From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>,
Eric Dumazet <edumazet@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Benjamin LaHaise <bcrl@kvack.org>,
"David S. Miller" <davem@davemloft.net>,
Al Viro <viro@zeniv.linux.org.uk>,
David Howells <dhowells@redhat.com>,
Ying Xue <ying.xue@windriver.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>,
Kostya Serebryany <kcc@google.com>,
Alexander Potapenko <glider@google.com>,
Sasha Levin <sasha.levin@oracle.com>
Subject: Re: use-after-free in sock_wake_async
Date: Thu, 26 Nov 2015 15:31:33 +0100 [thread overview]
Message-ID: <1448548293.879369.450777185.798D081C@webmail.messagingengine.com> (raw)
In-Reply-To: <87r3jcx4w7.fsf@stressinduktion.org>
On Thu, Nov 26, 2015, at 14:32, Hannes Frederic Sowa wrote:
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 7f89e4b..ae34da1 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -1674,7 +1674,7 @@ static inline void sock_orphan(struct sock *sk)
> static inline void sock_graft(struct sock *sk, struct socket *parent)
> {
> write_lock_bh(&sk->sk_callback_lock);
> - sk->sk_wq = parent->wq;
> + sk->sk_wq = &parent->wq;
RCU_INIT_POINTER(sk->sk_wq, &parent->wq);
> parent->sk = sk;
> sk_set_socket(sk, parent);
> security_sock_graft(sk, parent);
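Review bot: Nothing in the posted diff changes the definition of `struct socket` so that `wq` becomes an embedded `struct socket_wq` rather than the `__rcu` pointer the removed code dereferenced, yet this hunk and every net/socket.c hunk take `&parent->wq` / `&sock->wq`; unless that include/linux/net.h change was sent separately, the series as shown does not build. The `struct socket_wq` definition is likewise not shown, so it is unclear whether its `rcu` member (previously used by the `kfree_rcu(wq, rcu)` removed in net/socket.c) is dropped or left dangling. sock_graft() itself continues outside the hunk.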
> diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
> index 630c197..c125881 100644
> --- a/kernel/rcu/tree_plugin.h
> +++ b/kernel/rcu/tree_plugin.h
> @@ -657,7 +657,7 @@ static void rcu_preempt_do_callbacks(void)
> /*
> * Queue a preemptible-RCU callback for invocation after a grace period.
> */
> -void call_rcu(struct rcu_head *head, rcu_callback_t func)
> +static void call_rcu(struct rcu_head *head, rcu_callback_t func)
> {
> __call_rcu(head, func, rcu_state_p, -1, 0);
> }
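Review bot: Making call_rcu() `static` hides it from every other translation unit, including the new sock_destroy_inode() introduced later in this same patch in net/socket.c, which calls call_rcu(); as posted the kernel cannot link. The hunk also has nothing to do with the socket_wq lifetime change, so it looks like a stray local edit and should be dropped. If an EXPORT_SYMBOL for call_rcu follows this definition outside the hunk, it would presumably fail for the same reason.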
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 1e4dd54..314ab6a 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -2383,7 +2383,7 @@ void sock_init_data(struct socket *sock, struct
> sock *sk)
>
> if (sock) {
> sk->sk_type = sock->type;
> - sk->sk_wq = sock->wq;
> + sk->sk_wq = &sock->wq;
RCU_INIT_POINTER()
> sock->sk = sk;
> } else
> sk->sk_wq = NULL;
> diff --git a/net/socket.c b/net/socket.c
> index dd2c247..495485e 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -245,19 +245,12 @@ static struct kmem_cache *sock_inode_cachep
> __read_mostly;
> static struct inode *sock_alloc_inode(struct super_block *sb)
> {
> struct socket_alloc *ei;
> - struct socket_wq *wq;
>
> ei = kmem_cache_alloc(sock_inode_cachep, GFP_KERNEL);
> if (!ei)
> return NULL;
> - wq = kmalloc(sizeof(*wq), GFP_KERNEL);
> - if (!wq) {
> - kmem_cache_free(sock_inode_cachep, ei);
> - return NULL;
> - }
> - init_waitqueue_head(&wq->wait);
> - wq->fasync_list = NULL;
> - RCU_INIT_POINTER(ei->socket.wq, wq);
> + init_waitqueue_head(&ei->socket.wq.wait);
> + ei->socket.wq.fasync_list = NULL;
>
> ei->socket.state = SS_UNCONNECTED;
> ei->socket.flags = 0;
> @@ -268,17 +261,18 @@ static struct inode *sock_alloc_inode(struct
> super_block *sb)
> return &ei->vfs_inode;
> }
>
> -static void sock_destroy_inode(struct inode *inode)
> +static void sock_cache_free_rcu(struct rcu_head *rcu)
> {
> - struct socket_alloc *ei;
> - struct socket_wq *wq;
> -
> - ei = container_of(inode, struct socket_alloc, vfs_inode);
> - wq = rcu_dereference_protected(ei->socket.wq, 1);
> - kfree_rcu(wq, rcu);
> + struct socket_alloc *ei =
> + container_of(rcu, struct socket_alloc, vfs_inode.i_rcu);
> kmem_cache_free(sock_inode_cachep, ei);
> }
>
> +static void sock_destroy_inode(struct inode *inode)
> +{
> + call_rcu(&inode->i_rcu, sock_cache_free_rcu);
> +}
> +
> static void init_once(void *foo)
> {
> struct socket_alloc *ei = (struct socket_alloc *)foo;
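Review bot: The new sock_destroy_inode() gives the reader no hint why freeing the whole socket_alloc must now be RCU-deferred, whereas the removed code deferred only the separately allocated wq. The reason is visible later in this patch: lockless readers such as sock_wake_async() reach the embedded `socket.wq` under rcu_read_lock(), so the enclosing object must survive a grace period. Suggest a comment above the call_rcu() line: `/* sk->sk_wq now points into this object; RCU readers may still be using socket.wq, so free it only after a grace period. */` Reusing `inode->i_rcu` for this appears to follow the usual VFS destroy_inode pattern, but that struct is not on the page, so confirm no other path frees the socket_alloc.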
> @@ -573,7 +567,7 @@ void sock_release(struct socket *sock)
> module_put(owner);
> }
>
> - if (rcu_dereference_protected(sock->wq, 1)->fasync_list)
> + if (sock->wq.fasync_list)
> pr_err("%s: fasync list not empty!\n", __func__);
>
> this_cpu_sub(sockets_in_use, 1);
> @@ -1044,7 +1038,7 @@ static int sock_fasync(int fd, struct file *filp,
> int on)
> return -EINVAL;
>
> lock_sock(sk);
> - wq = rcu_dereference_protected(sock->wq, sock_owned_by_user(sk));
> + wq = &sock->wq;
> fasync_helper(fd, filp, on, &wq->fasync_list);
>
> if (!wq->fasync_list)
> @@ -1065,7 +1059,7 @@ int sock_wake_async(struct socket *sock, int how,
> int band)
> if (!sock)
> return -1;
> rcu_read_lock();
> - wq = rcu_dereference(sock->wq);
> + wq = &sock->wq;
> if (!wq || !wq->fasync_list) {
> rcu_read_unlock();
> return -1;
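Review bot: After `wq = &sock->wq;` the `!wq` half of the following condition can never be true (it is the address of an embedded member), so it reduces to `if (!wq->fasync_list) {`; the same applies to the `wq` local in sock_fasync() above, where the pointer could be dropped in favor of `sock->wq.fasync_list`. The rcu_read_lock() kept here now protects the socket_alloc that `sock` points into only if the caller obtained `sock` inside the same read-side section; sk_wake_async()'s read of sk->sk_socket is outside this hunk, so that is worth confirming. sock_wake_async() begins and continues outside the hunk.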