Stable Archive on lore.kernel.org
 help / color / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Santosh Shilimkar <santosh.shilimkar@oracle.com>,
	Hulk Robot <hulkci@huawei.com>, Mao Wenan <maowenan@huawei.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 21/69] net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().
Date: Mon, 15 Apr 2019 20:58:39 +0200
Message-ID: <20190415183730.348122928@linuxfoundation.org> (raw)
In-Reply-To: <20190415183726.036654568@linuxfoundation.org>

From: Mao Wenan <maowenan@huawei.com>

[ Upstream commit cb66ddd156203daefb8d71158036b27b0e2caf63 ]

When it is to cleanup net namespace, rds_tcp_exit_net() will call
rds_tcp_kill_sock(), if t_sock is NULL, it will not call
rds_conn_destroy(), rds_conn_path_destroy() and rds_tcp_conn_free() to free
connection, and the worker cp_conn_w is not stopped, afterwards the net is freed in
net_drop_ns(); While cp_conn_w rds_connect_worker() will call rds_tcp_conn_path_connect()
and reference 'net' which has already been freed.

In rds_tcp_conn_path_connect(), rds_tcp_set_callbacks() will set t_sock = sock before
sock->ops->connect, but if connect() is failed, it will call
rds_tcp_restore_callbacks() and set t_sock = NULL, if connect is always
failed, rds_connect_worker() will try to reconnect all the time, so
rds_tcp_kill_sock() will never to cancel worker cp_conn_w and free the
connections.

Therefore, the condition !tc->t_sock is not needed if it is going to do
cleanup_net->rds_tcp_exit_net->rds_tcp_kill_sock, because tc->t_sock is always
NULL, and there is on other path to cancel cp_conn_w and free
connection. So this patch is to fix this.

rds_tcp_kill_sock():
...
if (net != c_net || !tc->t_sock)
...
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>

==================================================================
BUG: KASAN: use-after-free in inet_create+0xbcc/0xd28
net/ipv4/af_inet.c:340
Read of size 4 at addr ffff8003496a4684 by task kworker/u8:4/3721

CPU: 3 PID: 3721 Comm: kworker/u8:4 Not tainted 5.1.0 #11
Hardware name: linux,dummy-virt (DT)
Workqueue: krdsd rds_connect_worker
Call trace:
 dump_backtrace+0x0/0x3c0 arch/arm64/kernel/time.c:53
 show_stack+0x28/0x38 arch/arm64/kernel/traps.c:152
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x120/0x188 lib/dump_stack.c:113
 print_address_description+0x68/0x278 mm/kasan/report.c:253
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x21c/0x348 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x30/0x40 mm/kasan/report.c:429
 inet_create+0xbcc/0xd28 net/ipv4/af_inet.c:340
 __sock_create+0x4f8/0x770 net/socket.c:1276
 sock_create_kern+0x50/0x68 net/socket.c:1322
 rds_tcp_conn_path_connect+0x2b4/0x690 net/rds/tcp_connect.c:114
 rds_connect_worker+0x108/0x1d0 net/rds/threads.c:175
 process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
 worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
 kthread+0x2f0/0x378 kernel/kthread.c:255
 ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117

Allocated by task 687:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xd4/0x180 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x14/0x20 mm/kasan/kasan.c:490
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slub.c:2705 [inline]
 slab_alloc mm/slub.c:2713 [inline]
 kmem_cache_alloc+0x14c/0x388 mm/slub.c:2718
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 net_alloc net/core/net_namespace.c:384 [inline]
 copy_net_ns+0xc4/0x2d0 net/core/net_namespace.c:424
 create_new_namespaces+0x300/0x658 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xa0/0x198 kernel/nsproxy.c:206
 ksys_unshare+0x340/0x628 kernel/fork.c:2577
 __do_sys_unshare kernel/fork.c:2645 [inline]
 __se_sys_unshare kernel/fork.c:2643 [inline]
 __arm64_sys_unshare+0x38/0x58 kernel/fork.c:2643
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:47 [inline]
 el0_svc_common+0x168/0x390 arch/arm64/kernel/syscall.c:83
 el0_svc_handler+0x60/0xd0 arch/arm64/kernel/syscall.c:129
 el0_svc+0x8/0xc arch/arm64/kernel/entry.S:960

Freed by task 264:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x114/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0x10/0x18 mm/kasan/kasan.c:528
 slab_free_hook mm/slub.c:1370 [inline]
 slab_free_freelist_hook mm/slub.c:1397 [inline]
 slab_free mm/slub.c:2952 [inline]
 kmem_cache_free+0xb8/0x3a8 mm/slub.c:2968
 net_free net/core/net_namespace.c:400 [inline]
 net_drop_ns.part.6+0x78/0x90 net/core/net_namespace.c:407
 net_drop_ns net/core/net_namespace.c:406 [inline]
 cleanup_net+0x53c/0x6d8 net/core/net_namespace.c:569
 process_one_work+0x6e8/0x1700 kernel/workqueue.c:2153
 worker_thread+0x3b0/0xdd0 kernel/workqueue.c:2296
 kthread+0x2f0/0x378 kernel/kthread.c:255
 ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:1117

The buggy address belongs to the object at ffff8003496a3f80
 which belongs to the cache net_namespace of size 7872
The buggy address is located 1796 bytes inside of
 7872-byte region [ffff8003496a3f80, ffff8003496a5e40)
The buggy address belongs to the page:
page:ffff7e000d25a800 count:1 mapcount:0 mapping:ffff80036ce4b000
index:0x0 compound_mapcount: 0
flags: 0xffffe0000008100(slab|head)
raw: 0ffffe0000008100 dead000000000100 dead000000000200 ffff80036ce4b000
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8003496a4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8003496a4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8003496a4680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8003496a4700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8003496a4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 467fa15356ac("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/tcp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -530,7 +530,7 @@ static void rds_tcp_kill_sock(struct net
 	list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
 		struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
 
-		if (net != c_net || !tc->t_sock)
+		if (net != c_net)
 			continue;
 		if (!list_has_conn(&tmp_list, tc->t_cpath->cp_conn)) {
 			list_move_tail(&tc->t_tcp_node, &tmp_list);



  parent reply index

Thread overview: 88+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-15 18:58 [PATCH 4.14 00/69] 4.14.112-stable review Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 01/69] net: sfp: move sfp_register_socket call from sfp_remove to sfp_probe Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 02/69] x86/power: Fix some ordering bugs in __restore_processor_context() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 03/69] x86/power/64: Use struct desc_ptr for the IDT in struct saved_context Greg Kroah-Hartman
2019-04-15 20:07   ` Pavel Machek
2019-04-15 18:58 ` [PATCH 4.14 04/69] x86/power/32: Move SYSENTER MSR restoration to fix_processor_context() Greg Kroah-Hartman
2019-04-15 20:07   ` Pavel Machek
2019-04-15 22:07     ` Sasha Levin
2019-04-15 18:58 ` [PATCH 4.14 05/69] x86/power: Make restore_processor_context() sane Greg Kroah-Hartman
2019-04-15 20:04   ` Pavel Machek
2019-04-15 20:18     ` Andy Lutomirski
2019-04-16 11:56       ` Pavel Machek
2019-04-16 13:22         ` Sasha Levin
2019-04-15 18:58 ` [PATCH 4.14 06/69] drm/i915/gvt: do not let pin count of shadow mm go negative Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 07/69] powerpc/tm: Limit TM code inside PPC_TRANSACTIONAL_MEM Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 08/69] kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 09/69] x86: vdso: Use $LD instead of $CC to link Greg Kroah-Hartman
2019-04-26 11:41   ` Rantala, Tommi T. (Nokia - FI/Espoo)
2019-04-26 12:48     ` Nathan Chancellor
2019-04-26 13:23       ` Rantala, Tommi T. (Nokia - FI/Espoo)
2019-04-26 13:34         ` Nathan Chancellor
2019-04-27 13:54           ` gregkh
2019-04-15 18:58 ` [PATCH 4.14 10/69] x86/vdso: Drop implicit common-page-size linker flag Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 11/69] lib/string.c: implement a basic bcmp Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 12/69] stating: ccree: revert "staging: ccree: fix leak of import() after init()" Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 13/69] arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 14/69] tty: mark Siemens R3964 line discipline as BROKEN Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 15/69] tty: ldisc: add sysctl to prevent autoloading of ldiscs Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 16/69] ipv6: Fix dangling pointer when ipv6 fragment Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 17/69] ipv6: sit: reset ip header pointer in ipip6_rcv Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 18/69] kcm: switch order of device registration to fix a crash Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 19/69] net-gro: Fix GRO flush when receiving a GSO packet Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 20/69] net/mlx5: Decrease default mr cache size Greg Kroah-Hartman
2019-04-15 18:58 ` Greg Kroah-Hartman [this message]
2019-04-15 18:58 ` [PATCH 4.14 22/69] net/sched: fix ->get helper of the matchall cls Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 23/69] openvswitch: fix flow actions reallocation Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 24/69] qmi_wwan: add Olicard 600 Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 25/69] sctp: initialize _pad of sockaddr_in before copying to user memory Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 26/69] tcp: Ensure DCTCP reacts to losses Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 27/69] vrf: check accept_source_route on the original netdevice Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 28/69] net/mlx5e: Fix error handling when refreshing TIRs Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 29/69] net/mlx5e: Add a lock on tir list Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 30/69] nfp: validate the return code from dev_queue_xmit() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 31/69] bnxt_en: Improve RX consumer index validity check Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 32/69] bnxt_en: Reset device on RX buffer errors Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 33/69] net/sched: act_sample: fix divide by zero in the traffic path Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 34/69] netns: provide pure entropy for net_hash_mix() Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 35/69] net: ethtool: not call vzalloc for zero sized memory request Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 36/69] ALSA: seq: Fix OOB-reads from strlcpy Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 37/69] ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 38/69] hv_netvsc: Fix unwanted wakeup after tx_disable Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 39/69] arm64: dts: rockchip: fix rk3328 sdmmc0 write errors Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 40/69] parisc: Detect QEMU earlier in boot process Greg Kroah-Hartman
2019-04-15 18:58 ` [PATCH 4.14 41/69] parisc: regs_return_value() should return gpr28 Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 42/69] alarmtimer: Return correct remaining time Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 43/69] drm/udl: add a release method and delay modeset teardown Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 44/69] include/linux/bitrev.h: fix constant bitrev Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 45/69] ASoC: fsl_esai: fix channel swap issue when stream starts Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 46/69] Btrfs: do not allow trimming when a fs is mounted with the nologreplay option Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 47/69] btrfs: prop: fix zstd compression parameter validation Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 48/69] btrfs: prop: fix vanished compression property after failed set Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 49/69] block: do not leak memory in bio_copy_user_iov() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 50/69] block: fix the return errno for direct IO Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 51/69] genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 52/69] genirq: Initialize request_mutex if CONFIG_SPARSE_IRQ=n Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 53/69] virtio: Honour may_reduce_num in vring_create_virtqueue Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 54/69] ARM: dts: am335x-evmsk: Correct the regulators for the audio codec Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 55/69] ARM: dts: am335x-evm: " Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 56/69] ARM: dts: at91: Fix typo in ISC_D0 on PC9 Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 57/69] arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 58/69] arm64: dts: rockchip: fix rk3328 rgmii high tx error rate Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 59/69] arm64: backtrace: Dont bother trying to unwind the userspace stack Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 60/69] xen: Prevent buffer overflow in privcmd ioctl Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 61/69] sched/fair: Do not re-read ->h_load_next during hierarchical load calculation Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 62/69] xtensa: fix return_address Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 63/69] x86/perf/amd: Resolve race condition when disabling PMC Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 64/69] x86/perf/amd: Resolve NMI latency issues for active PMCs Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 65/69] x86/perf/amd: Remove need to check "running" bit in NMI handler Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 66/69] PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 67/69] dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 68/69] arm64: dts: rockchip: fix vcc_host1_5v pin assign on rk3328-rock64 Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 4.14 69/69] arm64: dts: rockchip: Fix vcc_host1_5v GPIO polarity " Greg Kroah-Hartman
2019-04-16  0:04 ` [PATCH 4.14 00/69] 4.14.112-stable review kernelci.org bot
2019-04-16  4:29 ` Naresh Kamboju
2019-04-16 10:33 ` Jon Hunter
2019-04-16 16:30 ` Guenter Roeck
2019-04-16 21:40 ` shuah
2019-04-16 22:17 ` Bharath Vedartham

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190415183730.348122928@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=hulkci@huawei.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maowenan@huawei.com \
    --cc=santosh.shilimkar@oracle.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org
	public-inbox-index stable

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git