运行tun设备时出现重复释放tun->security资源问题

【标题描述】能够简要描述问题：说明什么场景下，做了什么操作，出现什么问题（尽量使用正向表达方式）
运行tun设备时出现重复释放tun->security资源问题
【环境信息】
硬件信息：
1）	裸机场景提供出问题的硬件信息；
2）	虚机场景提供虚机XML文件或者配置信息
![输入图片说明](https://images.gitee.com/uploads/images/2022/0803/164132_036e339a_8289294.png "屏幕截图.png")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0803/164203_e6732787_8289294.png "屏幕截图.png")
软件信息：
1）	OS版本及分支
[root@localhost home]# cat /etc/*release
openEuler release 22.03 LTS
NAME="openEuler"
VERSION="22.03 LTS"
ID="openEuler"
VERSION_ID="22.03"
PRETTY_NAME="openEuler 22.03 LTS"
ANSI_COLOR="0;31"

openEuler release 22.03 LTS

2）	内核信息
5.10.0-16621-g6056e728ac19
3）	发现问题的组件版本信息
如果有特殊组网，请提供网络拓扑图
tun虚拟网络设备
【问题复现步骤】
// https://syzkaller.appspot.com/bug?id=ddb673727990990c6ded3e7cc220e39abfc244ab
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
            (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    strncpy(buf, (char*)a0, sizeof(buf));
    buf[sizeof(buf) - 1] = 0;
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

static void test();

void loop()
{
 // while (1) {
    test();
 // }
}

long r[25];
void test()
{
  memset(r, -1, sizeof(r));
  r[0] = syscall(__NR_mmap, 0x20000000ul, 0xfff000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  memcpy((void*)0x20b90000,
         "\x2f\x64\x65\x76\x2f\x6e\x65\x74\x2f\x74\x75\x6e\x00", 13);
  r[2] = syz_open_dev(0x20b90000ul, 0x0ul, 0x8100ul);
  *(uint32_t*)0x202d1000 = (uint32_t)0xb;
  r[4] = syscall(__NR_ioctl, r[2], 0x400454daul, 0x202d1000ul);
  memcpy((void*)0x20533000, "\x02\xf5\x00\x00\x00\x00\x00\x00\x00\x00"
                            "\x00\x02\x00\xe9\xbc\x22",
         16);
  *(uint32_t*)0x20533010 = (uint32_t)0x10001;
  *(uint32_t*)0x20533014 = (uint32_t)0x0;
  *(uint64_t*)0x20533018 = (uint64_t)0x20012fe8;
  *(uint32_t*)0x20012fe8 = (uint32_t)0x0;
  *(uint32_t*)0x20012fec = (uint32_t)0x0;
  *(uint32_t*)0x20012ff0 = (uint32_t)0x0;
  *(uint32_t*)0x20012ff4 = (uint32_t)0x0;
  *(uint32_t*)0x20012ff8 = (uint32_t)0x0;
  *(uint16_t*)0x20012ffc = (uint16_t)0x0;
  *(uint16_t*)0x20012ffe = (uint16_t)0x0;
  r[16] = syscall(__NR_ioctl, r[2], 0x400454caul, 0x20533000ul);
  r[17] = syscall(__NR_socket, 0x11ul, 0x80803ul, 0x80000001ul);
  r[18] = syscall(__NR_dup3, r[17], r[2], 0x80000ul);
  r[19] = syscall(__NR_socket, 0x2ul, 0x6ul, 0x0ul);
  *(uint64_t*)0x20fdf000 = (uint64_t)0x2;
  *(uint64_t*)0x20fdf008 = (uint64_t)0x20e9a000;
  *(uint64_t*)0x20fdf010 = (uint64_t)0x1000003a8d;
  memcpy((void*)0x20e9a000, "\x25\x64\x66\x43\x27\x84\x5a\x4b\xc7\xec"
                            "\x9a\xfd\x1b\xbf\xe0\x3c",
         16);
  r[24] = syscall(__NR_ioctl, r[19], 0x8940ul, 0x20fdf000ul);
}

int main()
{
  loop();
  return 0;
}
具体操作步骤
出现概率(是否必现，概率性错误)
概率性复现
【预期结果】
描述预期结果，可以通过对比新老版本获取
正常执行程序，tun设备正常
【实际结果】
描述出问题的结果 
出现重复释放tun->security资源问题
【附件信息】
比如系统message日志/组件日志、dump信息、图片等
Aug  3 15:20:20 localhost kernel: [  214.123375] ==================================================================
Aug  3 15:20:20 localhost kernel: [  214.127277] BUG: KASAN: double-free or invalid-free in security_tun_dev_free_security+0x35/0x50
Aug  3 15:20:20 localhost kernel: [  214.135354]
Aug  3 15:20:20 localhost kernel: [  214.135354] CPU: 31 PID: 8920 Comm: repo Kdump: loaded Tainted: G    B             5.10.0-16619-gd63ffd36ed04-dirty #1
Aug  3 15:20:20 localhost kernel: [  214.135354] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Aug  3 15:20:20 localhost kernel: [  214.135354] Call Trace:
Aug  3 15:20:20 localhost kernel: [  214.135354]  dump_stack+0xbe/0xf9
Aug  3 15:20:20 localhost kernel: [  214.135354]  print_address_description.constprop.0+0x19/0x130
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? security_tun_dev_free_security+0x35/0x50
Aug  3 15:20:20 localhost kernel: [  214.135354]  kasan_report_invalid_free+0x51/0x80
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? security_tun_dev_free_security+0x35/0x50
Aug  3 15:20:20 localhost kernel: [  214.135354]  __kasan_slab_free+0x13f/0x150
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? security_tun_dev_free_security+0x35/0x50
Aug  3 15:20:20 localhost kernel: [  214.135354]  kfree+0xa1/0x5e0
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? tun_flow_flush+0x169/0x1f0
Aug  3 15:20:20 localhost kernel: [  214.135354]  security_tun_dev_free_security+0x35/0x50
Aug  3 15:20:20 localhost kernel: [  214.135354]  tun_free_netdev+0xa6/0x170
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? tun_flow_flush+0x1f0/0x1f0
Aug  3 15:20:20 localhost kernel: [  214.135354]  netdev_run_todo+0x3d6/0x720
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? generic_xdp_install+0x260/0x260
Aug  3 15:20:20 localhost kernel: [  214.135354]  __tun_chr_ioctl.constprop.0+0xb11/0x1780
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? tun_set_iff.constprop.0+0xe90/0xe90
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? do_vfs_ioctl+0xf3/0x840
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? ioctl_file_clone+0x140/0x140
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? up_read+0x6b/0x160
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? selinux_file_ioctl+0x98/0x1c0
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? __tun_chr_ioctl.constprop.0+0x1780/0x1780
Aug  3 15:20:20 localhost kernel: [  214.135354]  __x64_sys_ioctl+0x131/0x170
Aug  3 15:20:20 localhost kernel: [  214.135354]  do_syscall_64+0x33/0x40
Aug  3 15:20:20 localhost kernel: [  214.135354]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Aug  3 15:20:20 localhost kernel: [  214.135354] RIP: 0033:0x7fe425cd2a3d
Aug  3 15:20:20 localhost kernel: [  214.135354] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48
Aug  3 15:20:20 localhost kernel: [  214.135354] RSP: 002b:00007ffc87a903e8 EFLAGS: 00000287 ORIG_RAX: 0000000000000010
Aug  3 15:20:20 localhost kernel: [  214.135354] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe425cd2a3d
Aug  3 15:20:20 localhost kernel: [  214.135354] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000003
Aug  3 15:20:20 localhost kernel: [  214.135354] RBP: 00007ffc87a903f0 R08: 00007ffc87a90400 R09: 00007ffc87a90400
Aug  3 15:20:20 localhost kernel: [  214.135354] R10: 0000ffff00000000 R11: 0000000000000287 R12: 00007ffc87a90548
Aug  3 15:20:20 localhost kernel: [  214.135354] R13: 0000000000400bd3 R14: 00007fe425e10aa0 R15: 0000000000600e08
Aug  3 15:20:20 localhost kernel: [  214.135354]
Aug  3 15:20:20 localhost kernel: [  214.143285] Allocated by task 8920:
Aug  3 15:20:20 localhost kernel: [  214.147220]  kasan_save_stack+0x1b/0x40
Aug  3 15:20:20 localhost kernel: [  214.147220]  __kasan_kmalloc.constprop.0+0xc2/0xd0
Aug  3 15:20:20 localhost kernel: [  214.147220]  selinux_tun_dev_alloc_security+0x35/0xc0
Aug  3 15:20:20 localhost kernel: [  214.151123]  security_tun_dev_alloc_security+0x37/0x70
Aug  3 15:20:20 localhost kernel: [  214.151123]  tun_set_iff.constprop.0+0x933/0xe90
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? do_vfs_ioctl+0xf3/0x840
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? ioctl_file_clone+0x140/0x140
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? up_read+0x6b/0x160
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? selinux_file_ioctl+0x98/0x1c0
Aug  3 15:20:20 localhost kernel: [  214.135354]  ? __tun_chr_ioctl.constprop.0+0x1780/0x1780
Aug  3 15:20:20 localhost kernel: [  214.135354]  __x64_sys_ioctl+0x131/0x170
Aug  3 15:20:20 localhost kernel: [  214.135354]  do_syscall_64+0x33/0x40
Aug  3 15:20:20 localhost kernel: [  214.135354]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Aug  3 15:20:20 localhost kernel: [  214.135354] RIP: 0033:0x7fe425cd2a3d
Aug  3 15:20:20 localhost kernel: [  214.135354] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48
Aug  3 15:20:20 localhost kernel: [  214.135354] RSP: 002b:00007ffc87a903e8 EFLAGS: 00000287 ORIG_RAX: 0000000000000010
Aug  3 15:20:20 localhost kernel: [  214.135354] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe425cd2a3d
Aug  3 15:20:20 localhost kernel: [  214.135354] RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000003
Aug  3 15:20:20 localhost kernel: [  214.135354] RBP: 00007ffc87a903f0 R08: 00007ffc87a90400 R09: 00007ffc87a90400
Aug  3 15:20:20 localhost kernel: [  214.135354] R10: 0000ffff00000000 R11: 0000000000000287 R12: 00007ffc87a90548
Aug  3 15:20:20 localhost kernel: [  214.135354] R13: 0000000000400bd3 R14: 00007fe425e10aa0 R15: 0000000000600e08
Aug  3 15:20:20 localhost kernel: [  214.135354]
Aug  3 15:20:20 localhost kernel: [  214.143285] Allocated by task 8920:
Aug  3 15:20:20 localhost kernel: [  214.147220]  kasan_save_stack+0x1b/0x40
Aug  3 15:20:20 localhost kernel: [  214.147220]  __kasan_kmalloc.constprop.0+0xc2/0xd0
Aug  3 15:20:20 localhost kernel: [  214.147220]  selinux_tun_dev_alloc_security+0x35/0xc0
Aug  3 15:20:20 localhost kernel: [  214.151123]  security_tun_dev_alloc_security+0x37/0x70
Aug  3 15:20:20 localhost kernel: [  214.151123]  tun_set_iff.constprop.0+0x933/0xe90
Aug  3 15:20:20 localhost kernel: [  214.151123]  __tun_chr_ioctl.constprop.0+0xac3/0x1780
Aug  3 15:20:20 localhost kernel: [  214.151123]  __x64_sys_ioctl+0x131/0x170
Aug  3 15:20:20 localhost kernel: [  214.151123]  do_syscall_64+0x33/0x40
Aug  3 15:20:20 localhost kernel: [  214.151123]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Aug  3 15:20:20 localhost kernel: [  214.151123]
Aug  3 15:20:20 localhost kernel: [  214.151816] Freed by task 8920:
Aug  3 15:20:20 localhost kernel: [  214.160327]  kasan_save_stack+0x1b/0x40
Aug  3 15:20:20 localhost kernel: [  214.160327]  kasan_set_track+0x1c/0x30
Aug  3 15:20:20 localhost kernel: [  214.160327]  kasan_set_free_info+0x1b/0x30
Aug  3 15:20:20 localhost kernel: [  214.160327]  __kasan_slab_free+0x110/0x150
Aug  3 15:20:20 localhost kernel: [  214.160327]  kfree+0xa1/0x5e0
Aug  3 15:20:20 localhost kernel: [  214.160327]  security_tun_dev_free_security+0x35/0x50
Aug  3 15:20:20 localhost kernel: [  214.160327]  tun_set_iff.constprop.0+0xd13/0xe90
Aug  3 15:20:20 localhost kernel: [  214.160327]  __tun_chr_ioctl.constprop.0+0xac3/0x1780
Aug  3 15:20:20 localhost kernel: [  214.160454]  __x64_sys_ioctl+0x131/0x170
Aug  3 15:20:20 localhost kernel: [  214.160454]  do_syscall_64+0x33/0x40
Aug  3 15:20:20 localhost kernel: [  214.160454]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Aug  3 15:20:20 localhost kernel: [  214.160454]
Aug  3 15:20:20 localhost kernel: [  214.160930] The buggy address belongs to the object at ffff888105086058#012 which belongs to the cache kmalloc-8 of size 8
Aug  3 15:20:20 localhost kernel: [  214.172081] The buggy address is located 0 bytes inside of#012 8-byte region [ffff888105086058, ffff888105086060)
Aug  3 15:20:20 localhost kernel: [  214.183322] The buggy address belongs to the page:
Aug  3 15:20:20 localhost kernel: [  214.189356] page:ffffea0004142100 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888105086928 pfn:0x105084
Aug  3 15:20:20 localhost kernel: [  214.189425] head:ffffea0004142100 order:2 compound_mapcount:0 compound_pincount:0
Aug  3 15:20:20 localhost kernel: [  214.189425] flags: 0x17ffe0000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff)
Aug  3 15:20:20 localhost kernel: [  214.189425] raw: 017ffe0000010200 ffffea0004141a08 ffff888100040450 ffff888100050900
Aug  3 15:20:20 localhost kernel: [  214.189425] raw: ffff888105086928 00000000002b001c 00000001ffffffff 0000000000000000
Aug  3 15:20:20 localhost kernel: [  214.189425] page dumped because: kasan: bad access detected
Aug  3 15:20:20 localhost kernel: [  214.189425]
Aug  3 15:20:20 localhost kernel: [  214.191290] Memory state around the buggy address:
Aug  3 15:20:20 localhost kernel: [  214.199143]  ffff888105085f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Aug  3 15:20:20 localhost kernel: [  214.199282]  ffff888105085f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Aug  3 15:20:20 localhost kernel: [  214.207254] >ffff888105086000: fc fc fc fc fc fc fc fc fc fc fc fa fc fc fc fc
Aug  3 15:20:20 localhost kernel: [  214.207254]                                                     ^
Aug  3 15:20:20 localhost kernel: [  214.215256]  ffff888105086080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Aug  3 15:20:20 localhost kernel: [  214.223257]  ffff888105086100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Aug  3 15:20:20 localhost kernel: [  214.223257] ==================================================================

tun_chr_ioctl接口中存在重复释放tun->security的场景，在tun_set_iff接口中，输入的ifname不存在，需要注册网络设备，注册网络设备失败，将需要释放的设备加到todo_List中，tun_set_iff会释放一次tun->security，tun_chr_ioctl接口中还会再释放一次tun_chr_ioctl，导致出现重复释放tun_chr_ioctl的问题。

openeular2203会涉及，openeular2003不涉及

src-openEuler/kernel

内容风险标识

评论 (3)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识