From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com,
Magnus Karlsson <magnus.karlsson@intel.com>,
Martin KaFai Lau <martin.lau@kernel.org>
Subject: [PATCH 5.15 49/89] xsk: fix refcount underflow in error path
Date: Sun, 13 Aug 2023 23:19:40 +0200 [thread overview]
Message-ID: <20230813211712.260561254@linuxfoundation.org> (raw)
In-Reply-To: <20230813211710.787645394@linuxfoundation.org>
From: Magnus Karlsson <magnus.karlsson@intel.com>
commit 85c2c79a07302fe68a1ad5cc449458cc559e314d upstream.
Fix a refcount underflow problem reported by syzbot that can happen
when a system is running out of memory. If xp_alloc_tx_descs() fails,
and it can only fail due to not having enough memory, then the error
path is triggered. In this error path, the refcount of the pool is
decremented as it has incremented before. However, the reference to
the pool in the socket was not nulled. This means that when the socket
is closed later, the socket teardown logic will think that there is a
pool attached to the socket and try to decrease the refcount again,
leading to a refcount underflow.
I chose this fix as it involved adding just a single line. Another
option would have been to move xp_get_pool() and the assignment of
xs->pool to after the if-statement and using xs_umem->pool instead of
xs->pool in the whole if-statement resulting in somewhat simpler code,
but this would have led to much more churn in the code base perhaps
making it harder to backport.
Fixes: ba3beec2ec1d ("xsk: Fix possible crash when multiple sockets are created")
Reported-by: syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Link: https://lore.kernel.org/r/20230809142843.13944-1-magnus.karlsson@gmail.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xdp/xsk.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -1001,6 +1001,7 @@ static int xsk_bind(struct socket *sock,
err = xp_alloc_tx_descs(xs->pool, xs);
if (err) {
xp_put_pool(xs->pool);
+ xs->pool = NULL;
sockfd_put(sock);
goto out_unlock;
}
next prev parent reply other threads:[~2023-08-13 21:44 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-13 21:18 [PATCH 5.15 00/89] 5.15.127-rc1 review Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 5.15 01/89] ksmbd: validate command request size Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 5.15 02/89] ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea() Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 5.15 03/89] wireguard: allowedips: expand maximum node depth Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 5.15 04/89] mmc: moxart: read scr register without changing byte order Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 5.15 05/89] ipv6: adjust ndisc_is_useropt() to also return true for PIO Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 5.15 06/89] dmaengine: pl330: Return DMA_PAUSED when transaction is paused Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 5.15 07/89] riscv,mmio: Fix readX()-to-delay() ordering Greg Kroah-Hartman
2023-08-13 21:18 ` [PATCH 5.15 08/89] drm/nouveau/gr: enable memory loads on helper invocation on all channels Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 09/89] drm/shmem-helper: Reset vma->vm_ops before calling dma_buf_mmap() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 10/89] drm/amd/display: check attr flag before set cursor degamma on DCN3+ Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 11/89] hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100 Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 12/89] radix tree test suite: fix incorrect allocation size for pthreads Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 13/89] nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 14/89] bpf: allow precision tracking for programs with subprogs Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 15/89] bpf: stop setting precise in current state Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 16/89] bpf: aggressively forget precise markings during state checkpointing Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 17/89] selftests/bpf: make test_align selftest more robust Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 18/89] selftests/bpf: Workaround verification failure for fexit_bpf2bpf/func_replace_return_code Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 19/89] selftests/bpf: Fix sk_assign on s390x Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 20/89] io_uring: correct check for O_TMPFILE Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 21/89] iio: cros_ec: Fix the allocation size for cros_ec_command Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 22/89] iio: adc: ina2xx: avoid NULL pointer dereference on OF device match Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 23/89] binder: fix memory leak in binder_init() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 24/89] misc: rtsx: judge ASPM Mode to set PETXCFG Reg Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 25/89] usb-storage: alauda: Fix uninit-value in alauda_check_media() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 26/89] usb: dwc3: Properly handle processing of pending events Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 27/89] usb: common: usb-conn-gpio: Prevent bailing out if initial role is none Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 28/89] usb: typec: tcpm: Fix response to vsafe0V event Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 29/89] x86/srso: Fix build breakage with the LLVM linker Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 30/89] x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 31/89] x86/mm: Fix VDSO and VVAR placement on 5-level paging machines Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 32/89] x86/speculation: Add cpu_show_gds() prototype Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 33/89] x86: Move gds_ucode_mitigated() declaration to header Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 34/89] drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 35/89] netfilter: nf_tables: dont skip expired elements during walk Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 36/89] selftests/rseq: Fix build with undefined __weak Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 37/89] selftests: forwarding: Add a helper to skip test when using veth pairs Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 38/89] selftests: forwarding: ethtool: Skip " Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 39/89] selftests: forwarding: ethtool_extended_state: " Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 40/89] selftests: forwarding: Skip test when no interfaces are specified Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 41/89] selftests: forwarding: Switch off timeout Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 42/89] selftests: forwarding: tc_flower: Relax success criterion Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 43/89] net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 44/89] bpf, sockmap: Fix map type error in sock_map_del_link Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 45/89] bpf, sockmap: Fix bug that strp_done cannot be called Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 46/89] mISDN: Update parameter type of dsp_cmx_send() Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 47/89] net/packet: annotate data-races around tp->status Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 48/89] tunnels: fix kasan splat when generating ipv4 pmtu error Greg Kroah-Hartman
2023-08-13 21:19 ` Greg Kroah-Hartman [this message]
2023-08-13 21:19 ` [PATCH 5.15 50/89] bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 51/89] dccp: fix data-race around dp->dccps_mss_cache Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 52/89] drivers: net: prevent tun_build_skb() to exceed the packet size limit Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 53/89] iavf: fix potential races for FDIR filters Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 54/89] IB/hfi1: Fix possible panic during hotplug remove Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 55/89] drm/rockchip: Dont spam logs in atomic check Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 56/89] wifi: cfg80211: fix sband iftype data lookup for AP_VLAN Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 57/89] RDMA/umem: Set iova in ODP flow Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 58/89] net: phy: at803x: remove set/get wol callbacks for AR8032 Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 59/89] net: hns3: refactor hclge_mac_link_status_wait for interface reuse Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 60/89] net: hns3: add wait until mac link down Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 61/89] nexthop: Fix infinite nexthop dump when using maximum nexthop ID Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 62/89] nexthop: Make nexthop bucket dump more efficient Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 63/89] nexthop: Fix infinite nexthop bucket dump when using maximum nexthop ID Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 64/89] dmaengine: mcf-edma: Fix a potential un-allocated memory access Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 65/89] net/mlx5: Allow 0 for total host VFs Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 66/89] net/mlx5: Skip clock update work when device is in error state Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 67/89] ibmvnic: Enforce stronger sanity checks on login response Greg Kroah-Hartman
2023-08-13 21:19 ` [PATCH 5.15 68/89] ibmvnic: Unmap DMA login rsp buffer on send login fail Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 69/89] ibmvnic: Handle DMA unmapping of login buffs in release functions Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 70/89] btrfs: dont stop integrity writeback too early Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 71/89] btrfs: exit gracefully if reloc roots dont match Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 72/89] btrfs: reject invalid reloc tree root keys with stack dump Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 73/89] btrfs: set cache_block_group_error if we find an error Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 74/89] nvme-tcp: fix potential unbalanced freeze & unfreeze Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 75/89] nvme-rdma: " Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 76/89] netfilter: nf_tables: report use refcount overflow Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 77/89] scsi: core: Fix legacy /proc parsing buffer overflow Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 78/89] scsi: storvsc: Fix handling of virtual Fibre Channel timeouts Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 79/89] scsi: 53c700: Check that command slot is not NULL Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 80/89] scsi: snic: Fix possible memory leak if device_add() fails Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 81/89] scsi: core: " Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 82/89] scsi: fnic: Replace return codes in fnic_clean_pending_aborts() Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 83/89] scsi: qedi: Fix firmware halt over suspend and resume Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 84/89] scsi: qedf: " Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 85/89] alpha: remove __init annotation from exported page_is_ram() Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 86/89] sch_netem: fix issues in netem_change() vs get_dist_table() Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 87/89] tick: Detect and fix jiffies update stall Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 88/89] timers/nohz: Switch to ONESHOT_STOPPED in the low-res handler when the tick is stopped Greg Kroah-Hartman
2023-08-13 21:20 ` [PATCH 5.15 89/89] timers/nohz: Last resort update jiffies on nohz_full IRQ entry Greg Kroah-Hartman
2023-08-14 14:49 ` [PATCH 5.15 00/89] 5.15.127-rc1 review Thierry Reding
2023-08-14 17:33 ` SeongJae Park
2023-08-14 18:27 ` Guenter Roeck
2023-08-15 0:33 ` Ron Economos
2023-08-15 0:50 ` Shuah Khan
2023-08-15 1:42 ` Harshit Mogalapalli
2023-08-15 5:04 ` Daniel Díaz
2023-08-15 16:37 ` Florian Fainelli
2023-08-15 17:07 ` Allen Pais
2023-08-16 16:36 ` Thierry Reding
2023-08-16 22:26 ` Joel Fernandes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230813211712.260561254@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=magnus.karlsson@intel.com \
--cc=martin.lau@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).