From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C1E3D139568; Mon, 29 Jul 2024 08:46:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=148.163.156.1 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722242768; cv=none; b=PQOPKqGYx4QXDFG+WTzS1gUJ639RDeHRLBVGwnO8Qj4EeuNn2B+8xrlhyl0tjhDDYM3RSi3tGSNS4dnspsiynFtX/lUAXkrzM4r04qN0Bh+7CtIvfNHChAngqs8OmVALp1xRtgs4xewod6E2WU6EmgME6bMz4TbAX59U2CrjY4E= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722242768; c=relaxed/simple; bh=MLjcBaTxpO6P1IZvvVYQmBHkUvRhlAHA8XJ4Vucqct4=; h=Message-ID:Date:Subject:To:Cc:References:From:In-Reply-To: Content-Type:MIME-Version; b=EXNFly3udnnJSDLXKe6LcFzf+oSVzik2L7N/2EXHUVBGuAXZ+ZuZb+yX8pnLskMLd8T80PfkCkDHs4Q/qvRJCe+ApgpGc4hztNyEPLMpMqilxx7xgtyMMsSTWDQyIQv8pasCibdDLQFR3hZceS1kAD2SsPT9Glyz0VnCVYSHMzE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com; spf=pass smtp.mailfrom=linux.ibm.com; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b=tAt7lgNE; arc=none smtp.client-ip=148.163.156.1 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="tAt7lgNE" Received: from pps.filterd (m0356517.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 46T8QgRn026379; Mon, 29 Jul 2024 08:45:54 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h= message-id:date:subject:to:cc:references:from:in-reply-to :content-type:content-transfer-encoding:mime-version; s=pp1; bh= pdvuivoWd+HSKBiVuKHJSsk9TqqOkwtD+FXpwcq9EAI=; b=tAt7lgNE77Ua6mmr cMpSU98dIvy4tHabH5wC7DdAL16h2odqFmVuPDrCGyXzJEFWU5QTvdbY2uHdc5Bk WNqPAKmpGGjEo52jHKDwpPH6pdhRhPLFTbGcP/mSYMkB52aLRYTbVK8p236WF/cD 2bZduaprUErM4Hehhd3dbpRQDajIQI+jpIb39sAEJ73x2eH/juOH05qzzAkRRJNz oIzkzEKhrfE7+CoHkSQGPWqVJgtSOm/1GPTw3OjtvesM5BHgtZ5s5B/qcemLPDFn /9ZADMXKRcHH8kPy1wkrm3EAUq+ZzKWfpj/B7SSRmhdMsSbN0OjjVI3KkKycvr2Y hBisCA== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 40n34euaka-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 29 Jul 2024 08:45:54 +0000 (GMT) Received: from m0356517.ppops.net (m0356517.ppops.net [127.0.0.1]) by pps.reinject (8.18.0.8/8.18.0.8) with ESMTP id 46T8hdH6020200; Mon, 29 Jul 2024 08:45:54 GMT Received: from ppma12.dal12v.mail.ibm.com (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 40n34euak3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 29 Jul 2024 08:45:53 +0000 (GMT) Received: from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1]) by ppma12.dal12v.mail.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 46T5pnOB007450; Mon, 29 Jul 2024 08:45:52 GMT Received: from smtprelay05.dal12v.mail.ibm.com ([172.16.1.7]) by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 40nb7twx04-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 29 Jul 2024 08:45:52 +0000 Received: from smtpav01.dal12v.mail.ibm.com (smtpav01.dal12v.mail.ibm.com [10.241.53.100]) by smtprelay05.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 46T8joFs27984546 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 29 Jul 2024 08:45:52 GMT Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1935A58059; Mon, 29 Jul 2024 08:45:50 +0000 (GMT) Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 18BB858058; Mon, 29 Jul 2024 08:45:48 +0000 (GMT) Received: from [9.179.15.240] (unknown [9.179.15.240]) by smtpav01.dal12v.mail.ibm.com (Postfix) with ESMTP; Mon, 29 Jul 2024 08:45:47 +0000 (GMT) Message-ID: Date: Mon, 29 Jul 2024 10:45:47 +0200 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH net] net/smc: prevent UAF in inet_create() To: "D. Wythe" , kgraul@linux.ibm.com, jaka@linux.ibm.com, wintera@linux.ibm.com, guwen@linux.alibaba.com Cc: kuba@kernel.org, davem@davemloft.net, netdev@vger.kernel.org, linux-s390@vger.kernel.org, linux-rdma@vger.kernel.org, tonylu@linux.alibaba.com, pabeni@redhat.com, edumazet@google.com References: <1722224415-30999-1-git-send-email-alibuda@linux.alibaba.com> Content-Language: en-US From: Wenjia Zhang In-Reply-To: <1722224415-30999-1-git-send-email-alibuda@linux.alibaba.com> Content-Type: text/plain; charset=UTF-8; format=flowed X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: kb-HwYZIfsQPMO5AulE2V5GbQ0MW7XWC X-Proofpoint-GUID: GXWjxH3SFmzH21GeFrBuTRafqynB7doY Content-Transfer-Encoding: 7bit X-Proofpoint-UnRewURL: 0 URL was un-rewritten Precedence: bulk X-Mailing-List: linux-s390@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-29_06,2024-07-26_01,2024-05-17_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 malwarescore=0 mlxscore=0 mlxlogscore=743 clxscore=1011 suspectscore=0 priorityscore=1501 phishscore=0 impostorscore=0 lowpriorityscore=0 bulkscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2407110000 definitions=main-2407290057 On 29.07.24 05:40, D. Wythe wrote: > From: "D. Wythe" > > Following syzbot repro crashes the kernel: > > socketpair(0x2, 0x1, 0x100, &(0x7f0000000140)) (fail_nth: 13) > > Fix this by not calling sk_common_release() from smc_create_clcsk(). > > Stack trace: > socket: no more sockets > ------------[ cut here ]------------ > refcount_t: underflow; use-after-free. > WARNING: CPU: 1 PID: 5092 at lib/refcount.c:28 > refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28 > Modules linked in: > CPU: 1 PID: 5092 Comm: syz-executor424 Not tainted > 6.10.0-syzkaller-04483-g0be9ae5486cd #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 06/27/2024 > RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28 > Code: 80 f3 1f 8c e8 e7 69 a8 fc 90 0f 0b 90 90 eb 99 e8 cb 4f e6 fc c6 > 05 8a 8d e8 0a 01 90 48 c7 c7 e0 f3 1f 8c e8 c7 69 a8 fc 90 <0f> 0b 90 > 90 e9 76 ff ff ff e8 a8 4f e6 fc c6 05 64 8d e8 0a 01 90 > RSP: 0018:ffffc900034cfcf0 EFLAGS: 00010246 > RAX: 3b9fcde1c862f700 RBX: ffff888022918b80 RCX: ffff88807b39bc00 > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 > RBP: 0000000000000003 R08: ffffffff815878a2 R09: fffffbfff1c39d94 > R10: dffffc0000000000 R11: fffffbfff1c39d94 R12: 00000000ffffffe9 > R13: 1ffff11004523165 R14: ffff888022918b28 R15: ffff888022918b00 > FS: 00005555870e7380(0000) GS:ffff8880b9500000(0000) > knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000020000140 CR3: 000000007582e000 CR4: 00000000003506f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > > inet_create+0xbaf/0xe70 > __sock_create+0x490/0x920 net/socket.c:1571 > sock_create net/socket.c:1622 [inline] > __sys_socketpair+0x2ca/0x720 net/socket.c:1769 > __do_sys_socketpair net/socket.c:1822 [inline] > __se_sys_socketpair net/socket.c:1819 [inline] > __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1819 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7fbcb9259669 > Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 > f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 > f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007fffe931c6d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000035 > RAX: ffffffffffffffda RBX: 00007fffe931c6f0 RCX: 00007fbcb9259669 > RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000002 > RBP: 0000000000000002 R08: 00007fffe931c476 R09: 00000000000000a0 > R10: 0000000020000140 R11: 0000000000000246 R12: 00007fffe931c6ec > R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001 > > > Link: https://lore.kernel.org/r/20240723175809.537291-1-edumazet@google.com/ > Fixes: d25a92ccae6b ("net/smc: Introduce IPPROTO_SMC") > Reported-by: syzbot > Signed-off-by: D. Wythe It looks good to me. Reviewed-by: Wenjia Zhang Thanks!