From: Paolo Abeni <pabeni@redhat.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Eric Dumazet <edumazet@google.com>
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
syzbot <syzbot+694120e1002c117747ed@syzkaller.appspotmail.com>,
netdev <netdev@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
OFED mailing list <linux-rdma@vger.kernel.org>
Subject: Re: [PATCH v2] net: rds: acquire refcount on TCP sockets
Date: Tue, 03 May 2022 11:02:47 +0200
Message-ID: <3b6bc24c8cd3f896dcd480ff75715a2bf9b2db06.camel@redhat.com>
In-Reply-To: <a5fb1fc4-2284-3359-f6a0-e4e390239d7b@I-love.SAKURA.ne.jp>
Hello,
On Mon, 2022-05-02 at 10:40 +0900, Tetsuo Handa wrote:
> syzbot is reporting use-after-free read in tcp_retransmit_timer() [1],
> for TCP socket used by RDS is accessing sock_net() without acquiring a
> refcount on net namespace. Since TCP's retransmission can happen after
> a process which created net namespace terminated, we need to explicitly
> acquire a refcount.
>
> Link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed [1]
> Reported-by: syzbot <syzbot+694120e1002c117747ed@syzkaller.appspotmail.com>
> Fixes: 26abe14379f8e2fa ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
> Fixes: 8a68173691f03661 ("net: sk_clone_lock() should only do get_net() if the parent is not a kernel socket")
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Tested-by: syzbot <syzbot+694120e1002c117747ed@syzkaller.appspotmail.com>
> ---
> Changes in v2:
> Add Fixes: tag.
> Move to inside lock_sock() section.
>
> I chose 26abe14379f8e2fa and 8a68173691f03661 which went to 4.2 for Fixes: tag,
> for refcount was implicitly taken when 70041088e3b97662 ("RDS: Add TCP transport
> to RDS") was added to 2.6.32.
>
> net/rds/tcp.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/net/rds/tcp.c b/net/rds/tcp.c
> index 5327d130c4b5..2f638f8b7b1e 100644
> --- a/net/rds/tcp.c
> +++ b/net/rds/tcp.c
> @@ -495,6 +495,14 @@ void rds_tcp_tune(struct socket *sock)
>
> tcp_sock_set_nodelay(sock->sk);
> lock_sock(sk);
> + /* TCP timer functions might access net namespace even after
> + * a process which created this net namespace terminated.
> + */
> + if (!sk->sk_net_refcnt) {
> + sk->sk_net_refcnt = 1;
> + get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
> + sock_inuse_add(net, 1);
> + }
> if (rtn->sndbuf_size > 0) {
> sk->sk_sndbuf = rtn->sndbuf_size;
> sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
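Review bot: the new block in rds_tcp_tune() takes the reference with get_net_track(), which increments the namespace refcount unconditionally; if the scenario described in the added comment (the creator of the namespace has already gone away) can hold at the point where this code runs, the count may already have reached zero and an unconditional increment would resurrect a namespace that is being torn down. Consider maybe_get_net() (refcount_inc_not_zero semantics) instead, and since rds_tcp_tune() is declared `void`, give it an error return so the caller can abandon the socket when the acquire fails rather than continuing with `sk->sk_net_refcnt = 1` set on a namespace it does not actually own. The sock_inuse_add(net, 1) charge is only correct if it is paired with the matching decrement on the socket's release path, which is keyed on sk_net_refcnt; worth a sentence in the commit message stating that the generic socket teardown is relied upon to balance both the refcount and the inuse counter.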
This looks equivalent to the fix presented here:
https://lore.kernel.org/all/CANn89i+484ffqb93aQm1N-tjxxvb3WDKX0EbD7318RwRgsatjw@mail.gmail.com/
but the latter looks a more generic solution. @Tetsuo could you please
test the above in your setup?
Thanks!
Paolo