Duoming Zhou 2568a7e083 mISDN: fix use-after-free bugs in l1oip timer handlers
The l1oip_cleanup() traverses the l1oip_ilist and calls
release_card() to cleanup module and stack. However,
release_card() calls del_timer() to delete the timers
such as keep_tl and timeout_tl. If the timer handler is
running, the del_timer() will not stop it and result in
UAF bugs. One of the processes is shown below:

    (cleanup routine)          |        (timer handler)
release_card()                 | l1oip_timeout()
 ...                           |
 del_timer()                   | ...
 ...                           |
 kfree(hc) //FREE              |
                               | hc->timeout_on = 0 //USE

Fix by calling del_timer_sync() in release_card(), which
makes sure the timer handlers have finished before the
resources, such as l1oip and so on, have been deallocated.

What's more, the hc->workq and hc->socket_thread can kick
those timers right back in. We add a bool flag to show
if card is released. Then, check this flag in hc->workq
and hc->socket_thread.

Fixes: 3712b42d4b1b ("Add layer1 over IP support")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-09-30 12:32:42 +01:00

93 lines
2.6 KiB
C

/* SPDX-License-Identifier: GPL-2.0 */
/*
* see notice in l1oip.c
*/
/* debugging */
#define DEBUG_L1OIP_INIT 0x00010000
#define DEBUG_L1OIP_SOCKET 0x00020000
#define DEBUG_L1OIP_MGR 0x00040000
#define DEBUG_L1OIP_MSG 0x00080000
/* enable to disorder received bchannels by sequence 2143658798... */
/*
#define REORDER_DEBUG
*/
/* frames */
#define L1OIP_MAX_LEN 2048 /* max packet size form l2 */
#define L1OIP_MAX_PERFRAME 1400 /* max data size in one frame */
/* timers */
#define L1OIP_KEEPALIVE 15
#define L1OIP_TIMEOUT 65
/* socket */
#define L1OIP_DEFAULTPORT 931
/* channel structure */
struct l1oip_chan {
struct dchannel *dch;
struct bchannel *bch;
u32 tx_counter; /* counts xmit bytes/packets */
u32 rx_counter; /* counts recv bytes/packets */
u32 codecstate; /* used by codec to save data */
#ifdef REORDER_DEBUG
int disorder_flag;
struct sk_buff *disorder_skb;
u32 disorder_cnt;
#endif
};
/* card structure */
struct l1oip {
struct list_head list;
/* card */
int registered; /* if registered with mISDN */
char name[MISDN_MAX_IDLEN];
int idx; /* card index */
int pri; /* 1=pri, 0=bri */
int d_idx; /* current dchannel number */
int b_num; /* number of bchannels */
u32 id; /* id of connection */
int ondemand; /* if transmis. is on demand */
int bundle; /* bundle channels in one frm */
int codec; /* codec to use for transmis. */
int limit; /* limit number of bchannels */
bool shutdown; /* if card is released */
/* timer */
struct timer_list keep_tl;
struct timer_list timeout_tl;
int timeout_on;
struct work_struct workq;
/* socket */
struct socket *socket; /* if set, socket is created */
struct completion socket_complete;/* completion of sock thread */
struct task_struct *socket_thread;
spinlock_t socket_lock; /* access sock outside thread */
u32 remoteip; /* if all set, ip is assigned */
u16 localport; /* must always be set */
u16 remoteport; /* must always be set */
struct sockaddr_in sin_local; /* local socket name */
struct sockaddr_in sin_remote; /* remote socket name */
struct msghdr sendmsg; /* ip message to send */
struct kvec sendiov; /* iov for message */
/* frame */
struct l1oip_chan chan[128]; /* channel instances */
};
extern int l1oip_law_to_4bit(u8 *data, int len, u8 *result, u32 *state);
extern int l1oip_4bit_to_law(u8 *data, int len, u8 *result);
extern int l1oip_alaw_to_ulaw(u8 *data, int len, u8 *result);
extern int l1oip_ulaw_to_alaw(u8 *data, int len, u8 *result);
extern void l1oip_4bit_free(void);
extern int l1oip_4bit_alloc(int ulaw);