From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Wei Wang <weiwan@google.com>,
Eric Dumazet <edumazet@google.com>,
Christoph Paasch <cpaasch@apple.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 35/86] tcp: make sure listeners dont initialize congestion-control state
Date: Mon, 20 Jul 2020 17:36:31 +0200 [thread overview]
Message-ID: <20200720152754.930710977@linuxfoundation.org> (raw)
In-Reply-To: <20200720152753.138974850@linuxfoundation.org>
From: Christoph Paasch <cpaasch@apple.com>
[ Upstream commit ce69e563b325f620863830c246a8698ccea52048 ]
syzkaller found its way into setsockopt with TCP_CONGESTION "cdg".
tcp_cdg_init() does a kcalloc to store the gradients. As sk_clone_lock
just copies all the memory, the allocated pointer will be copied as
well, if the app called setsockopt(..., TCP_CONGESTION) on the listener.
If now the socket will be destroyed before the congestion-control
has properly been initialized (through a call to tcp_init_transfer), we
will end up freeing memory that does not belong to that particular
socket, opening the door to a double-free:
[ 11.413102] ==================================================================
[ 11.414181] BUG: KASAN: double-free or invalid-free in tcp_cleanup_congestion_control+0x58/0xd0
[ 11.415329]
[ 11.415560] CPU: 3 PID: 4884 Comm: syz-executor.5 Not tainted 5.8.0-rc2 #80
[ 11.416544] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 11.418148] Call Trace:
[ 11.418534] <IRQ>
[ 11.418834] dump_stack+0x7d/0xb0
[ 11.419297] print_address_description.constprop.0+0x1a/0x210
[ 11.422079] kasan_report_invalid_free+0x51/0x80
[ 11.423433] __kasan_slab_free+0x15e/0x170
[ 11.424761] kfree+0x8c/0x230
[ 11.425157] tcp_cleanup_congestion_control+0x58/0xd0
[ 11.425872] tcp_v4_destroy_sock+0x57/0x5a0
[ 11.426493] inet_csk_destroy_sock+0x153/0x2c0
[ 11.427093] tcp_v4_syn_recv_sock+0xb29/0x1100
[ 11.427731] tcp_get_cookie_sock+0xc3/0x4a0
[ 11.429457] cookie_v4_check+0x13d0/0x2500
[ 11.433189] tcp_v4_do_rcv+0x60e/0x780
[ 11.433727] tcp_v4_rcv+0x2869/0x2e10
[ 11.437143] ip_protocol_deliver_rcu+0x23/0x190
[ 11.437810] ip_local_deliver+0x294/0x350
[ 11.439566] __netif_receive_skb_one_core+0x15d/0x1a0
[ 11.441995] process_backlog+0x1b1/0x6b0
[ 11.443148] net_rx_action+0x37e/0xc40
[ 11.445361] __do_softirq+0x18c/0x61a
[ 11.445881] asm_call_on_stack+0x12/0x20
[ 11.446409] </IRQ>
[ 11.446716] do_softirq_own_stack+0x34/0x40
[ 11.447259] do_softirq.part.0+0x26/0x30
[ 11.447827] __local_bh_enable_ip+0x46/0x50
[ 11.448406] ip_finish_output2+0x60f/0x1bc0
[ 11.450109] __ip_queue_xmit+0x71c/0x1b60
[ 11.451861] __tcp_transmit_skb+0x1727/0x3bb0
[ 11.453789] tcp_rcv_state_process+0x3070/0x4d3a
[ 11.456810] tcp_v4_do_rcv+0x2ad/0x780
[ 11.457995] __release_sock+0x14b/0x2c0
[ 11.458529] release_sock+0x4a/0x170
[ 11.459005] __inet_stream_connect+0x467/0xc80
[ 11.461435] inet_stream_connect+0x4e/0xa0
[ 11.462043] __sys_connect+0x204/0x270
[ 11.465515] __x64_sys_connect+0x6a/0xb0
[ 11.466088] do_syscall_64+0x3e/0x70
[ 11.466617] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 11.467341] RIP: 0033:0x7f56046dc469
[ 11.467844] Code: Bad RIP value.
[ 11.468282] RSP: 002b:00007f5604dccdd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 11.469326] RAX: ffffffffffffffda RBX: 000000000068bf00 RCX: 00007f56046dc469
[ 11.470379] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004
[ 11.471311] RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000
[ 11.472286] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 11.473341] R13: 000000000041427c R14: 00007f5604dcd5c0 R15: 0000000000000003
[ 11.474321]
[ 11.474527] Allocated by task 4884:
[ 11.475031] save_stack+0x1b/0x40
[ 11.475548] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 11.476182] tcp_cdg_init+0xf0/0x150
[ 11.476744] tcp_init_congestion_control+0x9b/0x3a0
[ 11.477435] tcp_set_congestion_control+0x270/0x32f
[ 11.478088] do_tcp_setsockopt.isra.0+0x521/0x1a00
[ 11.478744] __sys_setsockopt+0xff/0x1e0
[ 11.479259] __x64_sys_setsockopt+0xb5/0x150
[ 11.479895] do_syscall_64+0x3e/0x70
[ 11.480395] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 11.481097]
[ 11.481321] Freed by task 4872:
[ 11.481783] save_stack+0x1b/0x40
[ 11.482230] __kasan_slab_free+0x12c/0x170
[ 11.482839] kfree+0x8c/0x230
[ 11.483240] tcp_cleanup_congestion_control+0x58/0xd0
[ 11.483948] tcp_v4_destroy_sock+0x57/0x5a0
[ 11.484502] inet_csk_destroy_sock+0x153/0x2c0
[ 11.485144] tcp_close+0x932/0xfe0
[ 11.485642] inet_release+0xc1/0x1c0
[ 11.486131] __sock_release+0xc0/0x270
[ 11.486697] sock_close+0xc/0x10
[ 11.487145] __fput+0x277/0x780
[ 11.487632] task_work_run+0xeb/0x180
[ 11.488118] __prepare_exit_to_usermode+0x15a/0x160
[ 11.488834] do_syscall_64+0x4a/0x70
[ 11.489326] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Wei Wang fixed a part of these CDG-malloc issues with commit c12014440750
("tcp: memset ca_priv data to 0 properly").
This patch here fixes the listener-scenario: We make sure that listeners
setting the congestion-control through setsockopt won't initialize it
(thus CDG never allocates on listeners). For those who use AF_UNSPEC to
reuse a socket, tcp_disconnect() is changed to cleanup afterwards.
(The issue can be reproduced at least down to v4.4.x.)
Cc: Wei Wang <weiwan@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Fixes: 2b0a8c9eee81 ("tcp: add CDG congestion control")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 3 +++
net/ipv4/tcp_cong.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2299,6 +2299,9 @@ int tcp_disconnect(struct sock *sk, int
tp->snd_cwnd_cnt = 0;
tp->window_clamp = 0;
tp->delivered = 0;
+ if (icsk->icsk_ca_ops->release)
+ icsk->icsk_ca_ops->release(sk);
+ memset(icsk->icsk_ca_priv, 0, sizeof(icsk->icsk_ca_priv));
tcp_set_ca_state(sk, TCP_CA_Open);
tp->is_sack_reneg = 0;
tcp_clear_retrans(tp);
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -198,7 +198,7 @@ static void tcp_reinit_congestion_contro
icsk->icsk_ca_setsockopt = 1;
memset(icsk->icsk_ca_priv, 0, sizeof(icsk->icsk_ca_priv));
- if (sk->sk_state != TCP_CLOSE)
+ if (!((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
tcp_init_congestion_control(sk);
}
next prev parent reply other threads:[~2020-07-20 15:42 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-20 15:35 [PATCH 4.9 00/86] 4.9.231-rc1 review Greg Kroah-Hartman
2020-07-20 15:35 ` [PATCH 4.9 01/86] KVM: s390: reduce number of IO pins to 1 Greg Kroah-Hartman
2020-07-20 15:35 ` [PATCH 4.9 02/86] gpu: host1x: Detach driver on unregister Greg Kroah-Hartman
2020-07-20 15:35 ` [PATCH 4.9 03/86] spi: spidev: fix a race between spidev_release and spidev_remove Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 04/86] spi: spidev: fix a potential use-after-free in spidev_release() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 05/86] s390/kasan: fix early pgm check handler execution Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 06/86] cifs: update ctime and mtime during truncate Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 07/86] ARM: imx6: add missing put_device() call in imx6q_suspend_init() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 08/86] scsi: mptscsih: Fix read sense data size Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 09/86] net: cxgb4: fix return error value in t4_prep_fw Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 10/86] smsc95xx: check return value of smsc95xx_reset Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 11/86] smsc95xx: avoid memory leak in smsc95xx_bind Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 12/86] ALSA: compress: fix partial_drain completion state Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 13/86] arm64: kgdb: Fix single-step exception handling oops Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 14/86] bnxt_en: fix NULL dereference in case SR-IOV configuration fails Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 15/86] net: macb: mark device wake capable when "magic-packet" property present Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 16/86] ALSA: opl3: fix infoleak in opl3 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 17/86] ALSA: hda - let hs_mic be picked ahead of hp_mic Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 18/86] ALSA: usb-audio: add quirk for MacroSilicon MS2109 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 19/86] KVM: arm64: Fix definition of PAGE_HYP_DEVICE Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 20/86] KVM: x86: bit 8 of non-leaf PDPEs is not reserved Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 21/86] Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 22/86] btrfs: fix fatal extent_buffer readahead vs releasepage race Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 23/86] drm/radeon: fix double free Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 24/86] ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 25/86] ARC: elf: use right ELF_ARCH Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 26/86] s390/mm: fix huge pte soft dirty copying Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 27/86] ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 28/86] l2tp: remove skb_dst_set() from l2tp_xmit_skb() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 29/86] llc: make sure applications use ARPHRD_ETHER Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 30/86] net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 31/86] net: usb: qmi_wwan: add support for Quectel EG95 LTE modem Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 32/86] tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 33/86] tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 34/86] genetlink: remove genl_bind Greg Kroah-Hartman
2020-07-20 15:36 ` Greg Kroah-Hartman [this message]
2020-07-20 15:36 ` [PATCH 4.9 36/86] tcp: md5: do not send silly options in SYNCOOKIES Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 37/86] tcp: md5: allow changing MD5 keys in all socket states Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 38/86] cgroup: fix cgroup_sk_alloc() for sk_clone_lock() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 39/86] cgroup: Fix sock_cgroup_data on big-endian Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 40/86] i2c: eg20t: Load module automatically if ID matches Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 41/86] iio:magnetometer:ak8974: Fix alignment and data leak issues Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 42/86] iio: magnetometer: ak8974: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 43/86] iio: mma8452: Add missed iio_device_unregister() call in mma8452_probe() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 44/86] iio: pressure: zpa2326: handle pm_runtime_get_sync failure Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 45/86] iio:pressure:ms5611 Fix buffer element alignment Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 46/86] iio:health:afe4403 Fix timestamp alignment and prevent data leak Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 47/86] spi: fix initial SPI_SR value in spi-fsl-dspi Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 48/86] net: dsa: bcm_sf2: Fix node reference count Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 49/86] Revert "usb/ehci-platform: Set PM runtime as active on resume" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 50/86] Revert "usb/xhci-plat: " Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 51/86] Revert "usb/ohci-platform: Fix a warning when hibernating" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 52/86] iio:health:afe4404 Fix timestamp alignment and prevent data leak Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 53/86] spi: spi-sun6i: sun6i_spi_transfer_one(): fix setting of clock rate Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 54/86] usb: gadget: udc: atmel: fix uninitialized read in debug printk Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 55/86] staging: comedi: verify array index is correct before using it Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 56/86] Revert "thermal: mediatek: fix register index error" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 57/86] ARM: dts: socfpga: Align L2 cache-controller nodename with dtschema Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 58/86] perf stat: Zero all the ena and run array slot stats for interval mode Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 59/86] mtd: rawnand: brcmnand: fix CS0 layout Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 60/86] HID: magicmouse: do not set up autorepeat Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 61/86] usb: core: Add a helper function to check the validity of EP type in URB Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 62/86] ALSA: line6: Perform sanity check for each URB creation Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.9 63/86] ALSA: usb-audio: Fix race against the error recovery URB submission Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 64/86] USB: c67x00: fix use after free in c67x00_giveback_urb Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 65/86] usb: dwc2: Fix shutdown callback in platform Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 66/86] usb: chipidea: core: add wakeup support for extcon Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 67/86] usb: gadget: function: fix missing spinlock in f_uac1_legacy Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 68/86] USB: serial: iuu_phoenix: fix memory corruption Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 69/86] USB: serial: cypress_m8: enable Simply Automated UPB PIM Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 70/86] USB: serial: ch341: add new Product ID for CH340 Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 71/86] USB: serial: option: add GosunCn GM500 series Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 72/86] USB: serial: option: add Quectel EG95 LTE modem Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 73/86] virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 74/86] fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 75/86] mei: bus: dont clean driver pointer Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 76/86] Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 77/86] uio_pdrv_genirq: fix use without device tree and no interrupt Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 78/86] timer: Fix wheel index calculation on last level Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 79/86] MIPS: Fix build for LTS kernel caused by backporting lpj adjustment Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 80/86] hwmon: (emc2103) fix unable to change fan pwm1_enable attribute Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 81/86] dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 82/86] misc: atmel-ssc: lock with mutex instead of spinlock Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 83/86] arm64: ptrace: Override SPSR.SS when single-stepping is enabled Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 84/86] sched/fair: handle case of task_h_load() returning 0 Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 85/86] irqchip/gic: Atomically update affinity Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.9 86/86] x86/cpu: Move x86_cache_bits settings Greg Kroah-Hartman
2020-07-20 23:50 ` [PATCH 4.9 00/86] 4.9.231-rc1 review Shuah Khan
2020-07-21 10:14 ` Naresh Kamboju
2020-07-21 13:10 ` Thierry Reding
2020-07-21 13:15 ` Thierry Reding
2020-07-21 16:36 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200720152754.930710977@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=weiwan@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).