From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+fa3ef895554bdbfd1183@syzkaller.appspotmail.com,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 29/64] af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.
Date: Tue, 13 Feb 2024 18:21:15 +0100 [thread overview]
Message-ID: <20240213171845.668600346@linuxfoundation.org> (raw)
In-Reply-To: <20240213171844.702064831@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 1279f9d9dec2d7462823a18c29ad61359e0a007d ]
syzbot reported a warning [0] in __unix_gc() with a repro, which
creates a socketpair and sends one socket's fd to itself using the
peer.
socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}],
msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,
cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],
msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1
This forms a self-cyclic reference that GC should finally untangle
but does not due to lack of MSG_OOB handling, resulting in memory
leak.
Recently, commit 11498715f266 ("af_unix: Remove io_uring code for
GC.") removed io_uring's dead code in GC and revealed the problem.
The code was executed at the final stage of GC and unconditionally
moved all GC candidates from gc_candidates to gc_inflight_list.
That papered over the reported problem by always making the following
WARN_ON_ONCE(!list_empty(&gc_candidates)) false.
The problem has been there since commit 2aab4b969002 ("af_unix: fix
struct pid leaks in OOB support") added full scm support for MSG_OOB
while fixing another bug.
To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb
if the socket still exists in gc_candidates after purging collected skb.
Then, we need to set NULL to oob_skb before calling kfree_skb() because
it calls last fput() and triggers unix_release_sock(), where we call
duplicate kfree_skb(u->oob_skb) if not NULL.
Note that the leaked socket remained being linked to a global list, so
kmemleak also could not detect it. We need to check /proc/net/protocol
to notice the unfreed socket.
[0]:
WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345
Modules linked in:
CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events_unbound __unix_gc
RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345
Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8
RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e
RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30
RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66
R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000
R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
kthread+0x2c6/0x3b0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
</TASK>
Reported-by: syzbot+fa3ef895554bdbfd1183@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa3ef895554bdbfd1183
Fixes: 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240203183149.63573-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/unix/garbage.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index dc2763540393..767b338a7a2d 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -314,6 +314,17 @@ void unix_gc(void)
/* Here we are. Hitlist is filled. Die. */
__skb_queue_purge(&hitlist);
+#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+ list_for_each_entry_safe(u, next, &gc_candidates, link) {
+ struct sk_buff *skb = u->oob_skb;
+
+ if (skb) {
+ u->oob_skb = NULL;
+ kfree_skb(skb);
+ }
+ }
+#endif
+
spin_lock(&unix_gc_lock);
/* There could be io_uring registered files, just push them back to
--
2.43.0
next prev parent reply other threads:[~2024-02-13 17:25 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-13 17:20 [PATCH 6.1 00/64] 6.1.78-rc1 review Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 01/64] ext4: regenerate buddy after block freeing failed if under fc replay Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 02/64] dmaengine: fsl-dpaa2-qdma: Fix the size of dma pools Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 03/64] dmaengine: ti: k3-udma: Report short packet errors Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 04/64] dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 05/64] dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 06/64] phy: renesas: rcar-gen3-usb2: Fix returning wrong error code Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 07/64] dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 08/64] phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 09/64] cifs: failure to add channel on iface should bump up weight Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 10/64] drm/msms/dp: fixed link clock divider bits be over written in BPC unknown case Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 11/64] drm/msm/dp: return correct Colorimetry for DP_TEST_DYNAMIC_RANGE_CEA case Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 12/64] drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup Greg Kroah-Hartman
2024-02-13 17:20 ` [PATCH 6.1 13/64] net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 14/64] wifi: mac80211: fix waiting for beacons logic Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 15/64] netdevsim: avoid potential loop in nsim_dev_trap_report_work() Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 16/64] net: atlantic: Fix DMA mapping for PTP hwts ring Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 17/64] selftests: net: cut more slack for gro fwd tests Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 18/64] selftests: net: avoid just another constant wait Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 19/64] tunnels: fix out of bounds access when building IPv6 PMTU error Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 20/64] atm: idt77252: fix a memleak in open_card_ubr0 Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 21/64] octeontx2-pf: Fix a memleak otx2_sq_init Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 22/64] hwmon: (aspeed-pwm-tacho) mutex for tach reading Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 23/64] hwmon: (coretemp) Fix out-of-bounds memory access Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 24/64] hwmon: (coretemp) Fix bogus core_id to attr name mapping Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 25/64] inet: read sk->sk_family once in inet_recv_error() Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 26/64] drm/i915/gvt: Fix uninitialized variable in handle_mmio() Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 27/64] rxrpc: Fix response to PING RESPONSE ACKs to a dead call Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 28/64] tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() Greg Kroah-Hartman
2024-02-13 17:21 ` Greg Kroah-Hartman [this message]
2024-02-13 17:21 ` [PATCH 6.1 30/64] ppp_async: limit MRU to 64K Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 31/64] selftests: cmsg_ipv6: repeat the exact packet Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 32/64] netfilter: nft_compat: narrow down revision to unsigned 8-bits Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 33/64] netfilter: nft_compat: reject unused compat flag Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 34/64] netfilter: nft_compat: restrict match/target protocol to u16 Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 35/64] drm/amd/display: Implement bounds check for stream encoder creation in DCN301 Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 36/64] netfilter: nft_ct: reject direction for ct id Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 37/64] netfilter: nft_set_pipapo: store index in scratch maps Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 38/64] netfilter: nft_set_pipapo: add helper to release pcpu scratch area Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 39/64] netfilter: nft_set_pipapo: remove scratch_aligned pointer Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 40/64] fs/ntfs3: Fix an NULL dereference bug Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 41/64] scsi: core: Move scsi_host_busy() out of host lock if it is for per-command Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 42/64] blk-iocost: Fix an UBSAN shift-out-of-bounds warning Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 43/64] fs: dlm: dont put dlm_local_addrs on heap Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 44/64] mtd: parsers: ofpart: add workaround for #size-cells 0 Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 45/64] ALSA: usb-audio: Add delay quirk for MOTU M Series 2nd revision Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 46/64] ALSA: usb-audio: Add a quirk for Yamaha YIT-W12TX transmitter Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 47/64] ALSA: usb-audio: add quirk for RODE NT-USB+ Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 48/64] USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 49/64] USB: serial: option: add Fibocom FM101-GL variant Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 50/64] USB: serial: cp210x: add ID for IMST iM871A-USB Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 51/64] usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 52/64] usb: host: xhci-plat: Add support for XHCI_SG_TRB_CACHE_SIZE_QUIRK Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 53/64] xhci: process isoc TD properly when there was a transaction error mid TD Greg Kroah-Hartman
2024-02-13 18:47 ` Michał Pecio
2024-02-14 14:23 ` Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 54/64] xhci: handle isoc Babble and Buffer Overrun events properly Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 55/64] hrtimer: Report offline hrtimer enqueue Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 56/64] Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 57/64] Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 58/64] io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 59/64] Revert "ASoC: amd: Add new dmi entries for acp5x platform" Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 60/64] vhost: use kzalloc() instead of kmalloc() followed by memset() Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 61/64] RDMA/irdma: Fix support for 64k pages Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 62/64] f2fs: add helper to check compression level Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 63/64] block: treat poll queue enter similarly to timeouts Greg Kroah-Hartman
2024-02-13 17:21 ` [PATCH 6.1 64/64] clocksource: Skip watchdog check for large watchdog intervals Greg Kroah-Hartman
2024-02-13 19:03 ` [PATCH 6.1 00/64] 6.1.78-rc1 review SeongJae Park
2024-02-13 19:34 ` Pavel Machek
2024-02-13 21:04 ` Kelsey Steele
2024-02-13 21:15 ` Florian Fainelli
2024-02-13 22:46 ` Allen
2024-02-14 0:17 ` Shuah Khan
2024-02-14 9:03 ` Jon Hunter
2024-02-14 13:08 ` Greg Kroah-Hartman
2024-02-14 13:15 ` Jon Hunter
2024-02-14 14:23 ` Greg Kroah-Hartman
2024-02-14 11:07 ` Naresh Kamboju
2024-02-14 11:22 ` Yann Sionneau
2024-02-14 16:44 ` Sven Joachim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240213171845.668600346@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+fa3ef895554bdbfd1183@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.