From: Jakub Kicinski <kuba@kernel.org>
To: Kuniyuki Iwashima <kuni1840@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Kuniyuki Iwashima <kuniyu@google.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH v1 net 0/4] af_unix: Fix two OOB issues.
Date: Wed, 18 Jun 2025 06:41:26 -0700
Message-ID: <20250618064126.2cf21b31@kernel.org>
In-Reply-To: <20250618043453.281247-1-kuni1840@gmail.com>

On Tue, 17 Jun 2025 21:34:38 -0700 Kuniyuki Iwashima wrote:
> Patch 1 fixes issues that happen when multiple consumed OOB
> skbs are placed consecutively in the recv queue.
>
> Patch 2 fixes an inconsistent behaviour that close()ing a socket
> with a consumed OOB skb at the head of the recv queue triggers
> -ECONNRESET on the peer's recv().

It appears to break the scm_rights tests, including a UAF.

# # RUN scm_rights.stream_listener.self_ref ...
# # scm_rights.c:176:self_ref:Expected 0 (0) == ret (4)
# # self_ref: Test terminated by assertion
# # FAIL scm_rights.stream_listener.self_ref
# not ok 25 scm_rights.stream_listener.self_ref
# # RUN scm_rights.stream_listener.triangle ...
# # scm_rights.c:176:triangle:Expected 0 (0) == ret (12)
# # triangle: Test terminated by assertion
# # FAIL scm_rights.stream_listener.triangle
# not ok 26 scm_rights.stream_listener.triangle
# # RUN scm_rights.stream_listener.cross_edge ...
# # scm_rights.c:176:cross_edge:Expected 0 (0) == ret (16)
# # cross_edge: Test terminated by assertion
# # FAIL scm_rights.stream_listener.cross_edge
# not ok 27 scm_rights.stream_listener.cross_edge
# # RUN scm_rights.stream_listener.backtrack_from_scc ...
[ 5716.340166][T26625] ==================================================================
[ 5716.340494][T26625] BUG: KASAN: slab-use-after-free in __unix_walk_scc+0x8e0/0xce0
[ 5716.340761][T26625] Read of size 8 at addr ffff88801d8c6fd0 by task kworker/u17:0/26625
[ 5716.341015][T26625]
[ 5716.341103][T26625] CPU: 2 UID: 0 PID: 26625 Comm: kworker/u17:0 Not tainted 6.16.0-rc1-virtme #1 PREEMPT(full)
[ 5716.341109][T26625] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 5716.341112][T26625] Workqueue: events_unbound __unix_gc
[ 5716.341118][T26625] Call Trace:
[ 5716.341120][T26625] <TASK>
[ 5716.341123][T26625] dump_stack_lvl+0x82/0xd0
[ 5716.341133][T26625] print_address_description.constprop.0+0x2c/0x400
[ 5716.341141][T26625] ? __unix_walk_scc+0x8e0/0xce0
[ 5716.341145][T26625] print_report+0xb4/0x270
[ 5716.341148][T26625] ? __unix_walk_scc+0x8e0/0xce0
[ 5716.341152][T26625] ? kasan_addr_to_slab+0x25/0x80
[ 5716.341155][T26625] ? __unix_walk_scc+0x8e0/0xce0
[ 5716.341158][T26625] kasan_report+0xca/0x100
[ 5716.341163][T26625] ? __unix_walk_scc+0x8e0/0xce0
[ 5716.341168][T26625] __unix_walk_scc+0x8e0/0xce0
[ 5716.341174][T26625] ? __pfx___unix_walk_scc+0x10/0x10
[ 5716.341178][T26625] ? do_raw_spin_lock+0x130/0x270
[ 5716.341185][T26625] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 5716.341189][T26625] ? lock_acquire+0x10c/0x170
[ 5716.341192][T26625] ? __unix_gc+0x8b/0x400
[ 5716.341197][T26625] __unix_gc+0x29f/0x400
[ 5716.341201][T26625] ? __pfx___unix_gc+0x10/0x10
[ 5716.341207][T26625] ? rcu_is_watching+0x12/0xc0
[ 5716.341215][T26625] ? rcu_is_watching+0x12/0xc0
[ 5716.341219][T26625] process_one_work+0xe43/0x1660
[ 5716.341228][T26625] ? __pfx_process_one_work+0x10/0x10
[ 5716.341233][T26625] ? assign_work+0x16c/0x240
[ 5716.341241][T26625] worker_thread+0x591/0xcf0
[ 5716.341246][T26625] ? __pfx_worker_thread+0x10/0x10
[ 5716.341250][T26625] kthread+0x37e/0x600
[ 5716.341254][T26625] ? __pfx_kthread+0x10/0x10
[ 5716.341256][T26625] ? ret_from_fork+0x1b/0x320
[ 5716.341261][T26625] ? __lock_release+0x5d/0x170
[ 5716.341265][T26625] ? rcu_is_watching+0x12/0xc0
[ 5716.341268][T26625] ? __pfx_kthread+0x10/0x10
[ 5716.341271][T26625] ret_from_fork+0x240/0x320
[ 5716.341274][T26625] ? __pfx_kthread+0x10/0x10
[ 5716.341276][T26625] ret_from_fork_asm+0x1a/0x30
[ 5716.341286][T26625] </TASK>
[ 5716.341288][T26625]
[ 5716.347648][T26625] Allocated by task 12654:
[ 5716.347814][T26625] kasan_save_stack+0x24/0x50
[ 5716.347983][T26625] kasan_save_track+0x14/0x30
[ 5716.348171][T26625] __kasan_slab_alloc+0x59/0x70
[ 5716.348348][T26625] kmem_cache_alloc_noprof+0x10b/0x330
[ 5716.348522][T26625] sk_prot_alloc.constprop.0+0x4e/0x1b0
[ 5716.348695][T26625] sk_alloc+0x36/0x6c0
[ 5716.348823][T26625] unix_create1+0x84/0x6f0
[ 5716.348991][T26625] unix_create+0xcb/0x170
[ 5716.349119][T26625] __sock_create+0x23c/0x6a0
[ 5716.349287][T26625] __sys_socket+0x11a/0x1d0
[ 5716.349457][T26625] __x64_sys_socket+0x72/0xb0
[ 5716.349634][T26625] do_syscall_64+0xc1/0x380
[ 5716.349803][T26625] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5716.350014][T26625]
[ 5716.350098][T26625] Freed by task 12654:
[ 5716.350223][T26625] kasan_save_stack+0x24/0x50
[ 5716.350390][T26625] kasan_save_track+0x14/0x30
[ 5716.350586][T26625] kasan_save_free_info+0x3b/0x60
[ 5716.350759][T26625] __kasan_slab_free+0x38/0x50
[ 5716.350930][T26625] kmem_cache_free+0x149/0x330
[ 5716.351099][T26625] __sk_destruct+0x46e/0x780
[ 5716.351269][T26625] unix_release_sock+0xa0e/0xf90
[ 5716.351440][T26625] unix_release+0x8c/0xf0
[ 5716.351574][T26625] __sock_release+0xa6/0x260
[ 5716.351763][T26625] sock_close+0x18/0x20
[ 5716.351980][T26625] __fput+0x35c/0xa80
[ 5716.352125][T26625] fput_close_sync+0xdd/0x190
[ 5716.352293][T26625] __x64_sys_close+0x7d/0xd0
[ 5716.352464][T26625] do_syscall_64+0xc1/0x380
[ 5716.352724][T26625] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5716.352933][T26625]
[ 5716.353018][T26625] The buggy address belongs to the object at ffff88801d8c6940
[ 5716.353018][T26625] which belongs to the cache UNIX-STREAM of size 1984
[ 5716.353553][T26625] The buggy address is located 1680 bytes inside of
[ 5716.353553][T26625] freed 1984-byte region [ffff88801d8c6940, ffff88801d8c7100)
[ 5716.353951][T26625]
[ 5716.354037][T26625] The buggy address belongs to the physical page:
[ 5716.354324][T26625] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d8c0
[ 5716.354621][T26625] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 5716.354966][T26625] flags: 0x80000000000040(head|node=0|zone=1)
[ 5716.355181][T26625] page_type: f5(slab)
[ 5716.355311][T26625] raw: 0080000000000040 ffff888005b4edc0 ffffea00002b7610 ffffea0000763210
[ 5716.355702][T26625] raw: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5716.356022][T26625] head: 0080000000000040 ffff888005b4edc0 ffffea00002b7610 ffffea0000763210
[ 5716.356330][T26625] head: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5716.356727][T26625] head: 0080000000000003 ffffea0000763001 00000000ffffffff 00000000ffffffff
[ 5716.357027][T26625] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5716.357434][T26625] page dumped because: kasan: bad access detected
[ 5716.357635][T26625]
[ 5716.357716][T26625] Memory state around the buggy address:
[ 5716.357874][T26625] ffff88801d8c6e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.358115][T26625] ffff88801d8c6f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.358382][T26625] >ffff88801d8c6f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.358720][T26625] ^
[ 5716.358921][T26625] ffff88801d8c7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.359162][T26625] ffff88801d8c7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5716.359506][T26625] ==================================================================
[ 5716.359805][T26625] Disabling lock debugging due to kernel taint
# # scm_rights.c:176:backtrack_from_scc:Expected 0 (0) == ret (22)
# # backtrack_from_scc: Test terminated by assertion
# # FAIL scm_rights.stream_listener.backtrack_from_scc
# not ok 28 scm_rights.stream_listener.backtrack_from_scc
--
pw-bot: cr
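Added example (not part of Jakub's message, the kernel, or the kselftest suite): a small Python parser for the KASAN report and the kselftest TAP lines quoted above, so a CI log can be triaged automatically. It pulls out the bug class, the faulting function, the access type and task, the slab cache, and the allocating and freeing stacks, and it cross-checks that the faulting address really sits at the printed offset inside the freed region. The embedded sample is a trimmed excerpt of the log in this message; the parser assumes the report layout printed by this kernel (the `[ ts][Tpid]` prefix comes from CONFIG_PRINTK_CALLER) and drops `? ` frames, which the unwinder marks as unreliable.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the log posted in this message, trimmed to
# the lines the parser consumes ("[ ts][Tpid]" is the CONFIG_PRINTK_CALLER prefix).
SAMPLE_LOG = """\
# not ok 25 scm_rights.stream_listener.self_ref
# not ok 26 scm_rights.stream_listener.triangle
[ 5716.340166][T26625] ==================================================================
[ 5716.340494][T26625] BUG: KASAN: slab-use-after-free in __unix_walk_scc+0x8e0/0xce0
[ 5716.340761][T26625] Read of size 8 at addr ffff88801d8c6fd0 by task kworker/u17:0/26625
[ 5716.341015][T26625]
[ 5716.341118][T26625] Call Trace:
[ 5716.341120][T26625] <TASK>
[ 5716.341163][T26625] ? __unix_walk_scc+0x8e0/0xce0
[ 5716.341168][T26625] __unix_walk_scc+0x8e0/0xce0
[ 5716.341197][T26625] __unix_gc+0x29f/0x400
[ 5716.341286][T26625] </TASK>
[ 5716.341288][T26625]
[ 5716.347648][T26625] Allocated by task 12654:
[ 5716.348695][T26625] sk_alloc+0x36/0x6c0
[ 5716.348823][T26625] unix_create1+0x84/0x6f0
[ 5716.350014][T26625]
[ 5716.350098][T26625] Freed by task 12654:
[ 5716.351099][T26625] __sk_destruct+0x46e/0x780
[ 5716.351269][T26625] unix_release_sock+0xa0e/0xf90
[ 5716.352933][T26625]
[ 5716.353018][T26625] which belongs to the cache UNIX-STREAM of size 1984
[ 5716.353553][T26625] The buggy address is located 1680 bytes inside of
[ 5716.353553][T26625] freed 1984-byte region [ffff88801d8c6940, ffff88801d8c7100)
[ 5716.359506][T26625] ==================================================================
# not ok 28 scm_rights.stream_listener.backtrack_from_scc
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[T\d+\]\s?")  # printk timestamp + caller id
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
REGION = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
STACK_HDR = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<task>\d+):")
TAP_FAIL = re.compile(r"^#\s*not ok (?P<num>\d+) (?P<name>\S+)")

@dataclass
class KasanReport:
    kind: str = ""          # e.g. slab-use-after-free
    func: str = ""          # symbol+offset where the bad access happened
    op: str = ""            # Read / Write
    size: int = 0           # bytes accessed
    addr: int = 0           # faulting address
    task: str = ""          # task performing the access
    cache: str = ""         # slab cache the object came from
    offset: int = -1        # offset of addr inside the object, as KASAN printed it
    region: tuple = (0, 0)  # [start, end) of the object
    alloc_task: int = 0
    free_task: int = 0
    call_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

    def consistent(self) -> bool:
        start, end = self.region  # addr must lie in the region at exactly the printed offset
        return start <= self.addr < end and self.addr - start == self.offset

def parse_kasan(text: str) -> list:
    """Return one KasanReport per '====' delimited block in a dmesg/CI log."""
    reports, cur, section = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("===="):               # opens or closes a report
            if cur is not None:
                reports.append(cur)
            cur, section = (KasanReport() if cur is None else None), None
        elif cur is None or not line:             # outside a report, or blank ends a stack
            section = None
        elif m := BUG.search(line):
            cur.kind, cur.func = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            cur.op, cur.size, cur.addr, cur.task = m["op"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif m := CACHE.search(line):
            cur.cache = m["cache"]
        elif m := OFFSET.search(line):
            cur.offset = int(m["off"])
        elif m := REGION.search(line):
            cur.region = (int(m["start"], 16), int(m["end"], 16))
        elif line == "Call Trace:":
            section = "call"
        elif m := STACK_HDR.match(line):
            section = "alloc" if m["which"] == "Allocated" else "free"
            setattr(cur, section + "_task", int(m["task"]))
        elif section and not line.startswith(("<", "?")):   # skip <TASK> markers, "? " frames
            getattr(cur, section + "_stack").append(line)
    return reports

def failing_tests(text: str) -> list:
    return [(int(m["num"]), m["name"])  # (test number, test name) for every TAP "not ok"
            for raw in text.splitlines() if (m := TAP_FAIL.match(raw.strip()))]
```

Running `parse_kasan(SAMPLE_LOG)` on the excerpt yields a single report whose `consistent()` check passes: the faulting address 0xffff88801d8c6fd0 is exactly 1680 bytes past the start of the freed 1984-byte UNIX-STREAM object, matching what KASAN printed, and the freeing stack (`__sk_destruct` via `unix_release_sock`) paired with the access in `__unix_walk_scc` from the `__unix_gc` workqueue is what makes this a GC-walks-a-released-socket use-after-free rather than a stray pointer. `failing_tests` lists the three `not ok` scm_rights cases so the failure can be correlated with the report.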