From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jakub Kicinski <kuba@kernel.org>,
Wen Gu <guwen@linux.alibaba.com>,
Hawkins Jiawei <yin31149@gmail.com>,
Jakub Sitnicki <jakub@cloudflare.com>,
syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com
Subject: [PATCH 5.19 14/72] net: fix refcount bug in sk_psock_get (2)
Date: Fri, 2 Sep 2022 14:18:50 +0200 [thread overview]
Message-ID: <20220902121405.257399777@linuxfoundation.org> (raw)
In-Reply-To: <20220902121404.772492078@linuxfoundation.org>
From: Hawkins Jiawei <yin31149@gmail.com>
commit 2a0133723f9ebeb751cfce19f74ec07e108bef1f upstream.
Syzkaller reports refcount bug as follows:
------------[ cut here ]------------
refcount_t: saturated; leaking memory.
WARNING: CPU: 1 PID: 3605 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19
Modules linked in:
CPU: 1 PID: 3605 Comm: syz-executor208 Not tainted 5.18.0-syzkaller-03023-g7e062cda7d90 #0
<TASK>
__refcount_add_not_zero include/linux/refcount.h:163 [inline]
__refcount_inc_not_zero include/linux/refcount.h:227 [inline]
refcount_inc_not_zero include/linux/refcount.h:245 [inline]
sk_psock_get+0x3bc/0x410 include/linux/skmsg.h:439
tls_data_ready+0x6d/0x1b0 net/tls/tls_sw.c:2091
tcp_data_ready+0x106/0x520 net/ipv4/tcp_input.c:4983
tcp_data_queue+0x25f2/0x4c90 net/ipv4/tcp_input.c:5057
tcp_rcv_state_process+0x1774/0x4e80 net/ipv4/tcp_input.c:6659
tcp_v4_do_rcv+0x339/0x980 net/ipv4/tcp_ipv4.c:1682
sk_backlog_rcv include/net/sock.h:1061 [inline]
__release_sock+0x134/0x3b0 net/core/sock.c:2849
release_sock+0x54/0x1b0 net/core/sock.c:3404
inet_shutdown+0x1e0/0x430 net/ipv4/af_inet.c:909
__sys_shutdown_sock net/socket.c:2331 [inline]
__sys_shutdown_sock net/socket.c:2325 [inline]
__sys_shutdown+0xf1/0x1b0 net/socket.c:2343
__do_sys_shutdown net/socket.c:2351 [inline]
__se_sys_shutdown net/socket.c:2349 [inline]
__x64_sys_shutdown+0x50/0x70 net/socket.c:2349
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
During SMC fallback process in connect syscall, kernel will
replaces TCP with SMC. In order to forward wakeup
smc socket waitqueue after fallback, kernel will sets
clcsk->sk_user_data to origin smc socket in
smc_fback_replace_callbacks().
Later, in shutdown syscall, kernel will calls
sk_psock_get(), which treats the clcsk->sk_user_data
as psock type, triggering the refcnt warning.
So, the root cause is that smc and psock, both will use
sk_user_data field. So they will mismatch this field
easily.
This patch solves it by using another bit(defined as
SK_USER_DATA_PSOCK) in PTRMASK, to mark whether
sk_user_data points to a psock object or not.
This patch depends on a PTRMASK introduced in commit f1ff5ce2cd5e
("net, sk_msg: Clear sk_user_data pointer on clone if tagged").
For there will possibly be more flags in the sk_user_data field,
this patch also refactor sk_user_data flags code to be more generic
to improve its maintainability.
Reported-and-tested-by: syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Wen Gu <guwen@linux.alibaba.com>
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/skmsg.h | 3 +-
include/net/sock.h | 68 +++++++++++++++++++++++++++++++++++---------------
net/core/skmsg.c | 4 ++
3 files changed, 53 insertions(+), 22 deletions(-)
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -277,7 +277,8 @@ static inline void sk_msg_sg_copy_clear(
static inline struct sk_psock *sk_psock(const struct sock *sk)
{
- return rcu_dereference_sk_user_data(sk);
+ return __rcu_dereference_sk_user_data_with_flags(sk,
+ SK_USER_DATA_PSOCK);
}
static inline void sk_psock_set_state(struct sk_psock *psock,
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -545,14 +545,26 @@ enum sk_pacing {
SK_PACING_FQ = 2,
};
-/* Pointer stored in sk_user_data might not be suitable for copying
- * when cloning the socket. For instance, it can point to a reference
- * counted object. sk_user_data bottom bit is set if pointer must not
- * be copied.
+/* flag bits in sk_user_data
+ *
+ * - SK_USER_DATA_NOCOPY: Pointer stored in sk_user_data might
+ * not be suitable for copying when cloning the socket. For instance,
+ * it can point to a reference counted object. sk_user_data bottom
+ * bit is set if pointer must not be copied.
+ *
+ * - SK_USER_DATA_BPF: Mark whether sk_user_data field is
+ * managed/owned by a BPF reuseport array. This bit should be set
+ * when sk_user_data's sk is added to the bpf's reuseport_array.
+ *
+ * - SK_USER_DATA_PSOCK: Mark whether pointer stored in
+ * sk_user_data points to psock type. This bit should be set
+ * when sk_user_data is assigned to a psock object.
*/
#define SK_USER_DATA_NOCOPY 1UL
-#define SK_USER_DATA_BPF 2UL /* Managed by BPF */
-#define SK_USER_DATA_PTRMASK ~(SK_USER_DATA_NOCOPY | SK_USER_DATA_BPF)
+#define SK_USER_DATA_BPF 2UL
+#define SK_USER_DATA_PSOCK 4UL
+#define SK_USER_DATA_PTRMASK ~(SK_USER_DATA_NOCOPY | SK_USER_DATA_BPF |\
+ SK_USER_DATA_PSOCK)
/**
* sk_user_data_is_nocopy - Test if sk_user_data pointer must not be copied
@@ -565,24 +577,40 @@ static inline bool sk_user_data_is_nocop
#define __sk_user_data(sk) ((*((void __rcu **)&(sk)->sk_user_data)))
+/**
+ * __rcu_dereference_sk_user_data_with_flags - return the pointer
+ * only if argument flags all has been set in sk_user_data. Otherwise
+ * return NULL
+ *
+ * @sk: socket
+ * @flags: flag bits
+ */
+static inline void *
+__rcu_dereference_sk_user_data_with_flags(const struct sock *sk,
+ uintptr_t flags)
+{
+ uintptr_t sk_user_data = (uintptr_t)rcu_dereference(__sk_user_data(sk));
+
+ WARN_ON_ONCE(flags & SK_USER_DATA_PTRMASK);
+
+ if ((sk_user_data & flags) == flags)
+ return (void *)(sk_user_data & SK_USER_DATA_PTRMASK);
+ return NULL;
+}
+
#define rcu_dereference_sk_user_data(sk) \
+ __rcu_dereference_sk_user_data_with_flags(sk, 0)
+#define __rcu_assign_sk_user_data_with_flags(sk, ptr, flags) \
({ \
- void *__tmp = rcu_dereference(__sk_user_data((sk))); \
- (void *)((uintptr_t)__tmp & SK_USER_DATA_PTRMASK); \
-})
-#define rcu_assign_sk_user_data(sk, ptr) \
-({ \
- uintptr_t __tmp = (uintptr_t)(ptr); \
- WARN_ON_ONCE(__tmp & ~SK_USER_DATA_PTRMASK); \
- rcu_assign_pointer(__sk_user_data((sk)), __tmp); \
-})
-#define rcu_assign_sk_user_data_nocopy(sk, ptr) \
-({ \
- uintptr_t __tmp = (uintptr_t)(ptr); \
- WARN_ON_ONCE(__tmp & ~SK_USER_DATA_PTRMASK); \
+ uintptr_t __tmp1 = (uintptr_t)(ptr), \
+ __tmp2 = (uintptr_t)(flags); \
+ WARN_ON_ONCE(__tmp1 & ~SK_USER_DATA_PTRMASK); \
+ WARN_ON_ONCE(__tmp2 & SK_USER_DATA_PTRMASK); \
rcu_assign_pointer(__sk_user_data((sk)), \
- __tmp | SK_USER_DATA_NOCOPY); \
+ __tmp1 | __tmp2); \
})
+#define rcu_assign_sk_user_data(sk, ptr) \
+ __rcu_assign_sk_user_data_with_flags(sk, ptr, 0)
static inline
struct net *sock_net(const struct sock *sk)
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -735,7 +735,9 @@ struct sk_psock *sk_psock_init(struct so
sk_psock_set_state(psock, SK_PSOCK_TX_ENABLED);
refcount_set(&psock->refcnt, 1);
- rcu_assign_sk_user_data_nocopy(sk, psock);
+ __rcu_assign_sk_user_data_with_flags(sk, psock,
+ SK_USER_DATA_NOCOPY |
+ SK_USER_DATA_PSOCK);
sock_hold(sk);
out:
next prev parent reply other threads:[~2022-09-02 13:33 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-02 12:18 [PATCH 5.19 00/72] 5.19.7-rc1 review Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 01/72] drm/vc4: hdmi: Rework power up Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 02/72] drm/vc4: hdmi: Depends on CONFIG_PM Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 03/72] firmware: tegra: bpmp: Do only aligned access to IPC memory area Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 04/72] crypto: lib - remove unneeded selection of XOR_BLOCKS Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 05/72] docs: kerneldoc-preamble: Test xeCJK.sty before loading Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 06/72] arm64: errata: Add Cortex-A510 to the repeat tlbi list Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 07/72] Bluetooth: L2CAP: Fix build errors in some archs Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 08/72] Revert "PCI/portdrv: Dont disable AER reporting in get_port_device_capability()" Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 09/72] HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 10/72] udmabuf: Set the DMA mask for the udmabuf device (v2) Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 11/72] media: pvrusb2: fix memory leak in pvr_probe Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 12/72] USB: gadget: Fix use-after-free Read in usb_udc_uevent() Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 13/72] HID: hidraw: fix memory leak in hidraw_release() Greg Kroah-Hartman
2022-09-02 12:18 ` Greg Kroah-Hartman [this message]
2022-09-02 12:18 ` [PATCH 5.19 15/72] fbdev: fb_pm2fb: Avoid potential divide by zero error Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 16/72] ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 17/72] bpf: Dont redirect packets with invalid pkt_len Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 18/72] mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 19/72] ALSA: usb-audio: Add quirk for LH Labs Geek Out HD Audio 1V5 Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 20/72] HID: input: fix uclogic tablets Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 21/72] HID: add Lenovo Yoga C630 battery quirk Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 22/72] HID: AMD_SFH: Add a DMI quirk entry for Chromebooks Greg Kroah-Hartman
2022-09-02 12:18 ` [PATCH 5.19 23/72] HID: Add Apple Touchbar on T2 Macs in hid_have_special_driver list Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 24/72] HID: asus: ROG NKey: Ignore portion of 0x5a report Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 25/72] HID: nintendo: fix rumble worker null pointer deref Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 26/72] HID: thrustmaster: Add sparco wheel and fix array length Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 27/72] HID: intel-ish-hid: ipc: Add Meteor Lake PCI device ID Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 28/72] mmc: mtk-sd: Clear interrupts when cqe off/disable Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 29/72] mmc: sdhci-of-dwcmshc: add reset call back for rockchip Socs Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 30/72] mmc: sdhci-of-dwcmshc: rename rk3568 to rk35xx Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 31/72] mmc: sdhci-of-dwcmshc: Re-enable support for the BlueField-3 SoC Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 32/72] fs/ntfs3: Fix work with fragmented xattr Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 33/72] ASoC: sh: rz-ssi: Improve error handling in rz_ssi_probe() error path Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 34/72] ASoC: rt5640: Fix the JD voltage dropping issue Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 35/72] rtla: Fix tracer name Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 36/72] drm/amd/display: Add a missing register field for HPO DP stream encoder Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 37/72] drm/amd/display: Device flash garbage before get in OS Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 38/72] drm/amd/display: Avoid MPC infinite loop Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 39/72] drm/amd/display: Fix HDMI VSIF V3 incorrect issue Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 40/72] drm/amd/display: For stereo keep "FLIP_ANY_FRAME" Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 41/72] drm/amd/display: clear optc underflow before turn off odm clock Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 42/72] drm/amd/display: Fix TDR eDP and USB4 display light up issue Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 43/72] drm/amd/pm: skip pptable override for smu_v13_0_7 Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 44/72] drm/amdkfd: Handle restart of kfd_ioctl_wait_events Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 45/72] drm/amd/pm: Fix a potential gpu_metrics_table memory leak Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 46/72] ksmbd: return STATUS_BAD_NETWORK_NAME error status if share is not configured Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 47/72] net: lan966x: fix checking for return value of platform_get_irq_byname() Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 48/72] neigh: fix possible DoS due to net iface start/stop loop Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 49/72] ALSA: hda/realtek: Add quirks for ASUS Zenbooks using CS35L41 Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 50/72] s390/hypfs: avoid error message under KVM Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 51/72] ksmbd: dont remove dos attribute xattr on O_TRUNC open Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 52/72] drm/amdgpu: disable 3DCGCG/CGLS temporarily due to stability issue Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 53/72] drm/amd/pm: add missing ->fini_microcode interface for Sienna Cichlid Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 54/72] drm/amd/pm: add missing ->fini_xxxx interfaces for some SMU13 asics Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 55/72] drm/amd/display: Fix pixel clock programming Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 56/72] drm/amdgpu: Increase tlb flush timeout for sriov Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 57/72] drm/amd/display: Fix plug/unplug external monitor will hang while playback MPO video Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 58/72] drm/amd/display: avoid doing vm_init multiple time Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 59/72] drm/amdgpu: Add decode_iv_ts helper for ih_v6 block Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 60/72] drm/amdgpu: Add secure display TA load for Renoir Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 61/72] drm/amdgpu: Fix interrupt handling on ih_soft ring Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 62/72] netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 63/72] testing: selftests: nft_flowtable.sh: use random netns names Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 64/72] platform/x86: serial-multi-instantiate: Add CLSA0101 Laptop Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 65/72] ALSA: hda/cs8409: Support new Dolphin Variants Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 66/72] btrfs: move lockdep class helpers to locking.c Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 67/72] btrfs: fix lockdep splat with reloc root extent buffers Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 68/72] btrfs: tree-checker: check for overlapping extent items Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 69/72] android: binder: fix lockdep check on clearing vma Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 70/72] net/af_packet: check len when min_header_len equals to 0 Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 71/72] net: neigh: dont call kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2022-09-02 12:19 ` [PATCH 5.19 72/72] arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level Greg Kroah-Hartman
2022-09-02 17:47 ` [PATCH 5.19 00/72] 5.19.7-rc1 review Jon Hunter
2022-09-02 18:28 ` Florian Fainelli
2022-09-02 22:01 ` Shuah Khan
2022-09-02 23:26 ` Ron Economos
2022-09-03 0:37 ` Guenter Roeck
2022-09-03 2:14 ` Naresh Kamboju
2022-09-03 7:35 ` Rudi Heitbaum
2022-09-03 9:25 ` Bagas Sanjaya
2022-09-03 10:49 ` Sudip Mukherjee
2022-09-03 14:20 ` Justin Forbes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220902121405.257399777@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=guwen@linux.alibaba.com \
--cc=jakub@cloudflare.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com \
--cc=yin31149@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.