From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 06/83] llc: do not use sk_eat_skb()
Date: Thu, 29 Nov 2018 15:11:24 +0100 [thread overview]
Message-ID: <20181129140138.402406616@linuxfoundation.org> (raw)
In-Reply-To: <20181129140138.002176596@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream.
syzkaller triggered a use-after-free [1], caused by a combination of
skb_get() in llc_conn_state_process() and usage of sk_eat_skb()
sk_eat_skb() is assuming the skb about to be freed is only used by
the current thread. TCP/DCCP stacks enforce this because current
thread holds the socket lock.
llc_conn_state_process() wants to make sure skb does not disappear,
and holds a reference on the skb it manipulates. But as soon as this
skb is added to socket receive queue, another thread can consume it.
This means that llc must use regular skb_unlink() and kfree_skb()
so that both producer and consumer can safely work on the same skb.
[1]
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline]
BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655
Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18
CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113
print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
refcount_read include/linux/refcount.h:43 [inline]
skb_unref include/linux/skbuff.h:967 [inline]
kfree_skb+0xb7/0x580 net/core/skbuff.c:655
llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224
llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297
llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438
llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208
__netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
__netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
process_backlog+0x218/0x6f0 net/core/dev.c:5829
napi_poll net/core/dev.c:6249 [inline]
net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
__do_softirq+0x30c/0xb03 kernel/softirq.c:292
run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
kthread+0x35a/0x420 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
Allocated by task 18:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644
__alloc_skb+0x119/0x770 net/core/skbuff.c:193
alloc_skb include/linux/skbuff.h:995 [inline]
llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54
llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline]
llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111
llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220
__netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
__netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
process_backlog+0x218/0x6f0 net/core/dev.c:5829
napi_poll net/core/dev.c:6249 [inline]
net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
__do_softirq+0x30c/0xb03 kernel/softirq.c:292
Freed by task 16383:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kmem_cache_free+0x83/0x290 mm/slab.c:3756
kfree_skbmem+0x154/0x230 net/core/skbuff.c:582
__kfree_skb+0x1d/0x20 net/core/skbuff.c:642
sk_eat_skb include/net/sock.h:2366 [inline]
llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882
sock_recvmsg_nosec net/socket.c:794 [inline]
sock_recvmsg+0xd0/0x110 net/socket.c:801
___sys_recvmsg+0x2b6/0x680 net/socket.c:2278
__sys_recvmmsg+0x303/0xb90 net/socket.c:2390
do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466
__do_sys_recvmmsg net/socket.c:2484 [inline]
__se_sys_recvmmsg net/socket.c:2480 [inline]
__x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801d1f6fac0
which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 228 bytes inside of
232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8)
The buggy address belongs to the page:
page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680
raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/llc/af_llc.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -726,7 +726,6 @@ static int llc_ui_recvmsg(struct kiocb *
struct sk_buff *skb = NULL;
struct sock *sk = sock->sk;
struct llc_sock *llc = llc_sk(sk);
- unsigned long cpu_flags;
size_t copied = 0;
u32 peek_seq = 0;
u32 *seq, skb_len;
@@ -852,9 +851,8 @@ static int llc_ui_recvmsg(struct kiocb *
goto copy_uaddr;
if (!(flags & MSG_PEEK)) {
- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
- sk_eat_skb(sk, skb);
- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
+ skb_unlink(skb, &sk->sk_receive_queue);
+ kfree_skb(skb);
*seq = 0;
}
@@ -875,9 +873,8 @@ copy_uaddr:
llc_cmsg_rcv(msg, skb);
if (!(flags & MSG_PEEK)) {
- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
- sk_eat_skb(sk, skb);
- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
+ skb_unlink(skb, &sk->sk_receive_queue);
+ kfree_skb(skb);
*seq = 0;
}
next prev parent reply other threads:[~2018-11-30 1:20 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-29 14:11 [PATCH 3.18 00/83] 3.18.128-stable review Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 01/83] usb: core: Fix hub port connection events lost Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 02/83] v9fs_dir_readdir: fix double-free on p9stat_read error Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 03/83] bfs: add sanity check at bfs_fill_super() Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 04/83] sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 05/83] gfs2: Dont leave s_fs_info pointing to freed memory in init_sbd Greg Kroah-Hartman
2018-11-29 14:11 ` Greg Kroah-Hartman [this message]
2018-11-29 14:11 ` [PATCH 3.18 07/83] drm/ast: fixed cursor may disappear sometimes Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 08/83] drm/ast: change resolution may cause screen blurred Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 09/83] can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 10/83] can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 11/83] can: dev: __can_get_echo_skb(): Dont crash the kernel if can_priv::echo_skb is accessed out of bounds Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 12/83] can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 13/83] cpufreq: imx6q: add return value check for voltage scale Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 14/83] ARM: make lookup_processor_type() non-__init Greg Kroah-Hartman
2018-11-29 14:28 ` Russell King - ARM Linux
2018-11-30 15:15 ` Greg Kroah-Hartman
2018-11-30 15:18 ` Greg Kroah-Hartman
2018-11-30 19:02 ` Russell King - ARM Linux
2018-12-02 15:17 ` Sasha Levin
2018-12-02 16:15 ` Greg Kroah-Hartman
2018-12-02 16:25 ` Sasha Levin
2018-12-02 20:11 ` Greg Kroah-Hartman
2018-12-02 20:32 ` Sasha Levin
2018-11-29 14:11 ` [PATCH 3.18 15/83] SUNRPC: Fix a bogus get/put in generic_key_to_expire() Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 16/83] kdb: Use strscpy with destination buffer size Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 17/83] powerpc/numa: Suppress "VPHN is not supported" messages Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 18/83] tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 19/83] arm64: remove no-op -p linker flag Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 20/83] Input: initialize device counter variables with -1 Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 21/83] Input: xpad - add rumble support for Xbox One controller Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 22/83] Input: xpad - set the LEDs properly on XBox Wireless controllers Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 23/83] Input: xpad - re-send LED command on present event Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 24/83] Input: xpad - add Covert Forces edition of the Xbox One controller Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 25/83] Input: xpad - fix Razer Atrox Arcade Stick button mapping Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 26/83] Input: xpad - clarify LED enumeration Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 27/83] Input: xpad - use ida() for finding the pad_nr Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 28/83] Input: xpad - remove needless bulk out URB used for LED setup Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 29/83] Input: xpad - factor out URB submission in xpad_play_effect Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 30/83] Input: xpad - x360w: report dpad as buttons and axes Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 31/83] Input: xpad - move the input device creation to a new function Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 32/83] Input: xpad - query wireless controller state at init Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 33/83] Input: xpad - fix clash of presence handling with LED setting Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 34/83] Input: xpad - remove spurious events of wireless xpad 360 controller Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 35/83] Input: xpad - handle "present" and "gone" correctly Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 36/83] Input: xpad - correctly handle concurrent LED and FF requests Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 37/83] Input: xpad - update Xbox One Force Feedback Support Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 38/83] Input: xpad - workaround dead irq_out after suspend/ resume Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 39/83] Input: xpad - use LED API when identifying wireless controllers Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 40/83] Input: xpad - correct xbox one pad device name Greg Kroah-Hartman
2018-11-29 14:11 ` [PATCH 3.18 41/83] Input: xpad - remove unused function Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 42/83] Input: xpad - add Mad Catz FightStick TE 2 VID/PID Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 43/83] Input: xpad - move pending clear to the correct location Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 44/83] Input: xpad - prevent spurious input from wired Xbox 360 controllers Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 45/83] Input: xpad - add more third-party controllers Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 46/83] Input: xpad - xbox one elite controller support Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 47/83] Input: xpad - fix rumble on Xbox One controllers with 2015 firmware Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 48/83] Input: xpad - fix oops when attaching an unknown Xbox One gamepad Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 49/83] Input: xpad - power off wireless 360 controllers on suspend Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 50/83] Input: xpad - add product ID for Xbox One S pad Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 51/83] Input: xpad - fix Xbox One rumble stopping after 2.5 secs Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 52/83] Input: xpad - use correct product id for x360w controllers Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 53/83] Input: xpad - correctly sort vendor ids Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 54/83] Input: xpad - move reporting xbox one home button to common function Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 55/83] Input: xpad - simplify error condition in init_output Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 56/83] Input: xpad - dont depend on endpoint order Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 57/83] Input: xpad - fix stuck mode button on Xbox One S pad Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 58/83] Input: xpad - restore LED state after device resume Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 59/83] Input: xpad - support some quirky Xbox One pads Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 60/83] Input: xpad - sort supported devices by USB ID Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 61/83] Input: xpad - sync supported devices with xboxdrv Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 62/83] Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 63/83] Input: xpad - sync supported devices with 360Controller Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 64/83] Input: xpad - sync supported devices with XBCD Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 65/83] Input: xpad - constify usb_device_id Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 66/83] Input: xpad - fix PowerA init quirk for some gamepad models Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 67/83] Input: xpad - validate USB endpoint type during probe Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 68/83] Input: xpad - add support for PDP Xbox One controllers Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 69/83] Input: xpad - add PDP device id 0x02a4 Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 70/83] Input: xpad - fix some coding style issues Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 71/83] Input: xpad - avoid using __set_bit() for capabilities Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 72/83] Input: xpad - add GPD Win 2 Controller USB IDs Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 73/83] Input: xpad - fix GPD Win 2 controller name Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 74/83] Input: xpad - add support for Xbox1 PDP Camo series gamepad Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 75/83] cw1200: Dont leak memory if krealloc failes Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 76/83] scsi: ufs: fix bugs related to null pointer access and array size Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 77/83] scsi: ufshcd: Fix race between clk scaling and ungate work Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 78/83] scsi: ufs: fix race between clock gating and devfreq scaling work Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 79/83] scsi: qla2xxx: do not queue commands when unloading Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 80/83] tty: wipe buffer Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 81/83] tty: wipe buffer if not echoing data Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 82/83] af_unix: move unix_mknod() out of bindlock Greg Kroah-Hartman
2018-11-29 14:12 ` [PATCH 3.18 83/83] drm/ast: Remove existing framebuffers before loading driver Greg Kroah-Hartman
2018-11-29 19:51 ` [PATCH 3.18 00/83] 3.18.128-stable review kernelci.org bot
2018-11-29 20:25 ` shuah
2018-11-29 21:49 ` Harsh Shandilya
2018-11-30 22:26 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181129140138.402406616@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).