linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Wei Wang <weiwan@google.com>,
	Eric Dumazet <edumazet@google.com>,
	Christoph Paasch <cpaasch@apple.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 35/86] tcp: make sure listeners dont initialize congestion-control state
Date: Mon, 20 Jul 2020 17:36:31 +0200	[thread overview]
Message-ID: <20200720152754.930710977@linuxfoundation.org> (raw)
In-Reply-To: <20200720152753.138974850@linuxfoundation.org>

From: Christoph Paasch <cpaasch@apple.com>

[ Upstream commit ce69e563b325f620863830c246a8698ccea52048 ]

syzkaller found its way into setsockopt with TCP_CONGESTION "cdg".
tcp_cdg_init() does a kcalloc to store the gradients. As sk_clone_lock
just copies all the memory, the allocated pointer will be copied as
well, if the app called setsockopt(..., TCP_CONGESTION) on the listener.
If now the socket will be destroyed before the congestion-control
has properly been initialized (through a call to tcp_init_transfer), we
will end up freeing memory that does not belong to that particular
socket, opening the door to a double-free:

[   11.413102] ==================================================================
[   11.414181] BUG: KASAN: double-free or invalid-free in tcp_cleanup_congestion_control+0x58/0xd0
[   11.415329]
[   11.415560] CPU: 3 PID: 4884 Comm: syz-executor.5 Not tainted 5.8.0-rc2 #80
[   11.416544] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[   11.418148] Call Trace:
[   11.418534]  <IRQ>
[   11.418834]  dump_stack+0x7d/0xb0
[   11.419297]  print_address_description.constprop.0+0x1a/0x210
[   11.422079]  kasan_report_invalid_free+0x51/0x80
[   11.423433]  __kasan_slab_free+0x15e/0x170
[   11.424761]  kfree+0x8c/0x230
[   11.425157]  tcp_cleanup_congestion_control+0x58/0xd0
[   11.425872]  tcp_v4_destroy_sock+0x57/0x5a0
[   11.426493]  inet_csk_destroy_sock+0x153/0x2c0
[   11.427093]  tcp_v4_syn_recv_sock+0xb29/0x1100
[   11.427731]  tcp_get_cookie_sock+0xc3/0x4a0
[   11.429457]  cookie_v4_check+0x13d0/0x2500
[   11.433189]  tcp_v4_do_rcv+0x60e/0x780
[   11.433727]  tcp_v4_rcv+0x2869/0x2e10
[   11.437143]  ip_protocol_deliver_rcu+0x23/0x190
[   11.437810]  ip_local_deliver+0x294/0x350
[   11.439566]  __netif_receive_skb_one_core+0x15d/0x1a0
[   11.441995]  process_backlog+0x1b1/0x6b0
[   11.443148]  net_rx_action+0x37e/0xc40
[   11.445361]  __do_softirq+0x18c/0x61a
[   11.445881]  asm_call_on_stack+0x12/0x20
[   11.446409]  </IRQ>
[   11.446716]  do_softirq_own_stack+0x34/0x40
[   11.447259]  do_softirq.part.0+0x26/0x30
[   11.447827]  __local_bh_enable_ip+0x46/0x50
[   11.448406]  ip_finish_output2+0x60f/0x1bc0
[   11.450109]  __ip_queue_xmit+0x71c/0x1b60
[   11.451861]  __tcp_transmit_skb+0x1727/0x3bb0
[   11.453789]  tcp_rcv_state_process+0x3070/0x4d3a
[   11.456810]  tcp_v4_do_rcv+0x2ad/0x780
[   11.457995]  __release_sock+0x14b/0x2c0
[   11.458529]  release_sock+0x4a/0x170
[   11.459005]  __inet_stream_connect+0x467/0xc80
[   11.461435]  inet_stream_connect+0x4e/0xa0
[   11.462043]  __sys_connect+0x204/0x270
[   11.465515]  __x64_sys_connect+0x6a/0xb0
[   11.466088]  do_syscall_64+0x3e/0x70
[   11.466617]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   11.467341] RIP: 0033:0x7f56046dc469
[   11.467844] Code: Bad RIP value.
[   11.468282] RSP: 002b:00007f5604dccdd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   11.469326] RAX: ffffffffffffffda RBX: 000000000068bf00 RCX: 00007f56046dc469
[   11.470379] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004
[   11.471311] RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000
[   11.472286] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   11.473341] R13: 000000000041427c R14: 00007f5604dcd5c0 R15: 0000000000000003
[   11.474321]
[   11.474527] Allocated by task 4884:
[   11.475031]  save_stack+0x1b/0x40
[   11.475548]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   11.476182]  tcp_cdg_init+0xf0/0x150
[   11.476744]  tcp_init_congestion_control+0x9b/0x3a0
[   11.477435]  tcp_set_congestion_control+0x270/0x32f
[   11.478088]  do_tcp_setsockopt.isra.0+0x521/0x1a00
[   11.478744]  __sys_setsockopt+0xff/0x1e0
[   11.479259]  __x64_sys_setsockopt+0xb5/0x150
[   11.479895]  do_syscall_64+0x3e/0x70
[   11.480395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   11.481097]
[   11.481321] Freed by task 4872:
[   11.481783]  save_stack+0x1b/0x40
[   11.482230]  __kasan_slab_free+0x12c/0x170
[   11.482839]  kfree+0x8c/0x230
[   11.483240]  tcp_cleanup_congestion_control+0x58/0xd0
[   11.483948]  tcp_v4_destroy_sock+0x57/0x5a0
[   11.484502]  inet_csk_destroy_sock+0x153/0x2c0
[   11.485144]  tcp_close+0x932/0xfe0
[   11.485642]  inet_release+0xc1/0x1c0
[   11.486131]  __sock_release+0xc0/0x270
[   11.486697]  sock_close+0xc/0x10
[   11.487145]  __fput+0x277/0x780
[   11.487632]  task_work_run+0xeb/0x180
[   11.488118]  __prepare_exit_to_usermode+0x15a/0x160
[   11.488834]  do_syscall_64+0x4a/0x70
[   11.489326]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Wei Wang fixed a part of these CDG-malloc issues with commit c12014440750
("tcp: memset ca_priv data to 0 properly").

This patch here fixes the listener-scenario: We make sure that listeners
setting the congestion-control through setsockopt won't initialize it
(thus CDG never allocates on listeners). For those who use AF_UNSPEC to
reuse a socket, tcp_disconnect() is changed to cleanup afterwards.

(The issue can be reproduced at least down to v4.4.x.)

Cc: Wei Wang <weiwan@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Fixes: 2b0a8c9eee81 ("tcp: add CDG congestion control")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp.c      |    3 +++
 net/ipv4/tcp_cong.c |    2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2299,6 +2299,9 @@ int tcp_disconnect(struct sock *sk, int
 	tp->snd_cwnd_cnt = 0;
 	tp->window_clamp = 0;
 	tp->delivered = 0;
+	if (icsk->icsk_ca_ops->release)
+		icsk->icsk_ca_ops->release(sk);
+	memset(icsk->icsk_ca_priv, 0, sizeof(icsk->icsk_ca_priv));
 	tcp_set_ca_state(sk, TCP_CA_Open);
 	tp->is_sack_reneg = 0;
 	tcp_clear_retrans(tp);
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -198,7 +198,7 @@ static void tcp_reinit_congestion_contro
 	icsk->icsk_ca_setsockopt = 1;
 	memset(icsk->icsk_ca_priv, 0, sizeof(icsk->icsk_ca_priv));
 
-	if (sk->sk_state != TCP_CLOSE)
+	if (!((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
 		tcp_init_congestion_control(sk);
 }
 



  parent reply	other threads:[~2020-07-20 15:42 UTC|newest]

Thread overview: 92+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-20 15:35 [PATCH 4.9 00/86] 4.9.231-rc1 review Greg Kroah-Hartman
2020-07-20 15:35 ` [PATCH 4.9 01/86] KVM: s390: reduce number of IO pins to 1 Greg Kroah-Hartman
2020-07-20 15:35 ` [PATCH 4.9 02/86] gpu: host1x: Detach driver on unregister Greg Kroah-Hartman
2020-07-20 15:35 ` [PATCH 4.9 03/86] spi: spidev: fix a race between spidev_release and spidev_remove Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 04/86] spi: spidev: fix a potential use-after-free in spidev_release() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 05/86] s390/kasan: fix early pgm check handler execution Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 06/86] cifs: update ctime and mtime during truncate Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 07/86] ARM: imx6: add missing put_device() call in imx6q_suspend_init() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 08/86] scsi: mptscsih: Fix read sense data size Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 09/86] net: cxgb4: fix return error value in t4_prep_fw Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 10/86] smsc95xx: check return value of smsc95xx_reset Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 11/86] smsc95xx: avoid memory leak in smsc95xx_bind Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 12/86] ALSA: compress: fix partial_drain completion state Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 13/86] arm64: kgdb: Fix single-step exception handling oops Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 14/86] bnxt_en: fix NULL dereference in case SR-IOV configuration fails Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 15/86] net: macb: mark device wake capable when "magic-packet" property present Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 16/86] ALSA: opl3: fix infoleak in opl3 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 17/86] ALSA: hda - let hs_mic be picked ahead of hp_mic Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 18/86] ALSA: usb-audio: add quirk for MacroSilicon MS2109 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 19/86] KVM: arm64: Fix definition of PAGE_HYP_DEVICE Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 20/86] KVM: x86: bit 8 of non-leaf PDPEs is not reserved Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 21/86] Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 22/86] btrfs: fix fatal extent_buffer readahead vs releasepage race Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 23/86] drm/radeon: fix double free Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 24/86] ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 25/86] ARC: elf: use right ELF_ARCH Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 26/86] s390/mm: fix huge pte soft dirty copying Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 27/86] ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 28/86] l2tp: remove skb_dst_set() from l2tp_xmit_skb() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 29/86] llc: make sure applications use ARPHRD_ETHER Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 30/86] net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 31/86] net: usb: qmi_wwan: add support for Quectel EG95 LTE modem Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 32/86] tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 33/86] tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 34/86] genetlink: remove genl_bind Greg Kroah-Hartman
2020-07-20 15:36 ` Greg Kroah-Hartman [this message]
2020-07-20 15:36 ` [PATCH 4.9 36/86] tcp: md5: do not send silly options in SYNCOOKIES Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 37/86] tcp: md5: allow changing MD5 keys in all socket states Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 38/86] cgroup: fix cgroup_sk_alloc() for sk_clone_lock() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 39/86] cgroup: Fix sock_cgroup_data on big-endian Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 40/86] i2c: eg20t: Load module automatically if ID matches Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 41/86] iio:magnetometer:ak8974: Fix alignment and data leak issues Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 42/86] iio: magnetometer: ak8974: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 43/86] iio: mma8452: Add missed iio_device_unregister() call in mma8452_probe() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 44/86] iio: pressure: zpa2326: handle pm_runtime_get_sync failure Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 45/86] iio:pressure:ms5611 Fix buffer element alignment Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 46/86] iio:health:afe4403 Fix timestamp alignment and prevent data leak Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 47/86] spi: fix initial SPI_SR value in spi-fsl-dspi Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 48/86] net: dsa: bcm_sf2: Fix node reference count Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 49/86] Revert "usb/ehci-platform: Set PM runtime as active on resume" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 50/86] Revert "usb/xhci-plat: " Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 51/86] Revert "usb/ohci-platform: Fix a warning when hibernating" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 52/86] iio:health:afe4404 Fix timestamp alignment and prevent data leak Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 53/86] spi: spi-sun6i: sun6i_spi_transfer_one(): fix setting of clock rate Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 54/86] usb: gadget: udc: atmel: fix uninitialized read in debug printk Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 55/86] staging: comedi: verify array index is correct before using it Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 56/86] Revert "thermal: mediatek: fix register index error" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 57/86] ARM: dts: socfpga: Align L2 cache-controller nodename with dtschema Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 58/86] perf stat: Zero all the ena and run array slot stats for interval mode Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 59/86] mtd: rawnand: brcmnand: fix CS0 layout Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 60/86] HID: magicmouse: do not set up autorepeat Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 61/86] usb: core: Add a helper function to check the validity of EP type in URB Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 62/86] ALSA: line6: Perform sanity check for each URB creation Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 63/86] ALSA: usb-audio: Fix race against the error recovery URB submission Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 64/86] USB: c67x00: fix use after free in c67x00_giveback_urb Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 65/86] usb: dwc2: Fix shutdown callback in platform Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 66/86] usb: chipidea: core: add wakeup support for extcon Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 67/86] usb: gadget: function: fix missing spinlock in f_uac1_legacy Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 68/86] USB: serial: iuu_phoenix: fix memory corruption Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 69/86] USB: serial: cypress_m8: enable Simply Automated UPB PIM Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 70/86] USB: serial: ch341: add new Product ID for CH340 Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 71/86] USB: serial: option: add GosunCn GM500 series Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 72/86] USB: serial: option: add Quectel EG95 LTE modem Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 73/86] virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 74/86] fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 75/86] mei: bus: dont clean driver pointer Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 76/86] Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 77/86] uio_pdrv_genirq: fix use without device tree and no interrupt Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 78/86] timer: Fix wheel index calculation on last level Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 79/86] MIPS: Fix build for LTS kernel caused by backporting lpj adjustment Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 80/86] hwmon: (emc2103) fix unable to change fan pwm1_enable attribute Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 81/86] dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 82/86] misc: atmel-ssc: lock with mutex instead of spinlock Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 83/86] arm64: ptrace: Override SPSR.SS when single-stepping is enabled Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 84/86] sched/fair: handle case of task_h_load() returning 0 Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 85/86] irqchip/gic: Atomically update affinity Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 86/86] x86/cpu: Move x86_cache_bits settings Greg Kroah-Hartman
2020-07-20 23:50 ` [PATCH 4.9 00/86] 4.9.231-rc1 review Shuah Khan
2020-07-21 10:14 ` Naresh Kamboju
2020-07-21 13:10 ` Thierry Reding
2020-07-21 13:15 ` Thierry Reding
2020-07-21 16:36 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200720152754.930710977@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=cpaasch@apple.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=weiwan@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).