stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jakub Sitnicki <jakub@cloudflare.com>,
	John Fastabend <john.fastabend@gmail.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 09/91] bpf: sockmap, fix use after free from sleep in psock backlog workqueue
Date: Fri, 12 Jul 2019 14:18:12 +0200	[thread overview]
Message-ID: <20190712121621.912490271@linuxfoundation.org> (raw)
In-Reply-To: <20190712121621.422224300@linuxfoundation.org>

[ Upstream commit bd95e678e0f6e18351ecdc147ca819145db9ed7b ]

Backlog work for psock (sk_psock_backlog) might sleep while waiting
for memory to free up when sending packets. However, while sleeping
the socket may be closed and removed from the map by the user space
side.

This breaks an assumption in sk_stream_wait_memory, which expects the
wait queue to be still there when it wakes up resulting in a
use-after-free shown below. To fix his mark sendmsg as MSG_DONTWAIT
to avoid the sleep altogether. We already set the flag for the
sendpage case but we missed the case were sendmsg is used.
Sockmap is currently the only user of skb_send_sock_locked() so only
the sockmap paths should be impacted.

==================================================================
BUG: KASAN: use-after-free in remove_wait_queue+0x31/0x70
Write of size 8 at addr ffff888069a0c4e8 by task kworker/0:2/110

CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
Workqueue: events sk_psock_backlog
Call Trace:
 print_address_description+0x6e/0x2b0
 ? remove_wait_queue+0x31/0x70
 kasan_report+0xfd/0x177
 ? remove_wait_queue+0x31/0x70
 ? remove_wait_queue+0x31/0x70
 remove_wait_queue+0x31/0x70
 sk_stream_wait_memory+0x4dd/0x5f0
 ? sk_stream_wait_close+0x1b0/0x1b0
 ? wait_woken+0xc0/0xc0
 ? tcp_current_mss+0xc5/0x110
 tcp_sendmsg_locked+0x634/0x15d0
 ? tcp_set_state+0x2e0/0x2e0
 ? __kasan_slab_free+0x1d1/0x230
 ? kmem_cache_free+0x70/0x140
 ? sk_psock_backlog+0x40c/0x4b0
 ? process_one_work+0x40b/0x660
 ? worker_thread+0x82/0x680
 ? kthread+0x1b9/0x1e0
 ? ret_from_fork+0x1f/0x30
 ? check_preempt_curr+0xaf/0x130
 ? iov_iter_kvec+0x5f/0x70
 ? kernel_sendmsg_locked+0xa0/0xe0
 skb_send_sock_locked+0x273/0x3c0
 ? skb_splice_bits+0x180/0x180
 ? start_thread+0xe0/0xe0
 ? update_min_vruntime.constprop.27+0x88/0xc0
 sk_psock_backlog+0xb3/0x4b0
 ? strscpy+0xbf/0x1e0
 process_one_work+0x40b/0x660
 worker_thread+0x82/0x680
 ? process_one_work+0x660/0x660
 kthread+0x1b9/0x1e0
 ? __kthread_create_on_node+0x250/0x250
 ret_from_fork+0x1f/0x30

Fixes: 20bf50de3028c ("skbuff: Function to send an skbuf on a socket")
Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 8b5768113acd..9b9f696281a9 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2302,6 +2302,7 @@ int skb_send_sock_locked(struct sock *sk, struct sk_buff *skb, int offset,
 		kv.iov_base = skb->data + offset;
 		kv.iov_len = slen;
 		memset(&msg, 0, sizeof(msg));
+		msg.msg_flags = MSG_DONTWAIT;
 
 		ret = kernel_sendmsg_locked(sk, &msg, &kv, 1, slen);
 		if (ret <= 0)
-- 
2.20.1




  parent reply	other threads:[~2019-07-12 12:22 UTC|newest]

Thread overview: 99+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-12 12:18 [PATCH 4.19 00/91] 4.19.59-stable review Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 01/91] crypto: talitos - fix hash on SEC1 Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 02/91] crypto: talitos - rename alternative AEAD algos Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 03/91] soc: brcmstb: Fix error path for unsupported CPUs Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 04/91] soc: bcm: brcmstb: biuctrl: Register writes require a barrier Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 05/91] Input: elantech - enable middle button support on 2 ThinkPads Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 06/91] samples, bpf: fix to change the buffer size for read() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 07/91] samples, bpf: suppress compiler warning Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 08/91] mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he() Greg Kroah-Hartman
2019-07-12 12:18 ` Greg Kroah-Hartman [this message]
2019-07-12 12:18 ` [PATCH 4.19 10/91] soundwire: stream: fix out of boundary access on port properties Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 11/91] staging:iio:ad7150: fix threshold mode config bit Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 12/91] mac80211: mesh: fix RCU warning Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 13/91] mac80211: free peer keys before vif down in mesh Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 14/91] mwifiex: Fix possible buffer overflows at parsing bss descriptor Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 15/91] iwlwifi: Fix double-free problems in iwl_req_fw_callback() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 16/91] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 17/91] soundwire: intel: set dai min and max channels correctly Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 18/91] dt-bindings: can: mcp251x: add mcp25625 support Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 19/91] can: mcp251x: add support for mcp25625 Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 20/91] can: m_can: implement errata "Needless activation of MRAF irq" Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 21/91] can: af_can: Fix error path of can_init() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 22/91] net: phy: rename Asix Electronics PHY driver Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 23/91] ibmvnic: Do not close unopened driver during reset Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 24/91] ibmvnic: Refresh device multicast list after reset Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 25/91] ibmvnic: Fix unchecked return codes of memory allocations Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 26/91] ARM: dts: am335x phytec boards: Fix cd-gpios active level Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 27/91] s390/boot: disable address-of-packed-member warning Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 28/91] drm/vmwgfx: Honor the sg list segment size limitation Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 29/91] drm/vmwgfx: fix a warning due to missing dma_parms Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 30/91] riscv: Fix udelay in RV32 Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 31/91] Input: imx_keypad - make sure keyboard can always wake up system Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 32/91] KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 33/91] mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 34/91] ARM: davinci: da850-evm: call regulator_has_full_constraints() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 35/91] ARM: davinci: da8xx: specify dma_coherent_mask for lcdc Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 36/91] mac80211: only warn once on chanctx_conf being NULL Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 37/91] mac80211: do not start any work during reconfigure flow Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 38/91] bpf, devmap: Fix premature entry free on destroying map Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 39/91] bpf, devmap: Add missing bulk queue free Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 40/91] bpf, devmap: Add missing RCU read lock on flush Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 41/91] bpf, x64: fix stack layout of JITed bpf code Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 42/91] qmi_wwan: add support for QMAP padding in the RX path Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 43/91] qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 44/91] qmi_wwan: extend permitted QMAP mux_id value range Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 45/91] mmc: core: complete HS400 before checking status Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 46/91] md: fix for divide error in status_resync Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 47/91] bnx2x: Check if transceiver implements DDM before access Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 48/91] drm: return -EFAULT if copy_to_user() fails Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 49/91] ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 50/91] net: lio_core: fix potential sign-extension overflow on large shift Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 51/91] scsi: qedi: Check targetname while finding boot target information Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 52/91] quota: fix a problem about transfer quota Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 53/91] net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 54/91] NFS4: Only set creation opendata if O_CREAT Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 55/91] net :sunrpc :clnt :Fix xps refcount imbalance on the error path Greg Kroah-Hartman
2019-07-12 12:18 ` [PATCH 4.19 56/91] fscrypt: dont set policy for a dead directory Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 57/91] udf: Fix incorrect final NOT_ALLOCATED (hole) extent length Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 58/91] media: stv0297: fix frequency range limit Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 59/91] ALSA: usb-audio: Fix parse of UAC2 Extension Units Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 60/91] ALSA: hda/realtek - Headphone Mic cant record after S3 Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 61/91] block, bfq: NULL out the bic when its no longer valid Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 62/91] perf pmu: Fix uncore PMU alias list for ARM64 Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 63/91] x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg() Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 64/91] x86/tls: Fix possible spectre-v1 in do_get_thread_area() Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 65/91] Documentation: Add section about CPU vulnerabilities for Spectre Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 66/91] Documentation/admin: Remove the vsyscall=native documentation Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 67/91] mwifiex: Abort at too short BSS descriptor element Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 68/91] mwifiex: Dont abort on small, spec-compliant vendor IEs Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 69/91] USB: serial: ftdi_sio: add ID for isodebug v1 Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 70/91] USB: serial: option: add support for GosunCn ME3630 RNDIS mode Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 71/91] Revert "serial: 8250: Dont service RX FIFO if interrupts are disabled" Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 72/91] p54usb: Fix race between disconnect and firmware loading Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 73/91] usb: gadget: ether: Fix race between gether_disconnect and rx_submit Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 74/91] usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset() Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 75/91] usb: renesas_usbhs: add a workaround for a race condition of workqueue Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 76/91] drivers/usb/typec/tps6598x.c: fix portinfo width Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 77/91] drivers/usb/typec/tps6598x.c: fix 4CC cmd write Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 78/91] staging: comedi: dt282x: fix a null pointer deref on interrupt Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 79/91] staging: comedi: amplc_pci230: fix " Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 80/91] HID: Add another Primax PIXART OEM mouse quirk Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 81/91] lkdtm: support llvm-objcopy Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 82/91] binder: fix memory leak in error path Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 83/91] carl9170: fix misuse of device driver API Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 84/91] VMCI: Fix integer overflow in VMCI handle arrays Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 85/91] MIPS: Remove superfluous check for __linux__ Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 86/91] staging: fsl-dpaa2/ethsw: fix memory leak of switchdev_work Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 87/91] staging: bcm2835-camera: Replace spinlock protecting context_map with mutex Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 88/91] staging: bcm2835-camera: Ensure all buffers are returned on disable Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 89/91] staging: bcm2835-camera: Remove check of the number of buffers supplied Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 90/91] staging: bcm2835-camera: Handle empty EOS buffers whilst streaming Greg Kroah-Hartman
2019-07-12 12:19 ` [PATCH 4.19 91/91] staging: rtl8712: reduce stack usage, again Greg Kroah-Hartman
2019-07-12 13:36 ` [PATCH 4.19 00/91] 4.19.59-stable review Jon Hunter
2019-07-12 22:06 ` shuah
2019-07-12 23:53 ` kernelci.org bot
2019-07-13  1:50 ` Naresh Kamboju
2019-07-13 20:39 ` Luke Nowakowski-Krijger
2019-07-13 22:05 ` Guenter Roeck
2019-07-14  5:34 ` Kelsey Skunberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190712121621.912490271@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=daniel@iogearbox.net \
    --cc=jakub@cloudflare.com \
    --cc=john.fastabend@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).