From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com,
Alexey Kodanev <alexey.kodanev@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.16 08/48] dccp: dont free ccid2_hc_tx_sock struct in dccp_disconnect()
Date: Sat, 9 Jun 2018 17:29:20 +0200 [thread overview]
Message-ID: <20180609145948.206133690@linuxfoundation.org> (raw)
In-Reply-To: <20180609145947.679103414@linuxfoundation.org>
4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <alexey.kodanev@oracle.com>
[ Upstream commit 2677d20677314101293e6da0094ede7b5526d2b1 ]
Syzbot reported the use-after-free in timer_is_static_object() [1].
This can happen because the structure for the rto timer (ccid2_hc_tx_sock)
is removed in dccp_disconnect(), and ccid2_hc_tx_rto_expire() can be
called after that.
The report [1] is similar to the one in commit 120e9dabaf55 ("dccp:
defer ccid_hc_tx_delete() at dismantle time"), and the fix is the same:
delay freeing the ccid2_hc_tx_sock structure so that it is freed in
dccp_sk_destruct().
[1]
==================================================================
BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90
kernel/time/timer.c:607
Read of size 8 at addr ffff8801bebb5118 by task syz-executor2/25299
CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508
debug_timer_activate kernel/time/timer.c:709 [inline]
debug_activate kernel/time/timer.c:764 [inline]
__mod_timer kernel/time/timer.c:1041 [inline]
mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102
sk_reset_timer+0x22/0x60 net/core/sock.c:2742
ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147
call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
expire_timers kernel/time/timer.c:1363 [inline]
__run_timers+0x79e/0xc50 kernel/time/timer.c:1666
run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1d1/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:525 [inline]
smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
</IRQ>
...
Allocated by task 25374:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
__dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344
dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538
dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128
dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408
dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415
dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197
dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841
ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
dst_input include/net/dst.h:450 [inline]
ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
__netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
__netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
process_backlog+0x219/0x760 net/core/dev.c:5337
napi_poll net/core/dev.c:5735 [inline]
net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
Freed by task 25374:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
ccid_hc_tx_delete+0xc3/0x100 net/dccp/ccid.c:190
dccp_disconnect+0x130/0xc66 net/dccp/proto.c:286
dccp_close+0x3bc/0xe60 net/dccp/proto.c:1045
inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460
sock_release+0x96/0x1b0 net/socket.c:594
sock_close+0x16/0x20 net/socket.c:1149
__fput+0x34d/0x890 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x1e4/0x290 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801bebb4cc0
which belongs to the cache ccid2_hc_tx_sock of size 1240
The buggy address is located 1112 bytes inside of
1240-byte region [ffff8801bebb4cc0, ffff8801bebb5198)
The buggy address belongs to the page:
page:ffffea0006faed00 count:1 mapcount:0 mapping:ffff8801bebb41c0
index:0xffff8801bebb5240 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801bebb41c0 ffff8801bebb5240 0000000100000003
raw: ffff8801cdba3138 ffffea0007634120 ffff8801cdbaab40 0000000000000000
page dumped because: kasan: bad access detected
...
==================================================================
Reported-by: syzbot+5d47e9ec91a6f15dbd6f@syzkaller.appspotmail.com
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dccp/proto.c | 2 --
1 file changed, 2 deletions(-)
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -283,9 +283,7 @@ int dccp_disconnect(struct sock *sk, int
dccp_clear_xmit_timers(sk);
ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
- ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
dp->dccps_hc_rx_ccid = NULL;
- dp->dccps_hc_tx_ccid = NULL;
__skb_queue_purge(&sk->sk_receive_queue);
__skb_queue_purge(&sk->sk_write_queue);
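Review bot: the hunk now treats the two CCIDs asymmetrically, with the rx side still deleted and NULLed two lines above while the tx side is kept across dccp_disconnect(), and nothing at the removal site says why; a one-line comment such as "/* tx CCID is released in dccp_sk_destruct() */" next to the remaining ccid_hc_rx_delete() call would stop a later reader from restoring the symmetric delete and reintroducing the race. It would also help to state in the description that a subsequent reconnect does not activate a second tx CCID for the same socket, since nothing visible in this hunk releases the retained one before dccp_sk_destruct() runs.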
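The ordering hazard the commit message describes (the CCID tx object torn down in disconnect while its RTO timer can still fire, versus releasing it only in the socket destructor) as an added user-space model. This is example code written for this page, not kernel code and not the author's patch; every name below (ccid_tx, sock_model, run_lifecycle, and the disconnect/destruct helpers) is a constructed stand-in for the kernel structures and functions named in the report, and a "free" is recorded in the object's state rather than performed immediately so that the dangling reference can be reported instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed user-space model (not kernel code) of the lifecycle the
 * commit message describes: a per-socket CCID TX object owns an RTO
 * timer whose callback dereferences the object. A "free" is recorded
 * in the object's state instead of being performed at once, so a
 * dangling reference is reported rather than crashing the process.
 */

enum obj_state { OBJ_LIVE, OBJ_FREED };

struct ccid_tx {                /* stands in for ccid2_hc_tx_sock */
    enum obj_state state;
    bool rto_timer_armed;       /* a pending timer still points at us */
    int rto_expirations;
};

struct sock_model {             /* the dccp_sock fields this model needs */
    struct ccid_tx *hc_tx_ccid; /* dccps_hc_tx_ccid analogue */
    struct ccid_tx *timer_ref;  /* raw pointer the armed timer will use */
};

struct lifecycle_result {
    int late_timer_rc;          /* 0: valid access, -1: touched freed memory */
    int expirations;            /* callbacks that ran against live memory */
};

/* ccid_new() analogue: allocate the TX CCID and arm its RTO timer. */
static struct ccid_tx *ccid_tx_new(struct sock_model *sk)
{
    struct ccid_tx *tx = calloc(1, sizeof *tx);
    if (!tx)
        abort();
    tx->state = OBJ_LIVE;
    tx->rto_timer_armed = true;
    sk->hc_tx_ccid = tx;
    sk->timer_ref = tx;         /* the timer keeps its own pointer */
    return tx;
}

/* ccid2_hc_tx_rto_expire() analogue, run when the timer fires. */
static int rto_expire(struct sock_model *sk)
{
    struct ccid_tx *tx = sk->timer_ref;
    if (!tx || !tx->rto_timer_armed)
        return 0;               /* timer cancelled: nothing to do */
    if (tx->state == OBJ_FREED)
        return -1;              /* the use-after-free in the report */
    tx->rto_expirations++;
    return 0;
}

/* dccp_disconnect() before the patch: the TX CCID is released while a
 * timer may still be pending (the two removed lines of the hunk). */
static void disconnect_before_fix(struct sock_model *sk)
{
    if (sk->hc_tx_ccid)
        sk->hc_tx_ccid->state = OBJ_FREED;
    sk->hc_tx_ccid = NULL;
}

/* dccp_disconnect() after the patch: the TX CCID is left alone. */
static void disconnect_after_fix(struct sock_model *sk)
{
    (void)sk;
}

/* dccp_sk_destruct() analogue: no timer can fire once the socket is
 * being destroyed, so cancelling and releasing here is safe. */
static void sk_destruct(struct sock_model *sk)
{
    if (sk->hc_tx_ccid) {
        sk->hc_tx_ccid->rto_timer_armed = false;
        sk->hc_tx_ccid->state = OBJ_FREED;
        sk->hc_tx_ccid = NULL;
    }
}

/* One lifecycle: activate, disconnect, late timer expiry, destruct. */
static struct lifecycle_result run_lifecycle(bool patched)
{
    struct sock_model sk = {0};
    struct lifecycle_result r;

    ccid_tx_new(&sk);
    if (patched)
        disconnect_after_fix(&sk);
    else
        disconnect_before_fix(&sk);
    r.late_timer_rc = rto_expire(&sk);    /* timer fires after disconnect */
    sk_destruct(&sk);
    r.expirations = sk.timer_ref->rto_expirations;
    free(sk.timer_ref);                   /* real release, after all checks */
    return r;
}

int main(void)
{
    struct lifecycle_result before = run_lifecycle(false);
    struct lifecycle_result after = run_lifecycle(true);
    printf("before fix: late timer rc=%d (-1 = use-after-free)\n", before.late_timer_rc);
    printf("after fix:  late timer rc=%d, expirations=%d\n", after.late_timer_rc, after.expirations);
    return 0;
}
```

The model deliberately keeps the object's memory until the end of run_lifecycle() so that rto_expire() can observe the OBJ_FREED state; in the real kernel that observation is what KASAN's quarantine provided in the report above. Run with the two variants and the pre-patch ordering returns -1 from the late expiry, while the patched ordering completes the callback against live memory and releases the object only from the destructor.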