From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: John Fastabend <john.fastabend@gmail.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 164/205] bpf: skmsg, fix potential psock NULL pointer dereference
Date: Thu, 16 Jan 2020 11:42:19 -0500 [thread overview]
Message-ID: <20200116164300.6705-164-sashal@kernel.org> (raw)
In-Reply-To: <20200116164300.6705-1-sashal@kernel.org>
From: John Fastabend <john.fastabend@gmail.com>
[ Upstream commit 8163999db445021f2651a8a47b5632483e8722ea ]
Report from Dan Carpenter,
net/core/skmsg.c:792 sk_psock_write_space()
error: we previously assumed 'psock' could be null (see line 790)
net/core/skmsg.c
789 psock = sk_psock(sk);
790 if (likely(psock && sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)))
Check for NULL
791 schedule_work(&psock->work);
792 write_space = psock->saved_write_space;
^^^^^^^^^^^^^^^^^^^^^^^^
793 rcu_read_unlock();
794 write_space(sk);
Ensure psock dereference on line 792 only occurs if psock is not null.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 0675d022584e..ded2d5227678 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -793,15 +793,18 @@ static void sk_psock_strp_data_ready(struct sock *sk)
static void sk_psock_write_space(struct sock *sk)
{
struct sk_psock *psock;
- void (*write_space)(struct sock *sk);
+ void (*write_space)(struct sock *sk) = NULL;
rcu_read_lock();
psock = sk_psock(sk);
- if (likely(psock && sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)))
- schedule_work(&psock->work);
- write_space = psock->saved_write_space;
+ if (likely(psock)) {
+ if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))
+ schedule_work(&psock->work);
+ write_space = psock->saved_write_space;
+ }
rcu_read_unlock();
- write_space(sk);
+ if (write_space)
+ write_space(sk);
}
int sk_psock_init_strp(struct sock *sk, struct sk_psock *psock)
--
2.20.1
next prev parent reply other threads:[~2020-01-16 19:20 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200116164300.6705-1-sashal@kernel.org>
2020-01-16 16:39 ` [PATCH AUTOSEL 5.4 008/205] mt7601u: fix bbp version check in mt7601u_wait_bbp_ready Sasha Levin
2020-01-16 16:39 ` [PATCH AUTOSEL 5.4 018/205] cw1200: Fix a signedness bug in cw1200_load_firmware() Sasha Levin
2020-01-16 16:39 ` [PATCH AUTOSEL 5.4 022/205] rtw88: fix beaconing mode rsvd_page memory violation issue Sasha Levin
2020-01-16 16:39 ` [PATCH AUTOSEL 5.4 023/205] rtw88: fix error handling when setup efuse info Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 028/205] net: phy: broadcom: Fix RGMII delays configuration for BCM54210E Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 030/205] dpaa2-eth: Fix minor bug in ethtool stats reporting Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 049/205] net: netsec: Correct dma sync for XDP_TX frames Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 057/205] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 058/205] xprtrdma: Connection becomes unstable after a reconnect Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 059/205] xprtrdma: Fix MR list handling Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 064/205] iwlwifi: mvm: consider ieee80211 station max amsdu value Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 077/205] libbpf: Fix compatibility for kernels without need_wakeup Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 080/205] libbpf: Don't use kernel-side u32 type in xsk.c Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 083/205] SUNRPC: Fix svcauth_gss_proxy_init() Sasha Levin
2020-01-16 16:40 ` [PATCH AUTOSEL 5.4 084/205] rtw88: fix potential read outside array boundary Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 087/205] dpaa_eth: perform DMA unmapping before read Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 088/205] dpaa_eth: avoid timestamp read on error paths Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 096/205] net: openvswitch: don't unlock mutex when changing the user_features fails Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 102/205] hv_netvsc: flag software created hash value Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 104/205] rt2800: remove errornous duplicate condition Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 107/205] net: neigh: use long type to store jiffies delta Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 108/205] tipc: reduce sensitive to retransmit failures Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 109/205] net: axienet: Fix error return code in axienet_probe() Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 111/205] libbpf: Fix memory leak/double free issue Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 112/205] libbpf: Fix potential overflow issue Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 113/205] libbpf: Fix another potential overflow issue in bpf_prog_linfo Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 114/205] libbpf: Make btf__resolve_size logic always check size error condition Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 121/205] packet: fix data-race in fanout_flow_is_huge() Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 137/205] tipc: update mon's self addr when node addr generated Sasha Levin
2020-01-16 16:41 ` [PATCH AUTOSEL 5.4 142/205] iwlwifi: mvm: fix support for single antenna diversity Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 148/205] netfilter: nf_tables_offload: release flow_rule on error from commit path Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 149/205] SUNRPC: Fix another issue with MIC buffer space Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 155/205] libbpf: Fix call relocation offset calculation bug Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 159/205] mt76: mt76u: rely on usb_interface instead of usb_dev Sasha Levin
2020-01-16 16:42 ` Sasha Levin [this message]
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 165/205] SUNRPC: Fix backchannel latency metrics Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 171/205] ice: fix stack leakage Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 172/205] xdp: Fix cleanup on map free for devmap_hash map type Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 179/205] bpf: Support pre-2.25-binutils objcopy for vmlinux BTF Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 180/205] libbpf: Fix Makefile' libbpf symbol mismatch diagnostic Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 181/205] ath9k: use iowrite32 over __raw_writel Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 183/205] tipc: fix potential memory leak in __tipc_sendmsg() Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 184/205] tipc: fix wrong socket reference counter after tipc_sk_timeout() returns Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 185/205] tipc: fix wrong timeout input for tipc_wait_for_cond() Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 186/205] bpf: Force .BTF section start to zero when dumping from vmlinux Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 188/205] sch_cake: Add missing NLA policy entry TCA_CAKE_SPLIT_GSO Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 191/205] samples/bpf: Fix broken xdp_rxq_info due to map order assumptions Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 195/205] net/mlx5e: Fix free peer_flow when refcount is 0 Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 197/205] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 201/205] tipc: fix potential hanging after b/rcast changing Sasha Levin
2020-01-16 16:42 ` [PATCH AUTOSEL 5.4 202/205] tipc: fix retrans failure due to wrong destination Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200116164300.6705-164-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=john.fastabend@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).