From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Gerrit Renker <gerrit@erg.abdn.ac.uk>,
Thomas Gleixner <tglx@linutronix.de>,
Arnaldo Carvalho de Melo <acme@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 08/28] dccp: Unlock sock before calling sk_free()
Date: Mon, 20 Mar 2017 18:49:03 +0100 [thread overview]
Message-ID: <20170320174719.277300948@linuxfoundation.org> (raw)
In-Reply-To: <20170320174718.794407270@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
[ Upstream commit d5afb6f9b6bb2c57bd0c05e76e12489dc0d037d9 ]
The code where sk_clone() came from created a new socket and locked it,
but then, on the error path didn't unlock it.
This problem stayed there for a long while, till b0691c8ee7c2 ("net:
Unlock sock before calling sk_free()") fixed it, but unfortunately the
callers of sk_clone() (now sk_clone_locked()) were not audited and the
one in dccp_create_openreq_child() remained.
Now in the age of the syskaller fuzzer, this was finally uncovered, as
reported by Dmitry:
---- 8< ----
I've got the following report while running syzkaller fuzzer on
86292b33d4b7 ("Merge branch 'akpm' (patches from Andrew)")
[ BUG: held lock freed! ]
4.10.0+ #234 Not tainted
-------------------------
syz-executor6/6898 is freeing memory
ffff88006286cac0-ffff88006286d3b7, with a lock still held there!
(slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>] spin_lock
include/linux/spinlock.h:299 [inline]
(slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>]
sk_clone_lock+0x3d9/0x12c0 net/core/sock.c:1504
5 locks held by syz-executor6/6898:
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff839a34b4>] lock_sock
include/net/sock.h:1460 [inline]
#0: (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff839a34b4>]
inet_stream_connect+0x44/0xa0 net/ipv4/af_inet.c:681
#1: (rcu_read_lock){......}, at: [<ffffffff83bc1c2a>]
inet6_csk_xmit+0x12a/0x5d0 net/ipv6/inet6_connection_sock.c:126
#2: (rcu_read_lock){......}, at: [<ffffffff8369b424>] __skb_unlink
include/linux/skbuff.h:1767 [inline]
#2: (rcu_read_lock){......}, at: [<ffffffff8369b424>] __skb_dequeue
include/linux/skbuff.h:1783 [inline]
#2: (rcu_read_lock){......}, at: [<ffffffff8369b424>]
process_backlog+0x264/0x730 net/core/dev.c:4835
#3: (rcu_read_lock){......}, at: [<ffffffff83aeb5c0>]
ip6_input_finish+0x0/0x1700 net/ipv6/ip6_input.c:59
#4: (slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>] spin_lock
include/linux/spinlock.h:299 [inline]
#4: (slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>]
sk_clone_lock+0x3d9/0x12c0 net/core/sock.c:1504
Fix it just like was done by b0691c8ee7c2 ("net: Unlock sock before calling
sk_free()").
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20170301153510.GE15145@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dccp/minisocks.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -122,6 +122,7 @@ struct sock *dccp_create_openreq_child(c
/* It is still raw copy of parent, so invalidate
* destructor and make plain sk_free() */
newsk->sk_destruct = NULL;
+ bh_unlock_sock(newsk);
sk_free(newsk);
return NULL;
}
next prev parent reply other threads:[~2017-03-20 17:57 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-20 17:48 [PATCH 4.4 00/28] 4.4.56-stable review Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 01/28] netlink: remove mmapped netlink support Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 02/28] [PATCH 04/41] vxlan: correctly validate VXLAN ID against VXLAN_N_VID Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 03/28] [PATCH 05/41] vti6: return GRE_KEY for vti6 Greg Kroah-Hartman
2017-03-20 17:48 ` [PATCH 4.4 04/28] ipv4: mask tos for input route Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 06/28] net: dont call strlen() on the user buffer in packet_bind_spkt() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 07/28] net: net_enable_timestamp() can be called from irq contexts Greg Kroah-Hartman
2017-03-20 17:49 ` Greg Kroah-Hartman [this message]
2017-03-20 17:49 ` [PATCH 4.4 09/28] tcp: fix various issues for sockets morphing to listen state Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 10/28] net: fix socket refcounting in skb_complete_wifi_ack() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 11/28] net: fix socket refcounting in skb_complete_tx_timestamp() Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 12/28] dccp: fix use-after-free in dccp_feat_activate_values Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 13/28] vrf: Fix use-after-free in vrf_xmit Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 14/28] uapi: fix linux/packet_diag.h userspace compilation error Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 16/28] mpls: Send route delete notifications when router module is unloaded Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 17/28] ipv6: make ECMP route replacement less greedy Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 18/28] ipv6: avoid write to a possibly cloned skb Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 19/28] bridge: drop netfilter fake rtable unconditionally Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 21/28] dccp: fix memory leak during tear-down of unsuccessful connection request Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 22/28] net sched actions: decrement module reference count after table flush Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 23/28] fscrypt: fix renaming and linking special files Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 24/28] fscrypto: lock inode while setting encryption policy Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 25/28] x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y Greg Kroah-Hartman
2017-03-20 17:49 ` Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 26/28] x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 27/28] futex: Fix potential use-after-free in FUTEX_REQUEUE_PI Greg Kroah-Hartman
2017-03-20 17:49 ` [PATCH 4.4 28/28] futex: Add missing error handling to FUTEX_REQUEUE_PI Greg Kroah-Hartman
2017-03-21 0:11 ` [PATCH 4.4 00/28] 4.4.56-stable review Shuah Khan
2017-03-21 2:13 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170320174719.277300948@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=acme@redhat.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=gerrit@erg.abdn.ac.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.