From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: John Fastabend <john.fastabend@gmail.com>, Jakub Sitnicki <jakub@cloudflare.com>, Daniel Borkmann <daniel@iogearbox.net>, Sasha Levin <sashal@kernel.org>, netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 03/35] bpf: sockmap, fix use after free from sleep in psock backlog workqueue
Date: Wed, 26 Jun 2019 20:38:51 -0400
Message-ID: <20190627003925.21330-3-sashal@kernel.org>
In-Reply-To: <20190627003925.21330-1-sashal@kernel.org>
From: John Fastabend <john.fastabend@gmail.com>

[ Upstream commit bd95e678e0f6e18351ecdc147ca819145db9ed7b ]

Backlog work for psock (sk_psock_backlog) might sleep while waiting for
memory to free up when sending packets. However, while sleeping the socket
may be closed and removed from the map by the user space side.

This breaks an assumption in sk_stream_wait_memory, which expects the wait
queue to be still there when it wakes up resulting in a use-after-free
shown below. To fix this mark sendmsg as MSG_DONTWAIT to avoid the sleep
altogether. We already set the flag for the sendpage case but we missed
the case where sendmsg is used.

Sockmap is currently the only user of skb_send_sock_locked() so only the
sockmap paths should be impacted.

==================================================================
BUG: KASAN: use-after-free in remove_wait_queue+0x31/0x70
Write of size 8 at addr ffff888069a0c4e8 by task kworker/0:2/110

CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
Workqueue: events sk_psock_backlog
Call Trace:
 print_address_description+0x6e/0x2b0
 ? remove_wait_queue+0x31/0x70
 kasan_report+0xfd/0x177
 ? remove_wait_queue+0x31/0x70
 ? remove_wait_queue+0x31/0x70
 remove_wait_queue+0x31/0x70
 sk_stream_wait_memory+0x4dd/0x5f0
 ? sk_stream_wait_close+0x1b0/0x1b0
 ? wait_woken+0xc0/0xc0
 ? tcp_current_mss+0xc5/0x110
 tcp_sendmsg_locked+0x634/0x15d0
 ? tcp_set_state+0x2e0/0x2e0
 ? __kasan_slab_free+0x1d1/0x230
 ? kmem_cache_free+0x70/0x140
 ? sk_psock_backlog+0x40c/0x4b0
 ? process_one_work+0x40b/0x660
 ? worker_thread+0x82/0x680
 ? kthread+0x1b9/0x1e0
 ? ret_from_fork+0x1f/0x30
 ? check_preempt_curr+0xaf/0x130
 ? iov_iter_kvec+0x5f/0x70
 ? kernel_sendmsg_locked+0xa0/0xe0
 skb_send_sock_locked+0x273/0x3c0
 ? skb_splice_bits+0x180/0x180
 ? start_thread+0xe0/0xe0
 ? update_min_vruntime.constprop.27+0x88/0xc0
 sk_psock_backlog+0xb3/0x4b0
 ? strscpy+0xbf/0x1e0
 process_one_work+0x40b/0x660
 worker_thread+0x82/0x680
 ? process_one_work+0x660/0x660
 kthread+0x1b9/0x1e0
 ? __kthread_create_on_node+0x250/0x250
 ret_from_fork+0x1f/0x30

Fixes: 20bf50de3028c ("skbuff: Function to send an skbuf on a socket")
Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 2b3b0307dd89..6d9fd7d4bdfa 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2299,6 +2299,7 @@ int skb_send_sock_locked(struct sock *sk, struct sk_buff *skb, int offset, kv.iov_base = skb->data + offset; kv.iov_len = slen; memset(&msg, 0, sizeof(msg)); + msg.msg_flags = MSG_DONTWAIT; ret = kernel_sendmsg_locked(sk, &msg, &kv, 1, slen); if (ret <= 0) -- 2.20.1
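Review bot: Setting MSG_DONTWAIT in the kvec branch of skb_send_sock_locked() changes what the `if (ret <= 0)` check at the end of the hunk will see: kernel_sendmsg_locked() now returns -EAGAIN when the socket send buffer is full, and that is handed back to the caller as an error instead of being waited out in sk_stream_wait_memory(). The commit message says the sendpage branch already passes MSG_DONTWAIT, so the two branches become consistent, but since the hunk changes nothing on the caller side, please confirm for the 4.14 backport that the sockmap backlog worker in this tree treats -EAGAIN from skb_send_sock_locked() as "keep the skb and retry later" rather than as a failed send, otherwise the fix trades a use-after-free for silently dropped data under backpressure. A one-line comment above `msg.msg_flags = MSG_DONTWAIT;` noting that this function must never sleep because the socket can be closed and freed from under the worker would keep the next change from reintroducing a blocking wait here.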
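The race the commit message describes, as an added, constructed model (not kernel code, not part of this patch or message): a backlog worker pushes bytes into a socket whose send buffer fills up; in blocking mode it links onto the socket's wait queue and sleeps, the application closes and frees the socket during the sleep, and the wake-up path writes to the freed wait queue head; in non-blocking mode the send returns -EAGAIN and the worker is simply rescheduled. The struct, function names, the 4096-byte buffer, 1500-byte chunks and 10000-byte payload are assumptions chosen for the simulation; nothing is actually freed, a flag stands in for the freed object and a second flag for the KASAN report.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not kernel code): a socket with a bounded send buffer
 * and an intrusive wait queue head. Nothing is really freed; `freed` stands
 * in for the object being gone and `uaf_seen` for the KASAN splat. */
struct sim_sock {
	size_t sndbuf_cap;   /* bytes the send buffer can hold (assumed 4096) */
	size_t sndbuf_used;  /* bytes queued, waiting for the peer to ACK */
	int    waiters;      /* entries linked on the socket's wait queue head */
	bool   freed;        /* set by close(); any later access is a UAF */
	bool   uaf_seen;     /* recorded instead of corrupting memory */
};

enum { SEND_BLOCKING = 0, SEND_DONTWAIT = 1 };  /* stands in for MSG_DONTWAIT */

/* Touch the wait queue head the way remove_wait_queue() does. */
static void wait_queue_access(struct sim_sock *sk)
{
	if (sk->freed)
		sk->uaf_seen = true;
}

/* The event that races with the sleeping worker. */
static void user_closes_socket(struct sim_sock *sk)
{
	sk->freed = true;
}

/* Per-chunk send, modelled on the kvec branch of skb_send_sock_locked().
 * Without DONTWAIT it behaves like sk_stream_wait_memory(): link onto the
 * wait queue, sleep until space appears, unlink. The sleep is the window
 * in which the close lands. With DONTWAIT it returns -EAGAIN instead. */
static long sim_sendmsg(struct sim_sock *sk, size_t len, int flags)
{
	if (sk->freed)
		return -EPIPE;
	if (sk->sndbuf_used + len <= sk->sndbuf_cap) {
		sk->sndbuf_used += len;
		return (long)len;
	}
	if (flags & SEND_DONTWAIT)
		return -EAGAIN;			/* let the caller reschedule */

	sk->waiters++;				/* add_wait_queue() */
	user_closes_socket(sk);			/* ...while we sleep */
	wait_queue_access(sk);			/* remove_wait_queue() on freed memory */
	sk->waiters--;
	return -EPIPE;
}

/* Backlog worker, modelled on sk_psock_backlog(): drain *pending bytes in
 * chunks. Returns 0 when everything was queued, -EAGAIN when the worker
 * should stop and run again later with the bytes left in *pending, or
 * another negative errno for a dead socket. */
static int backlog_drain(struct sim_sock *sk, size_t *pending, size_t chunk, int flags)
{
	while (*pending > 0) {
		size_t len = *pending < chunk ? *pending : chunk;
		long ret = sim_sendmsg(sk, len, flags);

		if (ret < 0)
			return (int)ret;
		*pending -= (size_t)ret;
	}
	return 0;
}

/* Push 10000 bytes through a 4096-byte buffer in 1500-byte chunks (assumed
 * sizes). -EAGAIN is handled the way a workqueue would: come back once the
 * peer has ACKed and the buffer is empty again. */
static int run_scenario(int flags, bool *uaf, size_t *left)
{
	struct sim_sock sk = { .sndbuf_cap = 4096 };
	size_t pending = 10000;
	int rounds = 0;
	int ret = backlog_drain(&sk, &pending, 1500, flags);

	while (ret == -EAGAIN && !sk.freed && rounds++ < 16) {
		sk.sndbuf_used = 0;		/* peer ACKed everything */
		ret = backlog_drain(&sk, &pending, 1500, flags);
	}
	*uaf = sk.uaf_seen;
	*left = pending;
	return ret;
}

int main(void)
{
	bool uaf;
	size_t left;
	int ret;

	ret = run_scenario(SEND_BLOCKING, &uaf, &left);
	printf("blocking: ret=%d uaf=%d unsent=%zu\n", ret, uaf, left);
	ret = run_scenario(SEND_DONTWAIT, &uaf, &left);
	printf("dontwait: ret=%d uaf=%d unsent=%zu\n", ret, uaf, left);
	return 0;
}
```

In the blocking run the worker touches the freed wait queue head and gives up with 7000 bytes unsent; in the DONTWAIT run it sees -EAGAIN three times, is rescheduled each time, and finishes with nothing unsent and no access to freed memory. The point the patch makes is the second half: once the send can no longer block, correctness depends on the caller treating -EAGAIN as "retry later" rather than as a failure.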