Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-04 04:02:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
ebd8327fe7
linux-next/net/tipc
History
Kuniyuki Iwashima 6a2fa13312 tipc: Fix use-after-free of kernel socket in cleanup_bearer(). 
syzkaller reported a use-after-free of UDP kernel socket
in cleanup_bearer() without repro. [0][1]

When bearer_disable() calls tipc_udp_disable(), cleanup
of the UDP kernel socket is deferred by work calling
cleanup_bearer().

tipc_net_stop() waits for such works to finish by checking
tipc_net(net)->wq_count.  However, the work decrements the
count too early before releasing the kernel socket,
unblocking cleanup_net() and resulting in use-after-free.

Let's move the decrement after releasing the socket in
cleanup_bearer().

[0]:
ref_tracker: net notrefcnt@000000009b3d1faf has 1/1 users at
     sk_alloc+0x438/0x608
     inet_create+0x4c8/0xcb0
     __sock_create+0x350/0x6b8
     sock_create_kern+0x58/0x78
     udp_sock_create4+0x68/0x398
     udp_sock_create+0x88/0xc8
     tipc_udp_enable+0x5e8/0x848
     __tipc_nl_bearer_enable+0x84c/0xed8
     tipc_nl_bearer_enable+0x38/0x60
     genl_family_rcv_msg_doit+0x170/0x248
     genl_rcv_msg+0x400/0x5b0
     netlink_rcv_skb+0x1dc/0x398
     genl_rcv+0x44/0x68
     netlink_unicast+0x678/0x8b0
     netlink_sendmsg+0x5e4/0x898
     ____sys_sendmsg+0x500/0x830

[1]:
BUG: KMSAN: use-after-free in udp_hashslot include/net/udp.h:85 [inline]
BUG: KMSAN: use-after-free in udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
 udp_hashslot include/net/udp.h:85 [inline]
 udp_lib_unhash+0x3b8/0x930 net/ipv4/udp.c:1979
 sk_common_release+0xaf/0x3f0 net/core/sock.c:3820
 inet_release+0x1e0/0x260 net/ipv4/af_inet.c:437
 inet6_release+0x6f/0xd0 net/ipv6/af_inet6.c:489
 __sock_release net/socket.c:658 [inline]
 sock_release+0xa0/0x210 net/socket.c:686
 cleanup_bearer+0x42d/0x4c0 net/tipc/udp_media.c:819
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
 kthread+0x531/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

Uninit was created at:
 slab_free_hook mm/slub.c:2269 [inline]
 slab_free mm/slub.c:4580 [inline]
 kmem_cache_free+0x207/0xc40 mm/slub.c:4682
 net_free net/core/net_namespace.c:454 [inline]
 cleanup_net+0x16f2/0x19d0 net/core/net_namespace.c:647
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xcaf/0x1c90 kernel/workqueue.c:3310
 worker_thread+0xf6c/0x1510 kernel/workqueue.c:3391
 kthread+0x531/0x6b0 kernel/kthread.c:389
 ret_from_fork+0x60/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.12.0-rc1-00131-gf66ebf37d69c #7 91723d6f74857f70725e1583cba3cf4adc716cfa
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: events cleanup_bearer

Fixes: 26abe14379 ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20241127050512.28438-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2024-12-03 10:17:43 +01:00
..
addr.c tipc: introduce new unified address type for internal use 2021-03-17 11:51:04 -07:00
addr.h tipc: Remove unused function declarations 2023-08-03 12:51:45 +02:00
bcast.c net: tipc: avoid possible garbage value 2024-09-13 20:03:43 -07:00
bcast.h tipc: update a binding service via broadcast 2020-06-17 08:53:34 -07:00
bearer.c net/tipc: replace deprecated strcpy with strscpy 2024-08-29 12:33:14 -07:00
bearer.h tipc: Remove unused function declarations 2023-08-03 12:51:45 +02:00
core.c tipc: fix use-after-free Read in tipc_named_reinit 2022-06-17 11:39:10 +01:00
core.h tipc: Remove unused struct declaration 2024-07-12 03:41:32 +01:00
crypto.c tipc: fix a potential deadlock on &tx->lock 2023-10-04 13:24:12 -07:00
crypto.h net/tipc: fix tipc header files for kernel-doc 2020-12-01 15:37:41 -08:00
diag.c sock_diag: add module pointer to "struct sock_diag_handler" 2024-01-23 15:13:54 +01:00
discover.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
discover.h tipc: some cleanups in the file discover.c 2018-03-23 13:12:17 -04:00
eth_media.c tipc: constify dev_addr passing 2021-10-13 09:40:46 -07:00
group.c tipc: update address terminology in code 2020-11-27 17:34:01 -08:00
group.h tipc: update address terminology in code 2020-11-27 17:34:01 -08:00
ib_media.c tipc: constify dev_addr passing 2021-10-13 09:40:46 -07:00
Kconfig net: tipc: remove redundant 'bool' from CONFIG_TIPC_{MEDIA_UDP,CRYPTO} 2024-02-07 13:18:43 +00:00
link.c tipc: Consolidate redundant functions 2024-07-12 03:47:43 +01:00
link.h tipc: Remove unused declaration tipc_link_build_bc_sync_msg() 2023-08-09 13:03:14 -07:00
Makefile tipc: rename the module name diag to tipc_diag 2024-02-06 13:47:36 +01:00
monitor.c tipc: use min() to simplify the code 2024-08-26 09:48:53 -07:00
monitor.h tipc: update mon's self addr when node addr generated 2019-11-12 19:45:45 -08:00
msg.c tipc: fix a possible memleak in tipc_buf_append 2024-05-01 18:39:44 -07:00
msg.h net: tipc: remove unused static inlines 2022-01-27 13:53:27 +00:00
name_distr.c net/tipc: Remove unused struct distr_queue_item 2022-09-29 18:48:32 -07:00
name_distr.h tipc: Remove unused function declarations 2023-08-03 12:51:45 +02:00
name_table.c tipc: cleanup unused function 2022-06-17 11:43:57 +01:00
name_table.h tipc: cleanup unused function 2022-06-17 11:43:57 +01:00
net.c tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
net.h tipc: Remove unused function declarations 2023-08-03 12:51:45 +02:00
netlink_compat.c tipc: Remove redundant call to TLV_SPACE() 2023-11-17 02:27:27 +00:00
netlink.c tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING 2023-11-01 22:26:37 -07:00
netlink.h net: tipc: allocate attrs locally instead of using genl_family_attrbuf in compat_dumpit() 2019-10-06 15:44:47 +02:00
node.c tipc: force a dst refcount before doing decryption 2024-06-18 15:08:57 +02:00
node.h tipc: add automatic session key exchange 2020-09-18 13:58:37 -07:00
socket.c net/tipc: make use of the helper macro LIST_HEAD() 2024-09-06 18:10:21 -07:00
socket.h tipc: add stricter control of reserved service types 2020-10-30 08:19:18 -07:00
subscr.c tipc:subscr.c: fix a spelling mistake 2021-06-10 13:48:43 -07:00
subscr.h tipc: fix htmldoc and smatch warnings 2021-03-29 16:28:50 -07:00
sysctl.c net: Remove ctl_table sentinel elements from several networking subsystems 2024-05-03 13:29:42 +01:00
topsrv.c net/sock: Introduce trace_sk_data_ready() 2023-01-23 11:26:50 +00:00
topsrv.h tipc: rename tipc_server to tipc_topsrv 2018-02-16 15:26:34 -05:00
trace.c net/tipc: fix various kernel-doc warnings 2020-12-01 15:37:46 -08:00
trace.h tracing/treewide: Remove second parameter of __assign_str() 2024-05-22 20:14:47 -04:00
udp_media.c tipc: Fix use-after-free of kernel socket in cleanup_bearer(). 2024-12-03 10:17:43 +01:00
udp_media.h tipc: implement configuration of UDP media MTU 2018-04-20 11:04:05 -04:00