From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, syzbot <syzkaller@googlegroups.com>,
Eric Dumazet <edumazet@google.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Jakub Kicinski <kuba@kernel.org>,
Zhengchao Shao <shaozhengchao@huawei.com>
Subject: [PATCH 5.15 67/80] tcp: Clean up kernel listeners reqsk in inet_twsk_purge()
Date: Tue, 30 Apr 2024 12:40:39 +0200 [thread overview]
Message-ID: <20240430103045.395477566@linuxfoundation.org> (raw)
In-Reply-To: <20240430103043.397234724@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit 740ea3c4a0b2e326b23d7cdf05472a0e92aa39bc upstream.
Eric Dumazet reported a use-after-free related to the per-netns ehash
series. [0]
When we create a TCP socket from userspace, the socket always holds a
refcnt of the netns. This guarantees that a reqsk timer is always fired
before netns dismantle. Each reqsk has a refcnt of its listener, so the
listener is not freed before the reqsk, and the net is not freed before
the listener as well.
OTOH, when in-kernel users create a TCP socket, it might not hold a refcnt
of its netns. Thus, a reqsk timer can be fired after the netns dismantle
and access freed per-netns ehash.
To avoid the use-after-free, we need to clean up TCP_NEW_SYN_RECV sockets
in inet_twsk_purge() if the netns uses a per-netns ehash.
[0]: https://lore.kernel.org/netdev/CANn89iLXMup0dRD_Ov79Xt8N9FM0XdhCHEN05sf3eLwxKweM6w@mail.gmail.com/
BUG: KASAN: use-after-free in tcp_or_dccp_get_hashinfo
include/net/inet_hashtables.h:181 [inline]
BUG: KASAN: use-after-free in reqsk_queue_unlink+0x320/0x350
net/ipv4/inet_connection_sock.c:913
Read of size 8 at addr ffff88807545bd80 by task syz-executor.2/8301
CPU: 1 PID: 8301 Comm: syz-executor.2 Not tainted
6.0.0-syzkaller-02757-gaf7d23f9d96a #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 09/22/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
tcp_or_dccp_get_hashinfo include/net/inet_hashtables.h:181 [inline]
reqsk_queue_unlink+0x320/0x350 net/ipv4/inet_connection_sock.c:913
inet_csk_reqsk_queue_drop net/ipv4/inet_connection_sock.c:927 [inline]
inet_csk_reqsk_queue_drop_and_put net/ipv4/inet_connection_sock.c:939 [inline]
reqsk_timer_handler+0x724/0x1160 net/ipv4/inet_connection_sock.c:1053
call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1107
</IRQ>
Fixes: d1e5e6408b30 ("tcp: Introduce optional per-netns ehash.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20221012145036.74960-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[shaozhengchao: resolved conflicts in 5.15]
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/inet_timewait_sock.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -268,8 +268,21 @@ restart_rcu:
rcu_read_lock();
restart:
sk_nulls_for_each_rcu(sk, node, &head->chain) {
- if (sk->sk_state != TCP_TIME_WAIT)
+ if (sk->sk_state != TCP_TIME_WAIT) {
+ /* A kernel listener socket might not hold refcnt for net,
+ * so reqsk_timer_handler() could be fired after net is
+ * freed. Userspace listener and reqsk never exist here.
+ */
+ if (unlikely(sk->sk_state == TCP_NEW_SYN_RECV &&
+ hashinfo->pernet)) {
+ struct request_sock *req = inet_reqsk(sk);
+
+ inet_csk_reqsk_queue_drop_and_put(req->rsk_listener, req);
+ }
+
continue;
+ }
+
tw = inet_twsk(sk);
if ((tw->tw_family != family) ||
refcount_read(&twsk_net(tw)->ns.count))
next prev parent reply other threads:[~2024-04-30 11:19 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-30 10:39 [PATCH 5.15 00/80] 5.15.158-rc1 review Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 01/80] smb: client: fix rename(2) regression against samba Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 02/80] cifs: reinstate original behavior again for forceuid/forcegid Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 03/80] HID: intel-ish-hid: ipc: Fix dev_err usage with uninitialized dev->devc Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 04/80] HID: logitech-dj: allow mice to use all types of reports Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 05/80] arm64: dts: rockchip: enable internal pull-up on Q7_USB_ID for RK3399 Puma Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 06/80] arm64: dts: rockchip: fix alphabetical ordering RK3399 puma Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 07/80] arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 08/80] arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro dts Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 09/80] arm64: dts: mediatek: mt8183: Add power-domains properity to mfgcfg Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 10/80] arm64: dts: mediatek: mt7622: add support for coherent DMA Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 11/80] arm64: dts: mediatek: mt7622: introduce nodes for Wireless Ethernet Dispatch Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 12/80] arm64: dts: mediatek: mt7622: fix clock controllers Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 13/80] arm64: dts: mediatek: mt7622: fix IR nodename Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 14/80] arm64: dts: mediatek: mt7622: fix ethernet controller "compatible" Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 15/80] arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 16/80] arm64: dts: mediatek: mt2712: fix validation errors Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 17/80] ARC: [plat-hsdk]: Remove misplaced interrupt-cells property Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 18/80] wifi: iwlwifi: mvm: remove old PASN station when adding a new one Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 19/80] wifi: iwlwifi: mvm: return uid from iwl_mvm_build_scan_cmd Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 20/80] vxlan: drop packets from invalid src-address Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 21/80] mlxsw: core: Unregister EMAD trap using FORWARD action Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 22/80] icmp: prevent possible NULL dereferences from icmp_build_probe() Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 23/80] bridge/br_netlink.c: no need to return void function Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 24/80] NFC: trf7970a: disable all regulators on removal Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 25/80] ipv4: check for NULL idev in ip_route_use_hint() Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 26/80] net: usb: ax88179_178a: stop lying about skb->truesize Greg Kroah-Hartman
2024-04-30 10:39 ` [PATCH 5.15 27/80] net: gtp: Fix Use-After-Free in gtp_dellink Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 28/80] ipvs: Fix checksumming on GSO of SCTP packets Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 29/80] net: openvswitch: Fix Use-After-Free in ovs_ct_exit Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 30/80] mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 31/80] mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 32/80] mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 33/80] mlxsw: spectrum_acl_tcam: Rate limit error message Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 34/80] mlxsw: spectrum_acl_tcam: Fix memory leak during rehash Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 35/80] mlxsw: spectrum_acl_tcam: Fix warning " Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 36/80] mlxsw: spectrum_acl_tcam: Fix incorrect list API usage Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 37/80] mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 38/80] netfilter: nf_tables: honor table dormant flag from netdev release event path Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 39/80] i40e: Do not use WQ_MEM_RECLAIM flag for workqueue Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 40/80] i40e: Report MFS in decimal base instead of hex Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 41/80] iavf: Fix TC config comparison with existing adapter TC config Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 42/80] net: ethernet: ti: am65-cpts: Fix PTPv1 message type on TX packets Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 43/80] af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc() Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 44/80] serial: core: Provide port lock wrappers Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 45/80] serial: mxs-auart: add spinlock around changing cts state Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 46/80] drm-print: add drm_dbg_driver to improve namespace symmetry Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 47/80] drm/vmwgfx: Fix crtcs atomic check conditional Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 48/80] Revert "crypto: api - Disallow identical driver names" Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 49/80] net/mlx5e: Fix a race in command alloc flow Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 50/80] tracing: Show size of requested perf buffer Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 51/80] tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 52/80] x86/cpu: Fix check for RDPKRU in __show_regs() Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 53/80] Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 54/80] Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 55/80] Bluetooth: qca: fix NULL-deref on non-serdev suspend Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 56/80] mmc: sdhci-msm: pervent access to suspended controller Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 57/80] btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 58/80] cpu: Re-enable CPU mitigations by default for !X86 architectures Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 59/80] arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 60/80] drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3 Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 61/80] drm/amdgpu: Fix leak when GPU memory allocation fails Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 62/80] irqchip/gic-v3-its: Prevent double free on error Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 63/80] ethernet: Add helper for assigning packet type when dest address does not match device address Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 64/80] net: b44: set pause params only when interface is up Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 65/80] stackdepot: respect __GFP_NOLOCKDEP allocation flag Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 66/80] mtd: diskonchip: work around ubsan link failure Greg Kroah-Hartman
2024-04-30 10:40 ` Greg Kroah-Hartman [this message]
2024-04-30 10:40 ` [PATCH 5.15 68/80] tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 69/80] dmaengine: owl: fix register access functions Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 70/80] idma64: Dont try to serve interrupts when device is powered off Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 71/80] dma: xilinx_dpdma: Fix locking Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 72/80] dmaengine: idxd: Fix oops during rmmod on single-CPU platforms Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 73/80] riscv: fix VMALLOC_START definition Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 74/80] riscv: Fix TASK_SIZE on 64-bit NOMMU Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 75/80] i2c: smbus: fix NULL function pointer dereference Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 76/80] fbdev: fix incorrect address computation in deferred IO Greg Kroah-Hartman
2024-05-02 8:34 ` Harshit Mogalapalli
2024-04-30 10:40 ` [PATCH 5.15 77/80] HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 78/80] bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 79/80] udp: preserve the connected status if only UDP cmsg Greg Kroah-Hartman
2024-04-30 10:40 ` [PATCH 5.15 80/80] serial: core: fix kernel-doc for uart_port_unlock_irqrestore() Greg Kroah-Hartman
2024-04-30 16:31 ` [PATCH 5.15 00/80] 5.15.158-rc1 review Harshit Mogalapalli
2024-04-30 16:47 ` SeongJae Park
2024-04-30 18:49 ` Florian Fainelli
2024-05-01 8:52 ` Ron Economos
2024-05-01 10:30 ` Naresh Kamboju
2024-05-01 13:38 ` Jon Hunter
2024-05-02 3:05 ` Shuah Khan
2024-05-02 6:38 ` Pascal Ernster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240430103045.395477566@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=patches@lists.linux.dev \
--cc=shaozhengchao@huawei.com \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.