linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH net] rxrpc: Fix clearance of Tx/Rx ring when releasing a call
@ 2021-02-03  8:47 David Howells
  2021-02-05  2:20 ` patchwork-bot+netdevbpf
  0 siblings, 1 reply; 2+ messages in thread
From: David Howells @ 2021-02-03  8:47 UTC (permalink / raw)
  To: netdev
  Cc: syzbot+174de899852504e4a74a, syzbot+3d1c772efafd3c38d007,
	Hillf Danton, dhowells, linux-afs, linux-kernel

At the end of rxrpc_release_call(), rxrpc_cleanup_ring() is called to clear
the Rx/Tx skbuff ring, but this doesn't lock the ring whilst it's accessing
it.  Unfortunately, rxrpc_resend() might be trying to retransmit a packet
concurrently with this - and whilst it does lock the ring, this isn't
protection against rxrpc_cleanup_call().

Fix this by removing the call to rxrpc_cleanup_ring() from
rxrpc_release_call().  rxrpc_cleanup_ring() will be called again anyway
from rxrpc_cleanup_call().  The earlier call is just an optimisation to
recycle skbuffs more quickly.

Alternative solutions include rxrpc_release_call() could try to cancel the
work item or wait for it to complete or rxrpc_cleanup_ring() could lock
when accessing the ring (which would require a bh lock).

This can produce a report like the following:

  BUG: KASAN: use-after-free in rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
  Read of size 4 at addr ffff888011606e04 by task kworker/0:0/5
  ...
  Workqueue: krxrpcd rxrpc_process_call
  Call Trace:
   ...
   kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
   rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
   rxrpc_resend net/rxrpc/call_event.c:266 [inline]
   rxrpc_process_call+0x1634/0x1f60 net/rxrpc/call_event.c:412
   process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
   ...

  Allocated by task 2318:
   ...
   sock_alloc_send_pskb+0x793/0x920 net/core/sock.c:2348
   rxrpc_send_data+0xb51/0x2bf0 net/rxrpc/sendmsg.c:358
   rxrpc_do_sendmsg+0xc03/0x1350 net/rxrpc/sendmsg.c:744
   rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:560
   ...

  Freed by task 2318:
   ...
   kfree_skb+0x140/0x3f0 net/core/skbuff.c:704
   rxrpc_free_skb+0x11d/0x150 net/rxrpc/skbuff.c:78
   rxrpc_cleanup_ring net/rxrpc/call_object.c:485 [inline]
   rxrpc_release_call+0x5dd/0x860 net/rxrpc/call_object.c:552
   rxrpc_release_calls_on_socket+0x21c/0x300 net/rxrpc/call_object.c:579
   rxrpc_release_sock net/rxrpc/af_rxrpc.c:885 [inline]
   rxrpc_release+0x263/0x5a0 net/rxrpc/af_rxrpc.c:916
   __sock_release+0xcd/0x280 net/socket.c:597
   ...

  The buggy address belongs to the object at ffff888011606dc0
   which belongs to the cache skbuff_head_cache of size 232

Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
Reported-by: syzbot+174de899852504e4a74a@syzkaller.appspotmail.com
Reported-by: syzbot+3d1c772efafd3c38d007@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hillf Danton <hdanton@sina.com>
---

 net/rxrpc/call_object.c |    2 --
 1 file changed, 2 deletions(-)

diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
index c845594b663f..4eb91d958a48 100644
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -548,8 +548,6 @@ void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call)
 		rxrpc_disconnect_call(call);
 	if (call->security)
 		call->security->free_call_crypto(call);
-
-	rxrpc_cleanup_ring(call);
 	_leave("");
 }
 



^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH net] rxrpc: Fix clearance of Tx/Rx ring when releasing a call
  2021-02-03  8:47 [PATCH net] rxrpc: Fix clearance of Tx/Rx ring when releasing a call David Howells
@ 2021-02-05  2:20 ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-02-05  2:20 UTC (permalink / raw)
  To: David Howells
  Cc: netdev, syzbot+174de899852504e4a74a, syzbot+3d1c772efafd3c38d007,
	hdanton, linux-afs, linux-kernel

Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Wed, 03 Feb 2021 08:47:56 +0000 you wrote:
> At the end of rxrpc_release_call(), rxrpc_cleanup_ring() is called to clear
> the Rx/Tx skbuff ring, but this doesn't lock the ring whilst it's accessing
> it.  Unfortunately, rxrpc_resend() might be trying to retransmit a packet
> concurrently with this - and whilst it does lock the ring, this isn't
> protection against rxrpc_cleanup_call().
> 
> Fix this by removing the call to rxrpc_cleanup_ring() from
> rxrpc_release_call().  rxrpc_cleanup_ring() will be called again anyway
> from rxrpc_cleanup_call().  The earlier call is just an optimisation to
> recycle skbuffs more quickly.
> 
> [...]

Here is the summary with links:
  - [net] rxrpc: Fix clearance of Tx/Rx ring when releasing a call
    https://git.kernel.org/netdev/net/c/7b5eab57cac4

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-02-05  2:20 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-03  8:47 [PATCH net] rxrpc: Fix clearance of Tx/Rx ring when releasing a call David Howells
2021-02-05  2:20 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).