021-47299
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47299.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47299
Published
2024-05-21T15:15:17.743Z
Modified
2026-03-14T11:19:05.059892Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

xdp, net: Fix use-after-free in bpf_xdp_link_release

The problem occurs between dev_get_by_index() and dev_xdp_attach_link(). At this point, dev_xdp_uninstall() is called, so the xdp link will not be detached automatically when dev is released. But link->dev already points to dev, so when the xdp link is released, dev will still be accessed, although dev has already been released.

    dev_get_by_index()        |
    link->dev = dev           |
                              |      rtnl_lock()
                              |      unregister_netdevice_many()
                              |          dev_xdp_uninstall()
                              |      rtnl_unlock()
    rtnl_lock();              |
    dev_xdp_attach_link()     |
    rtnl_unlock();            |
                              |      netdev_run_todo() // dev released
    bpf_xdp_link_release()    |
        /* access dev.        |
           use-after-free */  |

[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0
[ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732
[ 45.968297]
[ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22
[ 45.969222] Hardware name: linux,dummy-virt (DT)
[ 45.969795] Call trace:
[ 45.970106]  dump_backtrace+0x0/0x4c8
[ 45.970564]  show_stack+0x30/0x40
[ 45.970981]  dump_stack_lvl+0x120/0x18c
[ 45.971470]  print_address_description.constprop.0+0x74/0x30c
[ 45.972182]  kasan_report+0x1e8/0x200
[ 45.972659]  __asan_report_load8_noabort+0x2c/0x50
[ 45.973273]  bpf_xdp_link_release+0x3b8/0x3d0
[ 45.973834]  bpf_link_free+0xd0/0x188
[ 45.974315]  bpf_link_put+0x1d0/0x218
[ 45.974790]  bpf_link_release+0x3c/0x58
[ 45.975291]  __fput+0x20c/0x7e8
[ 45.975706]  ____fput+0x24/0x30
[ 45.976117]  task_work_run+0x104/0x258
[ 45.976609]  do_notify_resume+0x894/0xaf8
[ 45.977121]  work_pending+0xc/0x328
[ 45.977575]
[ 45.977775] The buggy address belongs to the page:
[ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998
[ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|last_cpupid=0x3ffff)
[ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000
[ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 45.982259] page dumped because: kasan: bad access detected
[ 45.982948]
[ 45.983153] Memory state around the buggy address:
[ 45.983753]  ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.984645]  ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.986419]                                               ^
[ 45.987112]  ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.988006]  ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.988895] ==================================================================
[ 45.989773] Disabling lock debugging due to kernel taint
[ 45.990552] Kernel panic - not syncing: panic_on_warn set ...
[ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G    B             5.13.0+ #22
[ 45.991929] Hardware name: linux,dummy-virt (DT)
[ 45.992448] Call trace:
[ 45.992753]  dump_backtrace+0x0/0x4c8
[ 45.993208]  show_stack+0x30/0x40
[ 45.993627]  dump_stack_lvl+0x120/0x18c
[ 45.994113]  dump_stack+0x1c/0x34
[ 45.994530]  panic+0x3a4/0x7d8
[ 45.994930]  end_report+0x194/0x198
[ 45.995380]  kasan_report+0x134/0x200
[ 45.995850]  __asan_report_load8_noabort+0x2c/0x50
[ 45.996453]  bpf_xdp_link_release+0x3b8/0x3d0
[ 45.997007]  bpf_link_free+0xd0/0x188
[ 45.997474]  bpf_link_put+0x1d0/0x218
[ 45.997942]  bpf_link_release+0x3c/0x58
[ 45.998429]  __fput+0x20c/0x7e8
[ 45.998833]  ____fput+0x24/0x30
[ 45.999247]  task_work_run+0x104/0x258
[ 45.999731]  do_notify_resume+0x894/0xaf8
[ 46.000236]  work_pending
---truncated---

Affected packages

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47299.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "5.9"
            },
            {
                "fixed": "5.10.54"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "5.11"
            },
            {
                "fixed": "5.13.6"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.14-rc1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.14-rc2"
            }
        ]
    }
]