linux

iv/linux

History

Kuniyuki Iwashima 50749f2dd6 tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp. syzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY skbs. We can reproduce the problem with these sequences: sk = socket(AF_INET, SOCK_DGRAM, 0) sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE) sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1) sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53)) sk.close() sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets skb->cb->ubuf.refcnt to 1, and calls sock_hold(). Here, struct ubuf_info_msgzc indirectly holds a refcnt of the socket. When the skb is sent, __skb_tstamp_tx() clones it and puts the clone into the socket's error queue with the TX timestamp. When the original skb is received locally, skb_copy_ubufs() calls skb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt. This additional count is decremented while freeing the skb, but struct ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is not called. The last refcnt is not released unless we retrieve the TX timestamped skb by recvmsg(). Since we clear the error queue in inet_sock_destruct() after the socket's refcnt reaches 0, there is a circular dependency. If we close() the socket holding such skbs, we never call sock_put() and leak the count, sk, and skb. TCP has the same problem, and commit `e0c8bccd40` ("net: stream: purge sk_error_queue in sk_stream_kill_queues()") tried to fix it by calling skb_queue_purge() during close(). However, there is a small chance that skb queued in a qdisc or device could be put into the error queue after the skb_queue_purge() call. In __skb_tstamp_tx(), the cloned skb should not have a reference to the ubuf to remove the circular dependency, but skb_clone() does not call skb_copy_ubufs() for zerocopy skb. So, we need to call skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs(). [0]: BUG: memory leak unreferenced object 0xffff88800c6d2d00 (size 1152): comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................ 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ backtrace: [<0000000055636812>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024 [<0000000054d77b7a>] sk_alloc+0x3b/0x800 net/core/sock.c:2083 [<0000000066f3c7e0>] inet_create net/ipv4/af_inet.c:319 [inline] [<0000000066f3c7e0>] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245 [<000000009b83af97>] __sock_create+0x2ab/0x550 net/socket.c:1515 [<00000000b9b11231>] sock_create net/socket.c:1566 [inline] [<00000000b9b11231>] __sys_socket_create net/socket.c:1603 [inline] [<00000000b9b11231>] __sys_socket_create net/socket.c:1588 [inline] [<00000000b9b11231>] __sys_socket+0x138/0x250 net/socket.c:1636 [<000000004fb45142>] __do_sys_socket net/socket.c:1649 [inline] [<000000004fb45142>] __se_sys_socket net/socket.c:1647 [inline] [<000000004fb45142>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647 [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd BUG: memory leak unreferenced object 0xffff888017633a00 (size 240): comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m..... backtrace: [<000000002b1c4368>] __alloc_skb+0x229/0x320 net/core/skbuff.c:497 [<00000000143579a6>] alloc_skb include/linux/skbuff.h:1265 [inline] [<00000000143579a6>] sock_omalloc+0xaa/0x190 net/core/sock.c:2596 [<00000000be626478>] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline] [<00000000be626478>] msg_zerocopy_realloc+0x1ce/0x7f0 net/core/skbuff.c:1370 [<00000000cbfc9870>] __ip_append_data+0x2adf/0x3b30 net/ipv4/ip_output.c:1037 [<0000000089869146>] ip_make_skb+0x26c/0x2e0 net/ipv4/ip_output.c:1652 [<00000000098015c2>] udp_sendmsg+0x1bac/0x2390 net/ipv4/udp.c:1253 [<0000000045e0e95e>] inet_sendmsg+0x10a/0x150 net/ipv4/af_inet.c:819 [<000000008d31bfde>] sock_sendmsg_nosec net/socket.c:714 [inline] [<000000008d31bfde>] sock_sendmsg+0x141/0x190 net/socket.c:734 [<0000000021e21aa4>] __sys_sendto+0x243/0x360 net/socket.c:2117 [<00000000ac0af00c>] __do_sys_sendto net/socket.c:2129 [inline] [<00000000ac0af00c>] __se_sys_sendto net/socket.c:2125 [inline] [<00000000ac0af00c>] __x64_sys_sendto+0xe1/0x1c0 net/socket.c:2125 [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: `f214f915e7` ("tcp: enable MSG_ZEROCOPY") Fixes: `b5947e5d1e` ("udp: msg_zerocopy") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2023-04-25 09:42:35 +01:00
..
bpf_sk_storage.c	bpf: Fix a compilation failure with clang lto build	2022-11-30 17:13:25 -08:00
datagram.c	tcp: TX zerocopy should not sense pfmemalloc status	2022-09-02 12:29:02 +01:00
dev_addr_lists_test.c	kunit: Use KUNIT_EXPECT_MEMEQ macro	2022-10-27 02:40:14 -06:00
dev_addr_lists.c	net: extract a few internals from netdevice.h	2022-04-07 20:32:09 -07:00
dev_ioctl.c	net: dev: Convert sa_data to flexible array in struct sockaddr	2022-10-25 11:44:20 -07:00
dev.c	rtnetlink: Restore RTM_NEW/DELLINK notification behavior	2023-04-12 20:47:58 -07:00
dev.h	net-sysctl: factor-out rpm mask manipulation helpers	2023-02-09 17:45:55 -08:00
drop_monitor.c	genetlink: introduce split op representation	2022-11-07 12:30:16 +00:00
dst_cache.c	wireguard: device: reset peer src endpoint when netns exits	2021-11-29 19:50:45 -08:00
dst.c	ipv6: remove max_size check inline with ipv4	2023-01-13 20:59:14 -08:00
failover.c	net: failover: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf	2022-12-12 15:18:25 -08:00
fib_notifier.c
fib_rules.c	fib: expand fib_rule_policy	2021-12-16 07:18:35 -08:00
filter.c	bpf: Add BPF_FIB_LOOKUP_SKIP_NEIGH for bpf_fib_lookup	2023-02-17 22:12:04 +01:00
flow_dissector.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-11-29 13:04:52 -08:00
flow_offload.c	net: flow_offload: add support for ARP frame matching	2022-11-14 11:24:16 +00:00
gen_estimator.c	treewide: Convert del_timer() to timer_shutdown()	2022-12-25 13:38:09 -08:00
gen_stats.c	net: Remove the obsolte u64_stats_fetch_*_irq() users (net).	2022-10-28 20:13:54 -07:00
gro_cells.c	net: drop the weight argument from netif_napi_add	2022-09-28 18:57:14 -07:00
gro.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2023-02-02 14:49:55 -08:00
hwbm.c
link_watch.c	net: linkwatch: only report IF_OPER_LOWERLAYERDOWN if iflink is actually down	2022-11-16 09:45:00 +00:00
lwt_bpf.c	bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook	2022-04-22 17:45:25 +02:00
lwtunnel.c	xfrm: lwtunnel: squelch kernel warning in case XFRM encap type is not available	2022-10-12 10:45:51 +02:00
Makefile	netdev-genl: create a simple family for netdev stuff	2023-02-02 20:48:23 -08:00
neighbour.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2023-02-09 12:25:40 -08:00
net_namespace.c	net: initialize net->notrefcnt_tracker earlier	2023-02-09 22:49:25 -08:00
net-procfs.c	net: extract a few internals from netdevice.h	2022-04-07 20:32:09 -07:00
net-sysfs.c	net: make default_rps_mask a per netns attribute	2023-02-20 11:22:54 +00:00
net-sysfs.h
net-traces.c	net: bridge: Add a tracepoint for MDB overflows	2023-02-06 08:48:25 +00:00
netclassid_cgroup.c	core: Variable type completion	2022-08-31 09:40:34 +01:00
netdev-genl-gen.c	ynl: broaden the license even more	2023-03-16 21:20:32 -07:00
netdev-genl-gen.h	ynl: broaden the license even more	2023-03-16 21:20:32 -07:00
netdev-genl.c	netdev-genl: create a simple family for netdev stuff	2023-02-02 20:48:23 -08:00
netevent.c
netpoll.c	net: don't let netpoll invoke NAPI if in xmit context	2023-04-02 13:26:21 +01:00
netprio_cgroup.c
of_net.c	of: net: export of_get_mac_address_nvmem()	2022-11-29 10:45:53 +01:00
page_pool.c	net: page_pool: use in_softirq() instead	2023-02-06 09:15:22 +00:00
pktgen.c	treewide: use get_random_u32_inclusive() when possible	2022-11-18 02:18:02 +01:00
ptp_classifier.c	ptp: Add generic PTP is_sync() function	2022-03-07 11:31:34 +00:00
request_sock.c
rtnetlink.c	rtnetlink: Restore RTM_NEW/DELLINK notification behavior	2023-04-12 20:47:58 -07:00
scm.c	scm: add user copy checks to put_cmsg()	2023-02-20 11:39:59 +00:00
secure_seq.c	tcp: Fix data-races around sysctl knobs related to SYN option.	2022-07-20 10:14:49 +01:00
selftests.c	net: core: constify mac addrs in selftests	2021-10-24 13:59:44 +01:00
skbuff.c	tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.	2023-04-25 09:42:35 +01:00
skmsg.c	net/sock: Introduce trace_sk_data_ready()	2023-01-23 11:26:50 +00:00
sock_destructor.h	skb_expand_head() adjust skb->truesize incorrectly	2021-10-22 12:35:51 -07:00
sock_diag.c	net: fix __sock_gen_cookie()	2022-11-21 20:36:30 -08:00
sock_map.c	bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself	2023-01-24 21:32:55 -08:00
sock_reuseport.c	soreuseport: Fix socket selection for SO_INCOMING_CPU.	2022-10-25 11:35:16 +02:00
sock.c	net: use indirect calls helpers for sk_exit_memory_pressure()	2023-03-02 11:35:06 +01:00
stream.c	net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues().	2023-02-10 19:53:42 -08:00
sysctl_net_core.c	net: make default_rps_mask a per netns attribute	2023-02-20 11:22:54 +00:00
timestamping.c
tso.c	net: tso: inline tso_count_descs()	2022-12-12 15:04:39 -08:00
utils.c	net: core: inet[46]_pton strlen len types	2022-11-01 21:14:39 -07:00
xdp.c	xdp: rss hash types representation	2023-04-13 11:15:10 -07:00