leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
740ea3c4a0
linux/net
History
Kuniyuki Iwashima 740ea3c4a0 tcp: Clean up kernel listener's reqsk in inet_twsk_purge() 
Eric Dumazet reported a use-after-free related to the per-netns ehash
series. [0]

When we create a TCP socket from userspace, the socket always holds a
refcnt of the netns.  This guarantees that a reqsk timer is always fired
before netns dismantle.  Each reqsk has a refcnt of its listener, so the
listener is not freed before the reqsk, and the net is not freed before
the listener as well.

OTOH, when in-kernel users create a TCP socket, it might not hold a refcnt
of its netns.  Thus, a reqsk timer can be fired after the netns dismantle
and access freed per-netns ehash.

To avoid the use-after-free, we need to clean up TCP_NEW_SYN_RECV sockets
in inet_twsk_purge() if the netns uses a per-netns ehash.

[0]: https://lore.kernel.org/netdev/CANn89iLXMup0dRD_Ov79Xt8N9FM0XdhCHEN05sf3eLwxKweM6w@mail.gmail.com/

BUG: KASAN: use-after-free in tcp_or_dccp_get_hashinfo
include/net/inet_hashtables.h:181 [inline]
BUG: KASAN: use-after-free in reqsk_queue_unlink+0x320/0x350
net/ipv4/inet_connection_sock.c:913
Read of size 8 at addr ffff88807545bd80 by task syz-executor.2/8301

CPU: 1 PID: 8301 Comm: syz-executor.2 Not tainted
6.0.0-syzkaller-02757-gaf7d23f9d96a #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 09/22/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
tcp_or_dccp_get_hashinfo include/net/inet_hashtables.h:181 [inline]
reqsk_queue_unlink+0x320/0x350 net/ipv4/inet_connection_sock.c:913
inet_csk_reqsk_queue_drop net/ipv4/inet_connection_sock.c:927 [inline]
inet_csk_reqsk_queue_drop_and_put net/ipv4/inet_connection_sock.c:939 [inline]
reqsk_timer_handler+0x724/0x1160 net/ipv4/inet_connection_sock.c:1053
call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1107
</IRQ>

Fixes: d1e5e6408b ("tcp: Introduce optional per-netns ehash.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20221012145036.74960-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-10-13 09:33:16 -07:00
..
6lowpan
9p iov_iter stuff, part 2, rebased 2022-08-08 20:04:35 -07:00
802
8021q net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
appletalk
atm
ax25 ax25: move from strlcpy with unused retval to strscpy 2022-08-22 17:55:50 -07:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-09-22 13:02:10 -07:00
bluetooth Bluetooth: hci_sync: Fix not indicating power state 2022-09-30 17:32:12 -07:00
bpf selftests/bpf: Add tests for kfunc returning a memory pointer 2022-09-07 11:05:17 -07:00
bpfilter
bridge net: bridge: assign path_cost for 2.5G and 5G link speed 2022-09-30 12:35:29 +01:00
caif caif: move from strlcpy with unused retval to strscpy 2022-08-22 17:57:35 -07:00
can can: bcm: check the result of can_send() in bcm_can_tx() 2022-09-23 13:53:10 +02:00
ceph libceph: clean up ceph_osdc_start_request prototype 2022-08-03 14:05:39 +02:00
core ipv6: Fix data races around sk->sk_prot. 2022-10-12 17:50:37 -07:00
dcb
dccp tcp: Introduce optional per-netns ehash. 2022-09-20 10:21:50 -07:00
dns_resolver
dsa net: dsa: fix wrong pointer passed to PTR_ERR() in dsa_port_phylink_create() 2022-10-09 20:01:32 +01:00
ethernet net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
ethtool ethtool: add interface to interact with Ethernet Power Equipment 2022-10-03 17:33:57 -07:00
hsr genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
ieee802154 net/ieee802154: don't warn zero-sized raw_sendmsg() 2022-10-05 12:37:10 +02:00
ife
ipv4 tcp: Clean up kernel listener's reqsk in inet_twsk_purge() 2022-10-13 09:33:16 -07:00
ipv6 tcp: Fix data races around icsk->icsk_af_ops. 2022-10-12 17:50:37 -07:00
iucv
kcm kcm: fix strp_init() order and cleanup 2022-08-31 12:16:44 -07:00
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-08-24 12:51:50 +01:00
l2tp genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
l3mdev
lapb
llc
mac80211 Merge branch 'cve-fixes-2022-10-13' 2022-10-13 11:59:56 +02:00
mac802154 net: mac802154: Fix a condition in the receive path 2022-08-29 11:10:22 +02:00
mctp mctp: prevent double key removal and unref 2022-10-12 13:30:50 +01:00
mpls net: Use u64_stats_fetch_begin_irq() for stats fetch. 2022-08-29 13:02:27 +01:00
mptcp mptcp: update misleading comments. 2022-10-03 11:18:53 +01:00
ncsi genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netfilter Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-10-03 13:02:49 -07:00
netlabel genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink genetlink: reject use of nlmsg_flags for new commands 2022-09-30 17:43:09 -07:00
netrom
nfc NFC: hci: Split memcpy() of struct hcp_message flexible array 2022-09-27 07:45:18 -07:00
nsh
openvswitch openvswitch: add nf_ct_is_confirmed check before assigning the helper 2022-10-12 17:51:15 -07:00
packet net/af_packet: registration process optimization in packet_init() 2022-09-21 12:59:22 +01:00
phonet
psample genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
qrtr net: qrtr: start MHI channel after endpoit creation 2022-08-15 11:21:42 +01:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
rfkill
rose rose: check NULL rose_loopback_neigh->loopback 2022-08-22 14:24:54 +01:00
rxrpc rxrpc: remove rxrpc_max_call_lifetime declaration 2022-09-19 17:58:47 -07:00
sched Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs" 2022-10-05 20:32:15 -07:00
sctp sctp: handle the error returned from sctp_auth_asoc_init_active_key 2022-09-30 12:36:40 +01:00
smc net/smc: Support SO_REUSEPORT 2022-09-27 10:26:17 +02:00
strparser
sunrpc SUNRPC: Fix typo in xdr_buf_subsegment's kdoc comment 2022-09-26 14:02:47 -04:00
switchdev
tipc net/tipc: Remove unused struct distr_queue_item 2022-09-29 18:48:32 -07:00
tls net: tls: Add ARIA-GCM algorithm 2022-09-27 17:29:09 -07:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
wireless Merge branch 'cve-fixes-2022-10-13' 2022-10-13 11:59:56 +02:00
x25 net/x25: fix call timeouts in blocking connects 2022-08-08 20:48:51 -07:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
compat.c net: clear msg_get_inq in __get_compat_msghdr() 2022-09-20 08:23:20 -07:00
devres.c
Kconfig Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
Kconfig.debug net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET 2022-09-20 14:23:56 -07:00
Makefile Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
socket.c net: Fix a data-race around sysctl_somaxconn. 2022-08-24 13:46:58 +01:00
sysctl_net.c