mac802154: fix llsec key resources release in mac802154_llsec_key_del

JIRA: https://issues.redhat.com/browse/RHEL-34969
CVE: CVE-2024-26961
Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=61635436
Tested: Did sanity module load/unload testing Intel (intel-arrowlake-s-02) system.

commit e8a1e58345cf40b7b272e08ac7b32328b2543e40
Author: Fedor Pchelkin pchelkin@ispras.ru
Date: Wed Feb 28 19:38:39 2024 +0300

mac802154: fix llsec key resources release in mac802154_llsec_key_del  

mac802154_llsec_key_del() can free resources of a key directly without  
following the RCU rules for waiting before the end of a grace period. This  
may lead to use-after-free in case llsec_lookup_key() is traversing the  
list of keys in parallel with a key deletion:  

refcount_t: addition on 0; use-after-free.  
WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0  
Modules linked in:  
CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014  
RIP: 0010:refcount_warn_saturate+0x162/0x2a0  
Call Trace:  
 <TASK>  
 llsec_lookup_key.isra.0+0x890/0x9e0  
 mac802154_llsec_encrypt+0x30c/0x9c0  
 ieee802154_subif_start_xmit+0x24/0x1e0  
 dev_hard_start_xmit+0x13e/0x690  
 sch_direct_xmit+0x2ae/0xbc0  
 __dev_queue_xmit+0x11dd/0x3c20  
 dgram_sendmsg+0x90b/0xd60  
 __sys_sendto+0x466/0x4c0  
 __x64_sys_sendto+0xe0/0x1c0  
 do_syscall_64+0x45/0xf0  
 entry_SYSCALL_64_after_hwframe+0x6e/0x76  

Also, ieee802154_llsec_key_entry structures are not freed by  
mac802154_llsec_key_del():  

unreferenced object 0xffff8880613b6980 (size 64):  
  comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s)  
  hex dump (first 32 bytes):  
    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......".......  
    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................  
  backtrace:  
    [<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0  
    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0  
    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0  
    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80  
    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0  
    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0  
    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0  
    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440  
    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40  
    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820  
    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60  
    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0  
    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0  
    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0  
    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0  
    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76  

Handle the proper resource release in the RCU callback function  
mac802154_llsec_key_del_rcu().  

Note that if llsec_lookup_key() finds a key, it gets a refcount via  
llsec_key_get() and locally copies key id from key_entry (which is a  
list element). So it's safe to call llsec_key_put() and free the list  
entry after the RCU grace period elapses.  

Found by Linux Verification Center (linuxtesting.org).  

Fixes: 5d637d5aabd8 ("mac802154: add llsec structures and mutators")  
Cc: stable@vger.kernel.org  
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>  
Acked-by: Alexander Aring <aahringo@redhat.com>  
Message-ID: <20240228163840.6667-1-pchelkin@ispras.ru>  
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>  

Signed-off-by: Steve Best sbest@redhat.com