From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Gerrit Renker <gerrit@erg.abdn.ac.uk>,
Thomas Gleixner <tglx@linutronix.de>,
Arnaldo Carvalho de Melo <acme@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 08/28] dccp: Unlock sock before calling sk_free()
Date: Mon, 20 Mar 2017 18:49:03 +0100 [thread overview]
Message-ID: <20170320174719.277300948@linuxfoundation.org> (raw)
In-Reply-To: <20170320174718.794407270@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit d5afb6f9b6bb2c57bd0c05e76e12489dc0d037d9 ]
The code where sk_clone() came from created a new socket and locked it,
but then, on the error path didn't unlock it.
This problem stayed there for a long while, till b0691c8ee7c2 ("net:
Unlock sock before calling sk_free()") fixed it, but unfortunately the
callers of sk_clone() (now sk_clone_locked()) were not audited and the
one in dccp_create_openreq_child() remained.
Now in the age of the syskaller fuzzer, this was finally uncovered, as
reported by Dmitry:
---- 8< ----
I've got the following report while running syzkaller fuzzer on
86292b33d4b7 ("Merge branch 'akpm' (patches from Andrew)")
[ BUG: held lock freed! ]
4.10.0+ #234 Not tainted
-------------------------
syz-executor6/6898 is freeing memory
ffff88006286cac0-ffff88006286d3b7, with a lock still held there!
(slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>] spin_lock
include/linux/spinlock.h:299 [inline]
(slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>]
sk_clone_lock+0x3d9/0x12c0 net/core/sock.c:1504
5 locks held by syz-executor6/6898:
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff839a34b4>] lock_sock
include/net/sock.h:1460 [inline]
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff839a34b4>]
inet_stream_connect+0x44/0xa0 net/ipv4/af_inet.c:681
#1: (rcu_read_lock){......}, at: [<ffffffff83bc1c2a>]
inet6_csk_xmit+0x12a/0x5d0 net/ipv6/inet6_connection_sock.c:126
#2: (rcu_read_lock){......}, at: [<ffffffff8369b424>] __skb_unlink
include/linux/skbuff.h:1767 [inline]
#2: (rcu_read_lock){......}, at: [<ffffffff8369b424>] __skb_dequeue
include/linux/skbuff.h:1783 [inline]
#2: (rcu_read_lock){......}, at: [<ffffffff8369b424>]
process_backlog+0x264/0x730 net/core/dev.c:4835
#3: (rcu_read_lock){......}, at: [<ffffffff83aeb5c0>]
ip6_input_finish+0x0/0x1700 net/ipv6/ip6_input.c:59
#4: (slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>] spin_lock
include/linux/spinlock.h:299 [inline]
#4: (slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>]
sk_clone_lock+0x3d9/0x12c0 net/core/sock.c:1504
Fix it just like was done by b0691c8ee7c2 ("net: Unlock sock before calling
sk_free()").
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20170301153510.GE15145@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dccp/minisocks.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -122,6 +122,7 @@ struct sock *dccp_create_openreq_child(c
/* It is still raw copy of parent, so invalidate
* destructor and make plain sk_free() */
newsk->sk_destruct = NULL;
+ bh_unlock_sock(newsk);
sk_free(newsk);
return NULL;
}
next prev parent reply other threads:[~2017-03-20 17:57 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-20 17:48 [PATCH 4.4 00/28] 4.4.56-stable review Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 01/28] netlink: remove mmapped netlink support Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 02/28] [PATCH 04/41] vxlan: correctly validate VXLAN ID against VXLAN_N_VID Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 03/28] [PATCH 05/41] vti6: return GRE_KEY for vti6 Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 04/28] ipv4: mask tos for input route Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 06/28] net: dont call strlen() on the user buffer in packet_bind_spkt() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 07/28] net: net_enable_timestamp() can be called from irq contexts Greg Kroah-Hartman
2017-03-20 17:49 ` Greg Kroah-Hartman [this message]
2017-03-20 17:49 ` [PATCH 4.4 09/28] tcp: fix various issues for sockets morphing to listen state Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 10/28] net: fix socket refcounting in skb_complete_wifi_ack() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 11/28] net: fix socket refcounting in skb_complete_tx_timestamp() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 12/28] dccp: fix use-after-free in dccp_feat_activate_values Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 13/28] vrf: Fix use-after-free in vrf_xmit Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 14/28] uapi: fix linux/packet_diag.h userspace compilation error Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 16/28] mpls: Send route delete notifications when router module is unloaded Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 17/28] ipv6: make ECMP route replacement less greedy Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 18/28] ipv6: avoid write to a possibly cloned skb Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 19/28] bridge: drop netfilter fake rtable unconditionally Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 21/28] dccp: fix memory leak during tear-down of unsuccessful connection request Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 22/28] net sched actions: decrement module reference count after table flush Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 23/28] fscrypt: fix renaming and linking special files Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 24/28] fscrypto: lock inode while setting encryption policy Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 25/28] x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 26/28] x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 27/28] futex: Fix potential use-after-free in FUTEX_REQUEUE_PI Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 28/28] futex: Add missing error handling to FUTEX_REQUEUE_PI Greg Kroah-Hartman
2017-03-21 0:11 ` [PATCH 4.4 00/28] 4.4.56-stable review Shuah Khan
2017-03-21 2:13 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170320174719.277300948@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=acme@redhat.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=gerrit@erg.abdn.ac.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).