CVE-2022-49892

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49892
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49892.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49892
Related
Published
2025-05-01T15:16:14Z
Modified
2025-05-07T14:47:35.022153Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix use-after-free for dynamic ftrace_ops

KASAN reported a use-after-free with ftrace ops [1]. It was found from vmcore that perf had registered two ops with the same content successively, both dynamic. After unregistering the second ops, a use-after-free occurred.

In ftrace_shutdown(), when the second ops is unregistered, the FTRACE_UPDATE_CALLS command is not set because there is another enabled ops with the same content. Also, both ops are dynamic and the ftrace callback function is ftrace_ops_list_func, so the FTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value of 'command' will be 0 and ftrace_shutdown() will skip the RCU synchronization.

However, ftrace may still be active, so when the ops is released another CPU may still be accessing it. Add the missing RCU synchronization to fix this problem.

[1] BUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
BUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
Read of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468

CPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132
 show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b4/0x248 lib/dump_stack.c:118
 print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387
 __kasan_report mm/kasan/report.c:547 [inline]
 kasan_report+0x118/0x210 mm/kasan/report.c:564
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 __asan_load8+0x98/0xc0 mm/kasan/generic.c:253
 __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
 ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
 ftrace_graph_call+0x0/0x4
 __might_sleep+0x8/0x100 include/linux/perf_event.h:1170
 __might_fault mm/memory.c:5183 [inline]
 __might_fault+0x58/0x70 mm/memory.c:5171
 do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
 strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139
 getname_flags+0xb0/0x31c fs/namei.c:149
 getname+0x2c/0x40 fs/namei.c:209
 [...]

Allocated by task 14445:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:479 [inline]
 __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449
 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493
 kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:675 [inline]
 perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230
 perf_event_alloc kernel/events/core.c:11733 [inline]
 __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
 __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
 __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723
 [...]

Freed by task 14445:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
 kasan_set_track+0x24/0x34 mm/kasan/common.c:56
 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358
 __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437
 __kasan_slab_free mm/kasan/common.c:445 [inline]
 kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446
 slab_free_hook mm/slub.c:1569 [inline]
 slab_free_freelist_hook mm/slub.c:1608 [inline]
 slab_free mm/slub.c:3179 [inline]
 kfree+0x12c/0xc10 mm/slub.c:4176
 perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434
 perf_event_alloc kernel/events/core.c:11733 [inline]
 __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
 __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
 [...]

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.10.158-1

Affected versions

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.0.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.0.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}