CVE-2022-49892

Source
https://cve.org/CVERecord?id=CVE-2022-49892
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49892.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49892
Downstream
Related
Published
2025-05-01T14:10:35.815Z
Modified
2026-03-12T03:25:57.225423Z
Summary
ftrace: Fix use-after-free for dynamic ftrace_ops
Details

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix use-after-free for dynamic ftrace_ops

KASAN reported a use-after-free with ftrace ops [1]. It was found from vmcore that perf had registered two ops with the same content successively, both dynamic. After unregistering the second ops, a use-after-free occurred.

In ftrace_shutdown(), when the second ops is unregistered, the FTRACE_UPDATE_CALLS command is not set because there is another enabled ops with the same content. Also, both ops are dynamic and the ftrace callback function is ftrace_ops_list_func, so the FTRACE_UPDATE_TRACE_FUNC command will not be set. Eventually the value of 'command' will be 0 and ftrace_shutdown() will skip the rcu synchronization.

However, ftrace may be activated. When the ops is released, another CPU may be accessing the ops. Add the missing synchronization to fix this problem.

[1]
BUG: KASAN: use-after-free in __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
BUG: KASAN: use-after-free in ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
Read of size 8 at addr ffff56551965bbc8 by task syz-executor.2/14468

CPU: 1 PID: 14468 Comm: syz-executor.2 Not tainted 5.10.0 #7
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x40c arch/arm64/kernel/stacktrace.c:132
 show_stack+0x30/0x40 arch/arm64/kernel/stacktrace.c:196
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b4/0x248 lib/dump_stack.c:118
 print_address_description.constprop.0+0x28/0x48c mm/kasan/report.c:387
 __kasan_report mm/kasan/report.c:547 [inline]
 kasan_report+0x118/0x210 mm/kasan/report.c:564
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 __asan_load8+0x98/0xc0 mm/kasan/generic.c:253
 __ftrace_ops_list_func kernel/trace/ftrace.c:7020 [inline]
 ftrace_ops_list_func+0x2b0/0x31c kernel/trace/ftrace.c:7049
 ftrace_graph_call+0x0/0x4
 __might_sleep+0x8/0x100 include/linux/perf_event.h:1170
 __might_fault mm/memory.c:5183 [inline]
 __might_fault+0x58/0x70 mm/memory.c:5171
 do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
 strncpy_from_user+0x1f4/0x4b0 lib/strncpy_from_user.c:139
 getname_flags+0xb0/0x31c fs/namei.c:149
 getname+0x2c/0x40 fs/namei.c:209
 [...]

Allocated by task 14445:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:479 [inline]
 __kasan_kmalloc.constprop.0+0x110/0x13c mm/kasan/common.c:449
 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:493
 kmem_cache_alloc_trace+0x440/0x924 mm/slub.c:2950
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:675 [inline]
 perf_event_alloc.part.0+0xb4/0x1350 kernel/events/core.c:11230
 perf_event_alloc kernel/events/core.c:11733 [inline]
 __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
 __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
 __arm64_sys_perf_event_open+0x6c/0x80 kernel/events/core.c:11723
 [...]

Freed by task 14445:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:48
 kasan_set_track+0x24/0x34 mm/kasan/common.c:56
 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:358
 __kasan_slab_free.part.0+0x11c/0x1b0 mm/kasan/common.c:437
 __kasan_slab_free mm/kasan/common.c:445 [inline]
 kasan_slab_free+0x2c/0x40 mm/kasan/common.c:446
 slab_free_hook mm/slub.c:1569 [inline]
 slab_free_freelist_hook mm/slub.c:1608 [inline]
 slab_free mm/slub.c:3179 [inline]
 kfree+0x12c/0xc10 mm/slub.c:4176
 perf_event_alloc.part.0+0xa0c/0x1350 kernel/events/core.c:11434
 perf_event_alloc kernel/events/core.c:11733 [inline]
 __do_sys_perf_event_open kernel/events/core.c:11831 [inline]
 __se_sys_perf_event_open+0x550/0x15f4 kernel/events/core.c:11723
 [...]
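The shutdown decision the report describes, as an added userspace model (this is example code, not the kernel's ftrace.c and not the fix itself). It assumes a simplified ops list, a one-field stand-in for the filter hash ("content"), a single remote-CPU reader, and a synchronize_rcu() stand-in that ends that reader's critical section; the names ftrace_shutdown_model, shutdown_command, callback_for and the two scenario functions are hypothetical. The point it shows is the one from the text: with two dynamic ops of identical content, 'command' is 0 for the second unregister, so the unfixed path frees the ops without a grace period while another CPU may still be inside the list walk, whereas the fixed path waits for a grace period for any dynamic ops regardless of 'command'.

```c
/* Added userspace model of the ftrace_shutdown() decision in CVE-2022-49892.
 * Not kernel code: list, 'command' derivation, grace period and remote
 * reader are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Names mirror the kernel's flags/commands; the bit values are arbitrary. */
#define FTRACE_OPS_FL_DYNAMIC    (1u << 0)
#define FTRACE_UPDATE_CALLS      (1u << 0)
#define FTRACE_UPDATE_TRACE_FUNC (1u << 1)

enum callback { CB_STUB, CB_LIST_FUNC };  /* ftrace_stub vs ftrace_ops_list_func */

struct ftrace_ops {
    unsigned flags;
    int hash_id;                /* stand-in for the filter hash ("content") */
};

struct model {
    struct ftrace_ops *ops[4];  /* registered ops */
    int nr;
    bool ftrace_enabled;
    struct ftrace_ops *reader;  /* ops another CPU is dereferencing in the list walk */
    int grace_periods;          /* synchronize_rcu() calls performed */
};

/* Dynamic ops are reached through ftrace_ops_list_func; no ops means the stub. */
static enum callback callback_for(int nr_registered)
{
    return nr_registered ? CB_LIST_FUNC : CB_STUB;
}

/* Grace-period model: the other CPU has left its read-side section on return. */
static void synchronize_rcu_model(struct model *m)
{
    m->reader = NULL;
    m->grace_periods++;
}

static void register_ops(struct model *m, struct ftrace_ops *ops)
{
    m->ops[m->nr++] = ops;
}

/* 'command' as the report describes it: FTRACE_UPDATE_CALLS only if no other
 * enabled ops has the same content, FTRACE_UPDATE_TRACE_FUNC only if the
 * callback changes.  Evaluated before the ops is unlinked. */
static unsigned shutdown_command(const struct model *m, const struct ftrace_ops *ops)
{
    unsigned command = 0;
    bool other_same_content = false;
    for (int i = 0; i < m->nr; i++)
        if (m->ops[i] != ops && m->ops[i]->hash_id == ops->hash_id)
            other_same_content = true;
    if (!other_same_content)
        command |= FTRACE_UPDATE_CALLS;
    if (callback_for(m->nr) != callback_for(m->nr - 1))
        command |= FTRACE_UPDATE_TRACE_FUNC;
    return command;
}

static void unlink_ops(struct model *m, struct ftrace_ops *ops)
{
    int j = 0;
    for (int i = 0; i < m->nr; i++)
        if (m->ops[i] != ops)
            m->ops[j++] = m->ops[i];
    m->nr = j;
}

/* Returns true if the ops is freed while the other CPU still holds it (the
 * use-after-free KASAN reported).  'fixed' selects the post-fix behaviour:
 * a dynamic ops always waits for a grace period before being freed. */
static bool ftrace_shutdown_model(struct model *m, struct ftrace_ops *ops, bool fixed)
{
    unsigned command = shutdown_command(m, ops);
    bool dynamic = ops->flags & FTRACE_OPS_FL_DYNAMIC;
    unlink_ops(m, ops);

    if (command && m->ftrace_enabled) {
        synchronize_rcu_model(m);      /* path that always synchronised */
    } else {
        if (!dynamic)
            return false;              /* static ops: nothing is freed here */
        if (fixed)
            synchronize_rcu_model(m);  /* the missing synchronisation */
        /* unfixed: command == 0, falls straight through to the free */
    }
    return m->reader == ops;           /* freed while still in use? */
}

/* Report scenario: two dynamic ops with identical content; the second is
 * unregistered while another CPU is inside ftrace_ops_list_func() on it. */
static bool scenario_two_same_ops(bool fixed, int *grace_periods)
{
    struct ftrace_ops a = { .flags = FTRACE_OPS_FL_DYNAMIC, .hash_id = 42 };
    struct ftrace_ops b = { .flags = FTRACE_OPS_FL_DYNAMIC, .hash_id = 42 };
    struct model m = { .ftrace_enabled = true };
    register_ops(&m, &a);
    register_ops(&m, &b);
    m.reader = &b;
    bool uaf = ftrace_shutdown_model(&m, &b, fixed);
    if (grace_periods)
        *grace_periods = m.grace_periods;
    return uaf;
}

/* Control: unregistering the only ops switches the callback to the stub, so
 * 'command' is non-zero and even the unfixed path synchronises. */
static bool scenario_last_ops(bool fixed)
{
    struct ftrace_ops a = { .flags = FTRACE_OPS_FL_DYNAMIC, .hash_id = 42 };
    struct model m = { .ftrace_enabled = true };
    register_ops(&m, &a);
    m.reader = &a;
    return ftrace_shutdown_model(&m, &a, fixed);
}

int main(void)
{
    printf("two same ops, unfixed: uaf=%d\n", scenario_two_same_ops(false, NULL));
    printf("two same ops, fixed:   uaf=%d\n", scenario_two_same_ops(true, NULL));
    printf("last ops, unfixed:     uaf=%d\n", scenario_last_ops(false));
    return 0;
}
```

The control case matters for triage: unregistering the last ops (or any ops whose removal changes the call sites) never hit the bug, because a non-zero 'command' already forced the grace period. The window is specifically an unregister that changes nothing observable at the call sites, which is why two identical perf ops triggered it.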

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49892.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
edb096e00724f02db5f6ec7900f3bbd465c6c76f
Fixed
ea5f2fd4640ecbb9df969bf8bb27733ae2183169
Fixed
88561a66777e7a2fe06638c6dcb22a9fae0b6733
Fixed
cc1b9961a0ceb70f6ca4e2f4b8bb71c87c7a495c
Fixed
0e792b89e6800cd9cb4757a76a96f7ef3e8b6294
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a60e407b961e818541ff7924afa8e51fbdb21a61
Last affected
ed1bf4397d2219d4b9ec2d5517416ba102186650
Last affected
100553e197e2c41eccf9fa04b2be9cd11ae21215
Last affected
30d3c1c9c9dd31b3c3a5aa0f4f40f1e321c6c791

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49892.json"