From: Jiang Wang <jiang.wang@bytedance.com>
To: bpf@vger.kernel.org
Cc: cong.wang@bytedance.com, duanxiongchun@bytedance.com,
xieyongji@bytedance.com, chaiwen.cc@bytedance.com,
kuniyu@amazon.co.jp, Dmitry Osipenko <digetx@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>, Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <christian.brauner@ubuntu.com>,
Rao Shoaib <rao.shoaib@oracle.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH bpf-next v2] af_unix: fix NULL pointer bug in unix_shutdown
Date: Sat, 21 Aug 2021 18:07:36 +0000 [thread overview]
Message-ID: <20210821180738.1151155-1-jiang.wang@bytedance.com> (raw)
Commit 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap")
introduced a bug for af_unix SEQPACKET type. In unix_shutdown, the
unhash function will call prot->unhash(), which is NULL for SEQPACKET.
And kernel will panic. On ARM32, it will show following messages: (it
likely affects x86 too).
Fix the bug by checking the prot->unhash is NULL or not first.
Kernel log:
<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address
00000000
pgd = 2fba1ffb
*pgd=00000000
Internal error: Oops: 80000005 [#1] PREEMPT SMP THUMB2
Modules linked in:
CPU: 1 PID: 1999 Comm: falkon Tainted: G W
5.14.0-rc5-01175-g94531cfcbe79-dirty #9240
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
PC is at 0x0
LR is at unix_shutdown+0x81/0x1a8
pc : [<00000000>] lr : [<c08f3311>] psr: 600f0013
sp : e45aff70 ip : e463a3c0 fp : beb54f04
r10: 00000125 r9 : e45ae000 r8 : c4a56664
r7 : 00000001 r6 : c4a56464 r5 : 00000001 r4 : c4a56400
r3 : 00000000 r2 : c5a6b180 r1 : 00000000 r0 : c4a56400
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 50c5387d Table: 05aa804a DAC: 00000051
Register r0 information: slab PING start c4a56400 pointer offset 0
Register r1 information: NULL pointer
Register r2 information: slab task_struct start c5a6b180 pointer offset 0
Register r3 information: NULL pointer
Register r4 information: slab PING start c4a56400 pointer offset 0
Register r5 information: non-paged memory
Register r6 information: slab PING start c4a56400 pointer offset 100
Register r7 information: non-paged memory
Register r8 information: slab PING start c4a56400 pointer offset 612
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-paged memory
Register r11 information: non-paged memory
Register r12 information: slab filp start e463a3c0 pointer offset 0
Process falkon (pid: 1999, stack limit = 0x9ec48895)
Stack: (0xe45aff70 to 0xe45b0000)
ff60: e45ae000 c5f26a00 00000000 00000125
ff80: c0100264 c07f7fa3 beb54f04 fffffff7 00000001 e6f3fc0e b5e5e9ec beb54ec4
ffa0: b5da0ccc c010024b b5e5e9ec beb54ec4 0000000f 00000000 00000000 beb54ebc
ffc0: b5e5e9ec beb54ec4 b5da0ccc 00000125 beb54f58 00785238 beb5529c beb54f04
ffe0: b5da1e24 beb54eac b301385c b62b6ee8 600f0030 0000000f 00000000 00000000
[<c08f3311>] (unix_shutdown) from [<c07f7fa3>] (__sys_shutdown+0x2f/0x50)
[<c07f7fa3>] (__sys_shutdown) from [<c010024b>]
(__sys_trace_return+0x1/0x16)
Exception stack(0xe45affa8 to 0xe45afff0)
Signed-off-by: Jiang Wang <jiang.wang@bytedance.com>
Reported-by: Dmitry Osipenko <digetx@gmail.com>
Tested-by: Dmitry Osipenko <digetx@gmail.com>
---
v1 -> v2: check prot->unhash directly.
net/unix/af_unix.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 443c49081636..15c1e4e4012d 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2847,7 +2847,8 @@ static int unix_shutdown(struct socket *sock, int mode)
int peer_mode = 0;
const struct proto *prot = READ_ONCE(other->sk_prot);
- prot->unhash(other);
+ if (prot->unhash)
+ prot->unhash(other);
if (mode&RCV_SHUTDOWN)
peer_mode |= SEND_SHUTDOWN;
if (mode&SEND_SHUTDOWN)
--
2.20.1
next reply other threads:[~2021-08-21 18:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-21 18:07 Jiang Wang [this message]
2021-08-21 23:23 ` [PATCH bpf-next v2] af_unix: fix NULL pointer bug in unix_shutdown Kuniyuki Iwashima
2021-08-23 13:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210821180738.1151155-1-jiang.wang@bytedance.com \
--to=jiang.wang@bytedance.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=chaiwen.cc@bytedance.com \
--cc=christian.brauner@ubuntu.com \
--cc=cong.wang@bytedance.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=digetx@gmail.com \
--cc=duanxiongchun@bytedance.com \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.co.jp \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rao.shoaib@oracle.com \
--cc=songliubraving@fb.com \
--cc=viro@zeniv.linux.org.uk \
--cc=xieyongji@bytedance.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.