iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Liu Jian 3f8ef65af9 net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory 
Fixes the below NULL pointer dereference:

  [...]
  [   14.471200] Call Trace:
  [   14.471562]  <TASK>
  [   14.471882]  lock_acquire+0x245/0x2e0
  [   14.472416]  ? remove_wait_queue+0x12/0x50
  [   14.473014]  ? _raw_spin_lock_irqsave+0x17/0x50
  [   14.473681]  _raw_spin_lock_irqsave+0x3d/0x50
  [   14.474318]  ? remove_wait_queue+0x12/0x50
  [   14.474907]  remove_wait_queue+0x12/0x50
  [   14.475480]  sk_stream_wait_memory+0x20d/0x340
  [   14.476127]  ? do_wait_intr_irq+0x80/0x80
  [   14.476704]  do_tcp_sendpages+0x287/0x600
  [   14.477283]  tcp_bpf_push+0xab/0x260
  [   14.477817]  tcp_bpf_sendmsg_redir+0x297/0x500
  [   14.478461]  ? __local_bh_enable_ip+0x77/0xe0
  [   14.479096]  tcp_bpf_send_verdict+0x105/0x470
  [   14.479729]  tcp_bpf_sendmsg+0x318/0x4f0
  [   14.480311]  sock_sendmsg+0x2d/0x40
  [   14.480822]  ____sys_sendmsg+0x1b4/0x1c0
  [   14.481390]  ? copy_msghdr_from_user+0x62/0x80
  [   14.482048]  ___sys_sendmsg+0x78/0xb0
  [   14.482580]  ? vmf_insert_pfn_prot+0x91/0x150
  [   14.483215]  ? __do_fault+0x2a/0x1a0
  [   14.483738]  ? do_fault+0x15e/0x5d0
  [   14.484246]  ? __handle_mm_fault+0x56b/0x1040
  [   14.484874]  ? lock_is_held_type+0xdf/0x130
  [   14.485474]  ? find_held_lock+0x2d/0x90
  [   14.486046]  ? __sys_sendmsg+0x41/0x70
  [   14.486587]  __sys_sendmsg+0x41/0x70
  [   14.487105]  ? intel_pmu_drain_pebs_core+0x350/0x350
  [   14.487822]  do_syscall_64+0x34/0x80
  [   14.488345]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  [...]

The test scenario has the following flow:

thread1                               thread2
-----------                           ---------------
 tcp_bpf_sendmsg
  tcp_bpf_send_verdict
   tcp_bpf_sendmsg_redir              sock_close
    tcp_bpf_push_locked                 __sock_release
     tcp_bpf_push                         //inet_release
      do_tcp_sendpages                    sock->ops->release
       sk_stream_wait_memory          	   // tcp_close
          sk_wait_event                      sk->sk_prot->close
           release_sock(__sk);
            ***
                                                lock_sock(sk);
                                                  __tcp_close
                                                    sock_orphan(sk)
                                                      sk->sk_wq  = NULL
                                                release_sock
            ****
           lock_sock(__sk);
          remove_wait_queue(sk_sleep(sk), &wait);
             sk_sleep(sk)
             //NULL pointer dereference
             &rcu_dereference_raw(sk->sk_wq)->wait

While waiting for memory in thread1, the socket is released with its wait
queue because thread2 has closed it. This caused by tcp_bpf_send_verdict
didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1.

We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory
before accessing the wait queue.

Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Liu Jian <liujian56@huawei.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/bpf/20220823133755.314697-2-liujian56@huawei.com
2022-09-26 17:43:43 +02:00
..
6lowpan
net: 6lowpan: constify lowpan_nhc structures
2022-06-09 21:53:28 +02:00
9p
iov_iter stuff, part 2, rebased
2022-08-08 20:04:35 -07:00
802
8021q
net: gro: skb_gro_header helper function
2022-08-25 10:33:21 +02:00
appletalk
net: remove noblock parameter from skb_recv_datagram()
2022-04-06 13:45:26 +01:00
atm
net: SO_RCVMARK socket option for SO_MARK with recvmsg()
2022-04-28 13:08:15 -07:00
ax25
ax25: move from strlcpy with unused retval to strscpy
2022-08-22 17:55:50 -07:00
batman-adv
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
bluetooth
Bluetooth: hci_sync: hold hdev->lock when cleanup hci_conn
2022-08-25 16:26:19 -07:00
bpf
selftests/bpf: Add tests for kfunc returning a memory pointer
2022-09-07 11:05:17 -07:00
bpfilter
uaccess: remove CONFIG_SET_FS
2022-02-25 09:36:06 +01:00
bridge
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2022-08-25 16:07:42 -07:00
caif
caif: move from strlcpy with unused retval to strscpy
2022-08-22 17:57:35 -07:00
can
can: j1939: j1939_session_destroy(): fix memory leak of skbs
2022-08-09 09:05:06 +02:00
ceph
libceph: clean up ceph_osdc_start_request prototype
2022-08-03 14:05:39 +02:00
core
net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
2022-09-26 17:43:43 +02:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-03 08:01:55 -08:00
dccp
net: Add a bhash2 table hashed by port and address
2022-08-24 19:30:07 -07:00
dns_resolver
dsa
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2022-09-01 12:58:02 -07:00
ethernet
net: gro: skb_gro_header helper function
2022-08-25 10:33:21 +02:00
ethtool
ethtool: report missing header via ext_ack in the default handler
2022-08-30 12:20:43 +02:00
hsr
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
ieee802154
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
ife
ipv4
bpf: Use 0 instead of NOT_INIT for btf_struct_access() writes
2022-09-10 17:27:32 -07:00
ipv6
bpf: Invoke cgroup/connect{4,6} programs for unprivileged ICMP ping
2022-09-09 10:40:45 -07:00
iucv
net: keep sk->sk_forward_alloc as small as possible
2022-06-10 16:21:27 -07:00
kcm
kcm: fix strp_init() order and cleanup
2022-08-31 12:16:44 -07:00
key
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
2022-08-24 12:51:50 +01:00
l2tp
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-15 14:27:24 -07:00
lapb
llc
net: rename reference+tracking helpers
2022-06-09 21:52:55 -07:00
mac80211
drivers
2022-09-04 11:24:34 +01:00
mac802154
net: mac802154: Fix a condition in the receive path
2022-08-29 11:10:22 +02:00
mctp
Networking changes for 5.19.
2022-05-25 12:22:58 -07:00
mpls
net: Use u64_stats_fetch_begin_irq() for stats fetch.
2022-08-29 13:02:27 +01:00
mptcp
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
ncsi
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
netfilter
net: netfilter: add bpf_ct_set_nat_info kfunc helper
2022-09-21 19:25:26 -07:00
netlabel
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
netlink
netlink: Bounds-check struct nlmsgerr creation
2022-09-05 14:45:22 +01:00
netrom
net: remove noblock parameter from skb_recv_datagram()
2022-04-06 13:45:26 +01:00
nfc
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
nsh
openvswitch
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2022-09-01 12:58:02 -07:00
packet
packet: move from strlcpy with unused retval to strscpy
2022-08-22 17:59:51 -07:00
phonet
net: remove noblock parameter from recvmsg() entities
2022-04-12 15:00:25 +02:00
psample
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
qrtr
net: qrtr: start MHI channel after endpoit creation
2022-08-15 11:21:42 +01:00
rds
net/rds: Pass a pointer to virt_to_page()
2022-08-31 19:12:32 -07:00
rfkill
rfkill: make new event layout opt-in
2022-03-18 13:09:17 +02:00
rose
rose: check NULL rose_loopback_neigh->loopback
2022-08-22 14:24:54 +01:00
rxrpc
rxrpc: Fix locking in rxrpc's sendmsg
2022-08-25 12:39:40 -07:00
sched
net: sched: htb: remove redundant resource cleanup in htb_init()
2022-09-03 10:40:40 +01:00
sctp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2022-07-28 18:21:16 -07:00
smc
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2022-09-01 12:58:02 -07:00
strparser
strparser: pad sk_skb_cb to avoid straddling cachelines
2022-07-08 18:38:44 -07:00
sunrpc
NFS client bugfixes for Linux 6.0
2022-08-22 11:40:01 -07:00
switchdev
net: rename reference+tracking helpers
2022-06-09 21:52:55 -07:00
tipc
genetlink: start to validate reserved header bytes
2022-08-29 12:47:15 +01:00
tls
tls: rx: react to strparser initialization errors
2022-08-17 10:24:00 +01:00
unix
af_unix: Show number of inflight fds for sockets in TCP_LISTEN state too
2022-08-22 11:34:54 +01:00
vmw_vsock
vmci/vsock: check SO_RCVLOWAT before wake up reader
2022-08-23 10:43:12 +02:00
wireless
drivers
2022-09-04 11:24:34 +01:00
x25
net/x25: fix call timeouts in blocking connects
2022-08-08 20:48:51 -07:00
xdp
xsk: Fix corrupted packets for XDP_SHARED_UMEM
2022-08-15 17:26:07 +02:00
xfrm
net: Fix data-races around netdev_max_backlog.
2022-08-24 13:46:57 +01:00
compat.c
Merge branch 'for-5.20/io_uring' into for-5.20/io_uring-zerocopy-send
2022-07-24 18:41:03 -06:00
devres.c
Kconfig
Remove DECnet support from kernel
2022-08-22 14:26:30 +01:00
Kconfig.debug
net: CONFIG_DEBUG_NET depends on CONFIG_NET
2022-06-02 10:15:05 -07:00
Makefile
Remove DECnet support from kernel
2022-08-22 14:26:30 +01:00
socket.c
net: Fix a data-race around sysctl_somaxconn.
2022-08-24 13:46:58 +01:00
sysctl_net.c