Linux-RDMA Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
@ 2021-04-07  0:09 Aditya Pakki
  2021-04-07 18:26 ` Santosh Shilimkar
                   ` (4 more replies)
  0 siblings, 5 replies; 9+ messages in thread
From: Aditya Pakki @ 2021-04-07  0:09 UTC (permalink / raw)
  To: pakki001
  Cc: Santosh Shilimkar, David S. Miller, Jakub Kicinski, netdev,
	linux-rdma, rds-devel, linux-kernel

In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
is freed and later under spinlock, causing potential use-after-free.
Set the free pointer to NULL to avoid undefined behavior.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
---
 net/rds/message.c | 1 +
 net/rds/send.c    | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rds/message.c b/net/rds/message.c
index 071a261fdaab..90ebcfe5fe3b 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -180,6 +180,7 @@ void rds_message_put(struct rds_message *rm)
 		rds_message_purge(rm);
 
 		kfree(rm);
+		rm = NULL;
 	}
 }
 EXPORT_SYMBOL_GPL(rds_message_put);
diff --git a/net/rds/send.c b/net/rds/send.c
index 985d0b7713ac..fe5264b9d4b3 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
 unlock_and_drop:
 		spin_unlock_irqrestore(&rm->m_rs_lock, flags);
 		rds_message_put(rm);
-		if (was_on_sock)
+		if (was_on_sock && rm)
 			rds_message_put(rm);
 	}
 
-- 
2.25.1


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
  2021-04-07  0:09 [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock Aditya Pakki
@ 2021-04-07 18:26 ` Santosh Shilimkar
  2021-04-07 21:10 ` patchwork-bot+netdevbpf
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 9+ messages in thread
From: Santosh Shilimkar @ 2021-04-07 18:26 UTC (permalink / raw)
  To: Aditya Pakki
  Cc: David S. Miller, Jakub Kicinski, netdev, linux-rdma, linux-kernel


> On Apr 6, 2021, at 5:09 PM, Aditya Pakki <pakki001@umn.edu> wrote:
> 
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.
> 
> Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> ---
> net/rds/message.c | 1 +
> net/rds/send.c    | 2 +-
> 2 files changed, 2 insertions(+), 1 deletion(-)

Looks fine by me. Thanks.

Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
  2021-04-07  0:09 [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock Aditya Pakki
  2021-04-07 18:26 ` Santosh Shilimkar
@ 2021-04-07 21:10 ` patchwork-bot+netdevbpf
  2021-04-09 10:26 ` Eric Dumazet
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 9+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-04-07 21:10 UTC (permalink / raw)
  To: Aditya Pakki
  Cc: santosh.shilimkar, davem, kuba, netdev, linux-rdma, rds-devel,
	linux-kernel

Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Tue,  6 Apr 2021 19:09:12 -0500 you wrote:
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.
> 
> Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> ---
>  net/rds/message.c | 1 +
>  net/rds/send.c    | 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)

Here is the summary with links:
  - net/rds: Avoid potential use after free in rds_send_remove_from_sock
    https://git.kernel.org/netdev/net/c/0c85a7e87465

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
  2021-04-07  0:09 [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock Aditya Pakki
  2021-04-07 18:26 ` Santosh Shilimkar
  2021-04-07 21:10 ` patchwork-bot+netdevbpf
@ 2021-04-09 10:26 ` Eric Dumazet
  2021-04-19 22:12 ` Al Viro
  2021-04-20  9:09 ` Leon Romanovsky
  4 siblings, 0 replies; 9+ messages in thread
From: Eric Dumazet @ 2021-04-09 10:26 UTC (permalink / raw)
  To: Aditya Pakki
  Cc: Santosh Shilimkar, David S. Miller, Jakub Kicinski, netdev,
	linux-rdma, rds-devel, linux-kernel



On 4/7/21 2:09 AM, Aditya Pakki wrote:
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.
> 
> Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> ---
>  net/rds/message.c | 1 +
>  net/rds/send.c    | 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/rds/message.c b/net/rds/message.c
> index 071a261fdaab..90ebcfe5fe3b 100644
> --- a/net/rds/message.c
> +++ b/net/rds/message.c
> @@ -180,6 +180,7 @@ void rds_message_put(struct rds_message *rm)
>  		rds_message_purge(rm);
>  
>  		kfree(rm);
> +		rm = NULL;

This is a nop really.

This does not clear @rm variable in the caller.



>  	}
>  }
>  EXPORT_SYMBOL_GPL(rds_message_put);
> diff --git a/net/rds/send.c b/net/rds/send.c
> index 985d0b7713ac..fe5264b9d4b3 100644
> --- a/net/rds/send.c
> +++ b/net/rds/send.c
> @@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
>  unlock_and_drop:
>  		spin_unlock_irqrestore(&rm->m_rs_lock, flags);
>  		rds_message_put(rm);
> -		if (was_on_sock)
> +		if (was_on_sock && rm)
>  			rds_message_put(rm);

Maybe the bug is that the refcount has not be elevated when was_on_sock
has been set.

>  	}
>  
> 

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
  2021-04-07  0:09 [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock Aditya Pakki
                   ` (2 preceding siblings ...)
  2021-04-09 10:26 ` Eric Dumazet
@ 2021-04-19 22:12 ` Al Viro
  2021-04-20  9:09 ` Leon Romanovsky
  4 siblings, 0 replies; 9+ messages in thread
From: Al Viro @ 2021-04-19 22:12 UTC (permalink / raw)
  To: Aditya Pakki
  Cc: Santosh Shilimkar, David S. Miller, Jakub Kicinski, netdev,
	linux-rdma, rds-devel, linux-kernel

On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:

> --- a/net/rds/send.c
> +++ b/net/rds/send.c
> @@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
>  unlock_and_drop:
>  		spin_unlock_irqrestore(&rm->m_rs_lock, flags);
>  		rds_message_put(rm);
> -		if (was_on_sock)
> +		if (was_on_sock && rm)
>  			rds_message_put(rm);

	Look at the code immediately prior to the site of your "fix".
Think for a second what will happen if we *could* get there with rm
equal to NULL (with your patch applied, that is).  Now, try to construct
the sequence of events that would lead to that situation.  Either you
will arrive at a real bug (in which case your fix does not actually
fix anything) *OR* you will get closer to realization that "defensive
programming" tends to be worthless garbage.  In both case the result
would be useful...

	Incidentally, locate the place where that variable is
last modified and find the precondition required for rm == NULL
downstream of that.

	Plainly put, the patch demonstrates either complete lack of
understanding or somebody not acting in good faith.  If it's the latter[1],
may I suggest the esteemed sociologists to fuck off and stop
testing the reviewers with deliberately spewed excrements?

[1] https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
  2021-04-07  0:09 [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock Aditya Pakki
                   ` (3 preceding siblings ...)
  2021-04-19 22:12 ` Al Viro
@ 2021-04-20  9:09 ` Leon Romanovsky
  2021-04-20  9:11   ` Leon Romanovsky
  4 siblings, 1 reply; 9+ messages in thread
From: Leon Romanovsky @ 2021-04-20  9:09 UTC (permalink / raw)
  To: David S. Miller, Jakub Kicinski
  Cc: Aditya Pakki, Santosh Shilimkar, netdev, linux-rdma, rds-devel,
	linux-kernel

On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.
> 
> Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> ---
>  net/rds/message.c | 1 +
>  net/rds/send.c    | 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)

Dave, Jakub

Please revert this patch, given responses from Eric and Al together
with this response from Greg here https://lore.kernel.org/lkml/YH5/i7OvsjSmqADv@kroah.com

BTW, I looked on the rds code too and agree with Eric, this patch
is a total garbage.

Thanks

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
  2021-04-20  9:09 ` Leon Romanovsky
@ 2021-04-20  9:11   ` Leon Romanovsky
  2021-04-21 14:19     ` Krzysztof Kozlowski
  0 siblings, 1 reply; 9+ messages in thread
From: Leon Romanovsky @ 2021-04-20  9:11 UTC (permalink / raw)
  To: David S. Miller, Jakub Kicinski
  Cc: Aditya Pakki, Santosh Shilimkar, netdev, linux-rdma, rds-devel,
	linux-kernel

On Tue, Apr 20, 2021 at 12:09:06PM +0300, Leon Romanovsky wrote:
> On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:
> > In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> > is freed and later under spinlock, causing potential use-after-free.
> > Set the free pointer to NULL to avoid undefined behavior.
> > 
> > Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> > ---
> >  net/rds/message.c | 1 +
> >  net/rds/send.c    | 2 +-
> >  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> Dave, Jakub
> 
> Please revert this patch, given responses from Eric and Al together
> with this response from Greg here https://lore.kernel.org/lkml/YH5/i7OvsjSmqADv@kroah.com

https://lore.kernel.org/lkml/YH5%2Fi7OvsjSmqADv@kroah.com/

> 
> BTW, I looked on the rds code too and agree with Eric, this patch
> is a total garbage.
> 
> Thanks

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
  2021-04-20  9:11   ` Leon Romanovsky
@ 2021-04-21 14:19     ` Krzysztof Kozlowski
  2021-04-21 15:36       ` Leon Romanovsky
  0 siblings, 1 reply; 9+ messages in thread
From: Krzysztof Kozlowski @ 2021-04-21 14:19 UTC (permalink / raw)
  To: Leon Romanovsky, David S. Miller
  Cc: Jakub Kicinski, Aditya Pakki, Santosh Shilimkar, netdev,
	linux-rdma, rds-devel, linux-kernel

On Tue, 20 Apr 2021 at 11:13, Leon Romanovsky <leon@kernel.org> wrote:
>
> On Tue, Apr 20, 2021 at 12:09:06PM +0300, Leon Romanovsky wrote:
> > On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:
> > > In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> > > is freed and later under spinlock, causing potential use-after-free.
> > > Set the free pointer to NULL to avoid undefined behavior.
> > >
> > > Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> > > ---
> > >  net/rds/message.c | 1 +
> > >  net/rds/send.c    | 2 +-
> > >  2 files changed, 2 insertions(+), 1 deletion(-)
> >
> > Dave, Jakub
> >
> > Please revert this patch, given responses from Eric and Al together
> > with this response from Greg here https://lore.kernel.org/lkml/YH5/i7OvsjSmqADv@kroah.com
>
> https://lore.kernel.org/lkml/YH5%2Fi7OvsjSmqADv@kroah.com/
>
> >
> > BTW, I looked on the rds code too and agree with Eric, this patch
> > is a total garbage.

When reverting, consider giving credits to Kees/Coverity as he pointed
out after testing linux-next that this is bogus:
https://lore.kernel.org/linux-next/202104081640.1A09A99900@keescook/


Best regards,
Krzysztof

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
  2021-04-21 14:19     ` Krzysztof Kozlowski
@ 2021-04-21 15:36       ` Leon Romanovsky
  0 siblings, 0 replies; 9+ messages in thread
From: Leon Romanovsky @ 2021-04-21 15:36 UTC (permalink / raw)
  To: Krzysztof Kozlowski
  Cc: David S. Miller, Jakub Kicinski, Aditya Pakki, Santosh Shilimkar,
	netdev, linux-rdma, rds-devel, linux-kernel

On Wed, Apr 21, 2021 at 04:19:03PM +0200, Krzysztof Kozlowski wrote:
> On Tue, 20 Apr 2021 at 11:13, Leon Romanovsky <leon@kernel.org> wrote:
> >
> > On Tue, Apr 20, 2021 at 12:09:06PM +0300, Leon Romanovsky wrote:
> > > On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:
> > > > In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> > > > is freed and later under spinlock, causing potential use-after-free.
> > > > Set the free pointer to NULL to avoid undefined behavior.
> > > >
> > > > Signed-off-by: Aditya Pakki <pakki001@umn.edu>
> > > > ---
> > > >  net/rds/message.c | 1 +
> > > >  net/rds/send.c    | 2 +-
> > > >  2 files changed, 2 insertions(+), 1 deletion(-)
> > >
> > > Dave, Jakub
> > >
> > > Please revert this patch, given responses from Eric and Al together
> > > with this response from Greg here https://lore.kernel.org/lkml/YH5/i7OvsjSmqADv@kroah.com
> >
> > https://lore.kernel.org/lkml/YH5%2Fi7OvsjSmqADv@kroah.com/
> >
> > >
> > > BTW, I looked on the rds code too and agree with Eric, this patch
> > > is a total garbage.
> 
> When reverting, consider giving credits to Kees/Coverity as he pointed
> out after testing linux-next that this is bogus:
> https://lore.kernel.org/linux-next/202104081640.1A09A99900@keescook/

The revert is already done for almost all @umn.edu patches.
https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/

Thanks

> 
> 
> Best regards,
> Krzysztof

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, back to index

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-07  0:09 [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock Aditya Pakki
2021-04-07 18:26 ` Santosh Shilimkar
2021-04-07 21:10 ` patchwork-bot+netdevbpf
2021-04-09 10:26 ` Eric Dumazet
2021-04-19 22:12 ` Al Viro
2021-04-20  9:09 ` Leon Romanovsky
2021-04-20  9:11   ` Leon Romanovsky
2021-04-21 14:19     ` Krzysztof Kozlowski
2021-04-21 15:36       ` Leon Romanovsky

Linux-RDMA Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-rdma/0 linux-rdma/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-rdma linux-rdma/ https://lore.kernel.org/linux-rdma \
		linux-rdma@vger.kernel.org
	public-inbox-index linux-rdma

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-rdma


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git