iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
59a63e479c
linux/net/ipv4
History
Eric Dumazet f0c928d878 tcp: fix a race in inet_diag_dump_icsk() 
Alexei reported use after frees in inet_diag_dump_icsk() [1]

Because we use refcount_set() when various sockets are setup and
inserted into ehash, we also need to make sure inet_diag_dump_icsk()
wont race with the refcount_set() operations.

Jonathan Lemon sent a patch changing net_twsk_hashdance() but
other spots would need risky changes.

Instead, fix inet_diag_dump_icsk() as this bug came with
linux-4.10 only.

[1] Quoting Alexei :

First something iterating over sockets finds already freed tw socket:

refcount_t: increment on 0; use-after-free.
WARNING: CPU: 2 PID: 2738 at lib/refcount.c:153 refcount_inc+0x26/0x30
RIP: 0010:refcount_inc+0x26/0x30
RSP: 0018:ffffc90004c8fbc0 EFLAGS: 00010282
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88085ee9d680 RSI: ffff88085ee954c8 RDI: ffff88085ee954c8
RBP: ffff88010ecbd2c0 R08: 0000000000000000 R09: 000000000000174c
R10: ffffffff81e7c5a0 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8806ba9bf210 R14: ffffffff82304600 R15: ffff88010ecbd328
FS:  00007f81f5a7d700(0000) GS:ffff88085ee80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f81e2a95000 CR3: 000000069b2eb006 CR4: 00000000003606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 inet_diag_dump_icsk+0x2b3/0x4e0 [inet_diag]  // sock_hold(sk); in net/ipv4/inet_diag.c:1002
 ? kmalloc_large_node+0x37/0x70
 ? __kmalloc_node_track_caller+0x1cb/0x260
 ? __alloc_skb+0x72/0x1b0
 ? __kmalloc_reserve.isra.40+0x2e/0x80
 __inet_diag_dump+0x3b/0x80 [inet_diag]
 netlink_dump+0x116/0x2a0
 netlink_recvmsg+0x205/0x3c0
 sock_read_iter+0x89/0xd0
 __vfs_read+0xf7/0x140
 vfs_read+0x8a/0x140
 SyS_read+0x3f/0xa0
 do_syscall_64+0x5a/0x100

then a minute later twsk timer fires and hits two bad refcnts
for this freed socket:

refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 31 PID: 0 at lib/refcount.c:228 refcount_dec+0x2e/0x40
Modules linked in:
RIP: 0010:refcount_dec+0x2e/0x40
RSP: 0018:ffff88085f5c3ea8 EFLAGS: 00010296
RAX: 000000000000002c RBX: ffff88010ecbd2c0 RCX: 000000000000083f
RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000003f
RBP: ffffc90003c77280 R08: 0000000000000000 R09: 00000000000017d3
R10: ffffffff81e7c5a0 R11: 0000000000000000 R12: ffffffff82ad2d80
R13: ffffffff8182de00 R14: ffff88085f5c3ef8 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbe42685250 CR3: 0000000002209001 CR4: 00000000003606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 inet_twsk_kill+0x9d/0xc0  // inet_twsk_bind_unhash(tw, hashinfo);
 call_timer_fn+0x29/0x110
 run_timer_softirq+0x36b/0x3a0

refcount_t: underflow; use-after-free.
WARNING: CPU: 31 PID: 0 at lib/refcount.c:187 refcount_sub_and_test+0x46/0x50
RIP: 0010:refcount_sub_and_test+0x46/0x50
RSP: 0018:ffff88085f5c3eb8 EFLAGS: 00010296
RAX: 0000000000000026 RBX: ffff88010ecbd2c0 RCX: 000000000000083f
RDX: 0000000000000000 RSI: 00000000000000f6 RDI: 000000000000003f
RBP: ffff88010ecbd358 R08: 0000000000000000 R09: 000000000000185b
R10: ffffffff81e7c5a0 R11: 0000000000000000 R12: ffff88010ecbd358
R13: ffffffff8182de00 R14: ffff88085f5c3ef8 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbe42685250 CR3: 0000000002209001 CR4: 00000000003606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 inet_twsk_put+0x12/0x20  // inet_twsk_put(tw);
 call_timer_fn+0x29/0x110
 run_timer_softirq+0x36b/0x3a0

Fixes: 67db3e4bfbc9 ("tcp: no longer hold ehash lock while calling tcp_get_info()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Alexei Starovoitov <ast@kernel.org>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-12-20 19:23:22 -08:00
..
bpfilter
bpfilter: remove trailing newline
2018-07-24 14:10:42 -07:00
netfilter
netfilter: nat: fix double register in masquerade modules
2018-11-27 00:36:46 +01:00
af_inet.c
gso_segment: Reset skb->mac_len after modifying network header
2018-09-13 12:09:32 -07:00
ah4.c
net-ipv4: remove 2 always zero parameters from ipv4_redirect()
2018-09-26 20:30:55 -07:00
arp.c
net: Evict neighbor entries on carrier down
2018-10-12 09:47:39 -07:00
cipso_ipv4.c
net/ipv4: defensive cipso option parsing
2018-09-17 19:37:46 -07:00
datagram.c
ipv4: Allow sending multicast packets on specific i/f using VRF socket
2018-10-02 22:28:17 -07:00
devinet.c
net: Allow class-e address assignment via ifconfig ioctl
2018-12-14 15:39:31 -08:00
esp4_offload.c
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
2018-07-27 09:33:37 -07:00
esp4.c
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
2018-10-01 22:31:17 -07:00
fib_frontend.c
net: Don't return invalid table id error when dumping all families
2018-10-24 14:06:25 -07:00
fib_lookup.h
fib_notifier.c
fib_rules.c
net: fib_rules: add extack support
2018-04-23 10:21:24 -04:00
fib_semantics.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-10-12 21:38:46 -07:00
fib_trie.c
net/ipv4: Plumb support for filtering route dumps
2018-10-16 00:13:12 -07:00
fou.c
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
2018-07-03 10:29:26 +09:00
gre_demux.c
ip_gre: fix parsing gre header in ipgre_err
2018-09-16 15:32:59 -07:00
gre_offload.c
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
2018-07-03 10:29:26 +09:00
icmp.c
net-ipv4: remove 2 always zero parameters from ipv4_redirect()
2018-09-26 20:30:55 -07:00
igmp.c
ipv4/igmp: fix v1/v2 switchback timeout based on rfc3376, 8.12
2018-10-29 20:26:06 -07:00
inet_connection_sock.c
inet: make sure to grab rcu_read_lock before using ireq->ireq_opt
2018-10-02 15:52:12 -07:00
inet_diag.c
tcp: fix a race in inet_diag_dump_icsk()
2018-12-20 19:23:22 -08:00
inet_fragment.c
inet: frags: better deal with smp races
2018-11-08 18:40:30 -08:00
inet_hashtables.c
mm: remove include/linux/bootmem.h
2018-10-31 08:54:16 -07:00
inet_timewait_sock.c
soreuseport: initialise timewait reuseport field
2018-04-07 22:32:32 -04:00
inetpeer.c
inetpeer: fix uninit-value in inet_getpeer
2018-04-09 10:57:35 -04:00
ip_forward.c
net: clear skb->tstamp in forwarding paths
2018-12-15 13:24:21 -08:00
ip_fragment.c
net: ipv4: do not handle duplicate fragments as overlapping
2018-12-15 11:50:40 -08:00
ip_gre.c
net-ipv4: remove 2 always zero parameters from ipv4_redirect()
2018-09-26 20:30:55 -07:00
ip_input.c
net: use skb_list_del_init() to remove from RX sublists
2018-12-05 16:22:05 -08:00
ip_options.c
ip_output.c
net: always initialize pagedlen
2018-11-24 17:42:57 -08:00
ip_sockglue.c
net: bpfilter: fix iptables failure if bpfilter_umh is disabled
2018-11-05 17:12:18 -08:00
ip_tunnel_core.c
ip_tunnel: don't force DF when MTU is locked
2018-11-17 21:50:55 -08:00
ip_tunnel.c
ip_tunnel: be careful when accessing the inner header
2018-09-24 12:27:04 -07:00
ip_vti.c
net-ipv4: remove 2 always zero parameters from ipv4_redirect()
2018-09-26 20:30:55 -07:00
ipcomp.c
net-ipv4: remove 2 always zero parameters from ipv4_redirect()
2018-09-26 20:30:55 -07:00
ipconfig.c
net: Allow class-e address assignment via ifconfig ioctl
2018-12-14 15:39:31 -08:00
ipip.c
net-ipv4: remove 2 always zero parameters from ipv4_redirect()
2018-09-26 20:30:55 -07:00
ipmr_base.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-10-19 11:03:06 -07:00
ipmr.c
ipv4: Fix potential Spectre v1 vulnerability
2018-12-10 12:10:38 -08:00
Kconfig
net: remove blank lines at end of file
2018-07-24 14:10:43 -07:00
Makefile
bpf, sockmap: convert to generic sk_msg interface
2018-10-15 12:23:19 -07:00
metrics.c
net: common metrics init helper for FIB entries
2018-10-04 21:54:03 -07:00
netfilter.c
netfilter: utils: move nf_ip_checksum* from ipv4 to utils
2018-07-16 17:51:48 +02:00
netlink.c
ipv4: support sport, dport and ip_proto in RTM_GETROUTE
2018-05-23 15:14:12 -04:00
ping.c
ipv4: Allow sending multicast packets on specific i/f using VRF socket
2018-10-02 22:28:17 -07:00
proc.c
ip: discard IPv4 datagrams with overlapping segments.
2018-08-05 17:16:46 -07:00
protocol.c
raw_diag.c
raw.c
net: add missing SOF_TIMESTAMPING_OPT_ID support
2018-12-17 23:27:00 -08:00
route.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-10-12 21:38:46 -07:00
syncookies.c
tcp: provide earliest departure time in skb->tstamp
2018-09-21 19:37:59 -07:00
sysctl_net_ipv4.c
net-tcp: /proc/sys/net/ipv4/tcp_probe_interval is a u32 not int
2018-09-26 20:33:21 -07:00
tcp_bbr.c
tcp_bbr: centralize code to set gains
2018-10-17 22:22:53 -07:00
tcp_bic.c
tcp_bpf.c
bpf: tcp_bpf_recvmsg should return EAGAIN when nonblocking and no data
2018-10-30 23:31:22 +01:00
tcp_cdg.c
tcp: cdg: use tcp high resolution clock cache
2018-10-15 22:56:42 -07:00
tcp_cong.c
tcp_cubic.c
tcp_dctcp.c
tcp: refactor DCTCP ECN ACK handling
2018-10-10 22:26:00 -07:00
tcp_dctcp.h
tcp: refactor DCTCP ECN ACK handling
2018-10-10 22:26:00 -07:00
tcp_diag.c
net: sock: replace sk_state_load with inet_sk_state_load and remove sk_state_store
2017-12-20 14:00:25 -05:00
tcp_fastopen.c
tcp: pause Fast Open globally after third consecutive timeout
2017-12-13 15:51:12 -05:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
net/tcp/illinois: replace broken algorithm reference link
2018-02-28 12:03:47 -05:00
tcp_input.c
tcp: address problems caused by EDT misshaps
2018-11-24 17:41:37 -08:00
tcp_ipv4.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-10-03 21:00:17 -07:00
tcp_lp.c
tcp_metrics.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
tcp_minisocks.c
tcp: do not restart timewait timer on rst reception
2018-08-31 23:10:35 -07:00
tcp_nv.c
tcp_nv: fix potential integer overflow in tcpnv_acked
2018-01-31 10:26:30 -05:00
tcp_offload.c
tcp: Don't coalesce decrypted and encrypted SKBs
2018-07-16 00:12:09 -07:00
tcp_output.c
tcp: lack of available data can also cause TSO defer
2018-12-07 16:18:22 -08:00
tcp_rate.c
tcp: introduce tcp_skb_timestamp_us() helper
2018-09-21 19:37:59 -07:00
tcp_recovery.c
tcp: introduce tcp_skb_timestamp_us() helper
2018-09-21 19:37:59 -07:00
tcp_scalable.c
tcp_timer.c
tcp: fix SNMP TCP timeout under-estimation
2018-11-30 17:22:41 -08:00
tcp_ulp.c
tcp, ulp: remove socket lock assertion on ULP cleanup
2018-10-16 12:38:41 -07:00
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tcp.c
mm: remove include/linux/bootmem.h
2018-10-31 08:54:16 -07:00
tunnel4.c
inet: whitespace cleanup
2018-02-28 11:43:28 -05:00
udp_diag.c
net: diag: document swapped src/dst in udp_dump_one.
2018-10-28 19:27:21 -07:00
udp_impl.h
udp_offload.c
udp: gro behind static key
2018-10-05 11:52:38 -07:00
udp_tunnel.c
udp.c
mm: remove include/linux/bootmem.h
2018-10-31 08:54:16 -07:00
udplite.c
proc: introduce proc_create_net{,_data}
2018-05-16 07:24:30 +02:00
xfrm4_input.c
xfrm: reset transport header back to network header after all input transforms ahave been applied
2018-09-04 10:26:30 +02:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm: reset transport header back to network header after all input transforms ahave been applied
2018-09-04 10:26:30 +02:00
xfrm4_mode_tunnel.c
xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto
2018-03-07 10:54:29 +01:00
xfrm4_output.c
net: xfrm: use skb_gso_validate_network_len() to check gso sizes
2018-03-04 17:49:17 -05:00
xfrm4_policy.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c