leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5e20087d1b
linux/net/mptcp
History
Florian Westphal 5e20087d1b mptcp: handle mptcp listener destruction via rcu 
Following splat can occur during self test:

 BUG: KASAN: use-after-free in subflow_data_ready+0x156/0x160
 Read of size 8 at addr ffff888100c35c28 by task mptcp_connect/4808

  subflow_data_ready+0x156/0x160
  tcp_child_process+0x6a3/0xb30
  tcp_v4_rcv+0x2231/0x3730
  ip_protocol_deliver_rcu+0x5c/0x860
  ip_local_deliver_finish+0x220/0x360
  ip_local_deliver+0x1c8/0x4e0
  ip_rcv_finish+0x1da/0x2f0
  ip_rcv+0xd0/0x3c0
  __netif_receive_skb_one_core+0xf5/0x160
  __netif_receive_skb+0x27/0x1c0
  process_backlog+0x21e/0x780
  net_rx_action+0x35f/0xe90
  do_softirq+0x4c/0x50
  [..]

This occurs when accessing subflow_ctx->conn.

Problem is that tcp_child_process() calls listen sockets'
sk_data_ready() notification, but it doesn't hold the listener
lock.  Another cpu calling close() on the listener will then cause
transition of refcount to 0.

Fixes: 58b0991962 ("mptcp: create msk early")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-04-20 12:59:32 -07:00
..
crypto.c mptcp: Add ADD_ADDR handling 2020-03-29 22:14:48 -07:00
ctrl.c mptcp: new sysctl to control the activation per NS 2020-01-24 13:44:08 +01:00
diag.c mptcp: allow dumping subflow context to userspace 2020-03-29 22:14:48 -07:00
Kconfig mptcp: select CRYPTO 2020-02-16 19:37:16 -08:00
Makefile mptcp: add netlink-based PM 2020-03-29 22:14:49 -07:00
mib.c mptcp: add and use MIB counter infrastructure 2020-03-29 22:14:49 -07:00
mib.h mptcp: add and use MIB counter infrastructure 2020-03-29 22:14:49 -07:00
options.c mptcp: add some missing pr_fmt defines 2020-04-03 16:06:32 -07:00
pm_netlink.c mptcp: add some missing pr_fmt defines 2020-04-03 16:06:32 -07:00
pm.c mptcp: add some missing pr_fmt defines 2020-04-03 16:06:32 -07:00
protocol.c mptcp: handle mptcp listener destruction via rcu 2020-04-20 12:59:32 -07:00
protocol.h mptcp: subflow: check parent mptcp socket on subflow state change 2020-04-02 06:59:21 -07:00
subflow.c mptcp: fix 'Attempt to release TCP socket in state' warnings 2020-04-18 15:43:20 -07:00
token.c mptcp: fix "fn parameter not described" warnings 2020-04-02 06:59:21 -07:00