From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Dirk van der Merwe <dirk.vandermerwe@netronome.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.1 37/55] net/tls: fix page double free on TX cleanup
Date: Tue, 2 Jul 2019 10:01:45 +0200 [thread overview]
Message-ID: <20190702080126.051692389@linuxfoundation.org> (raw)
In-Reply-To: <20190702080124.103022729@linuxfoundation.org>
From: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
[ Upstream commit 9354544cbccf68da1b047f8fb7b47630e3c8a59d ]
With commit 94850257cf0f ("tls: Fix tls_device handling of partial records")
a new path was introduced to cleanup partial records during sk_proto_close.
This path does not handle the SW KTLS tx_list cleanup.
This is unnecessary though since the free_resources calls for both
SW and offload paths will cleanup a partial record.
The visible effect is the following warning, but this bug also causes
a page double free.
WARNING: CPU: 7 PID: 4000 at net/core/stream.c:206 sk_stream_kill_queues+0x103/0x110
RIP: 0010:sk_stream_kill_queues+0x103/0x110
RSP: 0018:ffffb6df87e07bd0 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff8c21db4971c0 RCX: 0000000000000007
RDX: ffffffffffffffa0 RSI: 000000000000001d RDI: ffff8c21db497270
RBP: ffff8c21db497270 R08: ffff8c29f4748600 R09: 000000010020001a
R10: ffffb6df87e07aa0 R11: ffffffff9a445600 R12: 0000000000000007
R13: 0000000000000000 R14: ffff8c21f03f2900 R15: ffff8c21f03b8df0
Call Trace:
inet_csk_destroy_sock+0x55/0x100
tcp_close+0x25d/0x400
? tcp_check_oom+0x120/0x120
tls_sk_proto_close+0x127/0x1c0
inet_release+0x3c/0x60
__sock_release+0x3d/0xb0
sock_close+0x11/0x20
__fput+0xd8/0x210
task_work_run+0x84/0xa0
do_exit+0x2dc/0xb90
? release_sock+0x43/0x90
do_group_exit+0x3a/0xa0
get_signal+0x295/0x720
do_signal+0x36/0x610
? SYSC_recvfrom+0x11d/0x130
exit_to_usermode_loop+0x69/0xb0
do_syscall_64+0x173/0x180
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x7fe9b9abc10d
RSP: 002b:00007fe9b19a1d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 0000000000000006 RCX: 00007fe9b9abc10d
RDX: 0000000000000002 RSI: 0000000000000080 RDI: 00007fe948003430
RBP: 00007fe948003410 R08: 00007fe948003430 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00005603739d9080
R13: 00007fe9b9ab9f90 R14: 00007fe948003430 R15: 0000000000000000
Fixes: 94850257cf0f ("tls: Fix tls_device handling of partial records")
Signed-off-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/tls.h | 15 ---------------
net/tls/tls_main.c | 3 ++-
2 files changed, 2 insertions(+), 16 deletions(-)
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -347,21 +347,6 @@ static inline bool tls_is_partially_sent
return !!ctx->partially_sent_record;
}
-static inline int tls_complete_pending_work(struct sock *sk,
- struct tls_context *ctx,
- int flags, long *timeo)
-{
- int rc = 0;
-
- if (unlikely(sk->sk_write_pending))
- rc = wait_on_pending_writer(sk, timeo);
-
- if (!rc && tls_is_partially_sent_record(ctx))
- rc = tls_push_partial_record(sk, ctx, flags);
-
- return rc;
-}
-
static inline bool tls_is_pending_open_record(struct tls_context *tls_ctx)
{
return tls_ctx->pending_open_record_frags;
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -279,7 +279,8 @@ static void tls_sk_proto_close(struct so
goto skip_tx_cleanup;
}
- if (!tls_complete_pending_work(sk, ctx, 0, &timeo))
+ if (unlikely(sk->sk_write_pending) &&
+ !wait_on_pending_writer(sk, &timeo))
tls_handle_open_record(sk, 0);
/* We need these for tls_sw_fallback handling of other packets */
next prev parent reply other threads:[~2019-07-02 8:04 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-02 8:01 [PATCH 5.1 00/55] 5.1.16-stable review Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 01/55] arm64: Dont unconditionally add -Wno-psabi to KBUILD_CFLAGS Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 02/55] Revert "x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP" Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 03/55] qmi_wwan: Fix out-of-bounds read Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 04/55] fs/proc/array.c: allow reporting eip/esp for all coredumping threads Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 05/55] mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 06/55] fs/binfmt_flat.c: make load_flat_shared_library() work Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 07/55] clk: tegra210: Fix default rates for HDA clocks Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 08/55] clk: socfpga: stratix10: fix divider entry for the emac clocks Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 09/55] drm/i915: Force 2*96 MHz cdclk on glk/cnl when audio power is enabled Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 10/55] drm/i915: Save the old CDCLK atomic state Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 11/55] drm/i915: Remove redundant store of logical CDCLK state Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 12/55] drm/i915: Skip modeset for cdclk changes if possible Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 13/55] mm: soft-offline: return -EBUSY if set_hwpoison_free_buddy_page() fails Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 14/55] mm: hugetlb: soft-offline: dissolve_free_huge_page() return zero on !PageHuge Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 15/55] mm/page_idle.c: fix oops because end_pfn is larger than max_pfn Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 16/55] mm, swap: fix THP swap out Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 17/55] dm init: fix incorrect uses of kstrndup() Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 18/55] dm log writes: make sure super sector log updates are written in order Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 19/55] io_uring: ensure req->file is cleared on allocation Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 20/55] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 21/55] x86/speculation: Allow guests to use SSBD even if host does not Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 22/55] x86/microcode: Fix the microcode load on CPU hotplug for real Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 23/55] x86/resctrl: Prevent possible overrun during bitmap operations Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 24/55] mm: fix page cache convergence regression Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 25/55] efi/memreserve: deal with memreserve entries in unmapped memory Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 26/55] NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 27/55] cpu/speculation: Warn on unsupported mitigations= parameter Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 28/55] SUNRPC: Fix up calculation of client message length Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 29/55] irqchip/mips-gic: Use the correct local interrupt map registers Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 30/55] af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 31/55] bonding: Always enable vlan tx offload Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 32/55] ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 33/55] net/packet: fix memory leak in packet_set_ring() Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 34/55] net: remove duplicate fetch in sock_getsockopt Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 35/55] net: stmmac: fixed new system time seconds value calculation Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 36/55] net: stmmac: set IC bit when transmitting frames with HW timestamp Greg Kroah-Hartman
2019-07-02 8:01 ` Greg Kroah-Hartman [this message]
2019-07-02 8:01 ` [PATCH 5.1 38/55] sctp: change to hold sk after auth shkey is created successfully Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 39/55] team: Always enable vlan tx offload Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 40/55] tipc: change to use register_pernet_device Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 41/55] tipc: check msg->req data len in tipc_nl_compat_bearer_disable Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 42/55] tun: wake up waitqueues after IFF_UP is set Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 43/55] net: aquantia: fix vlans not working over bridged network Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 44/55] bpf: simplify definition of BPF_FIB_LOOKUP related flags Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 45/55] bpf: lpm_trie: check left child of last leftmost node for NULL Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 46/55] bpf: fix nested bpf tracepoints with per-cpu data Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 47/55] bpf: fix unconnected udp hooks Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 48/55] bpf: udp: Avoid calling reuseports bpf_prog from udp_gro Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 49/55] bpf: udp: ipv6: Avoid running reuseports bpf_prog from __udp6_lib_err Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 50/55] arm64: futex: Avoid copying out uninitialised stack in failed cmpxchg() Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 5.1 51/55] bpf, arm64: use more scalable stadd over ldxr / stxr loop in xadd Greg Kroah-Hartman
2019-07-03 2:02 ` Sasha Levin
2019-07-03 7:24 ` Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 5.1 52/55] futex: Update comments and docs about return values of arch futex code Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 5.1 53/55] RDMA: Directly cast the sockaddr union to sockaddr Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 5.1 54/55] fanotify: update connector fsid cache on add mark Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 5.1 55/55] tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb Greg Kroah-Hartman
2019-07-02 14:32 ` [PATCH 5.1 00/55] 5.1.16-stable review kernelci.org bot
2019-07-02 17:39 ` Naresh Kamboju
2019-07-03 9:11 ` Greg Kroah-Hartman
2019-07-02 18:06 ` Jiunn Chang
2019-07-02 21:09 ` Kelsey Skunberg
2019-07-02 22:56 ` shuah
2019-07-03 9:12 ` Greg Kroah-Hartman
2019-07-03 6:26 ` Shreeya Patel
2019-07-03 10:21 ` Jon Hunter
2019-07-03 10:49 ` Greg Kroah-Hartman
2019-07-04 5:27 ` Bharath Vedartham
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190702080126.051692389@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dirk.vandermerwe@netronome.com \
--cc=jakub.kicinski@netronome.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).