John Fastabend bd95e678e0 bpf: sockmap, fix use after free from sleep in psock backlog workqueue ... Backlog work for psock (sk_psock_backlog) might sleep while waiting for memory to free up when sending packets. However, while sleeping the socket may be closed and removed from the map by the user space side. This breaks an assumption in sk_stream_wait_memory, which expects the wait queue to be still there when it wakes up resulting in a use-after-free shown below. To fix his mark sendmsg as MSG_DONTWAIT to avoid the sleep altogether. We already set the flag for the sendpage case but we missed the case were sendmsg is used. Sockmap is currently the only user of skb_send_sock_locked() so only the sockmap paths should be impacted. ================================================================== BUG: KASAN: use-after-free in remove_wait_queue+0x31/0x70 Write of size 8 at addr ffff888069a0c4e8 by task kworker/0:2/110 CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014 Workqueue: events sk_psock_backlog Call Trace: print_address_description+0x6e/0x2b0 ? remove_wait_queue+0x31/0x70 kasan_report+0xfd/0x177 ? remove_wait_queue+0x31/0x70 ? remove_wait_queue+0x31/0x70 remove_wait_queue+0x31/0x70 sk_stream_wait_memory+0x4dd/0x5f0 ? sk_stream_wait_close+0x1b0/0x1b0 ? wait_woken+0xc0/0xc0 ? tcp_current_mss+0xc5/0x110 tcp_sendmsg_locked+0x634/0x15d0 ? tcp_set_state+0x2e0/0x2e0 ? __kasan_slab_free+0x1d1/0x230 ? kmem_cache_free+0x70/0x140 ? sk_psock_backlog+0x40c/0x4b0 ? process_one_work+0x40b/0x660 ? worker_thread+0x82/0x680 ? kthread+0x1b9/0x1e0 ? ret_from_fork+0x1f/0x30 ? check_preempt_curr+0xaf/0x130 ? iov_iter_kvec+0x5f/0x70 ? kernel_sendmsg_locked+0xa0/0xe0 skb_send_sock_locked+0x273/0x3c0 ? skb_splice_bits+0x180/0x180 ? start_thread+0xe0/0xe0 ? update_min_vruntime.constprop.27+0x88/0xc0 sk_psock_backlog+0xb3/0x4b0 ? strscpy+0xbf/0x1e0 process_one_work+0x40b/0x660 worker_thread+0x82/0x680 ? process_one_work+0x660/0x660 kthread+0x1b9/0x1e0 ? __kthread_create_on_node+0x250/0x250 ret_from_fork+0x1f/0x30 Fixes: 20bf50de30 ("skbuff: Function to send an skbuf on a socket") Reported-by: Jakub Sitnicki <jakub@cloudflare.com> Tested-by: Jakub Sitnicki <jakub@cloudflare.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>		2019-05-24 23:18:42 +02:00
..
6lowpan	6lowpan: Off by one handling ->nexthdr	2019-04-23 19:09:58 +02:00
9p	9p/net: fix memory leak in p9_client_create	2019-03-13 11:50:04 +01:00
802
8021q	vlan: Mark expected switch fall-through	2019-05-20 11:38:55 -07:00
appletalk	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2019-05-02 22:14:21 -04:00
atm	net: atm: clean up a range check	2019-05-05 10:25:52 -07:00
ax25	net: ax25: fix misuse of %x	2019-04-21 10:37:26 -07:00
batman-adv	This feature/cleanup patchset includes the following patches:	2019-05-09 09:44:17 -07:00
bluetooth	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next	2019-05-07 22:03:58 -07:00
bpf	bpf: Introduce bpf sk local storage	2019-04-27 09:07:04 -07:00
bpfilter	treewide: prefix header search paths with $(srctree)/	2019-05-18 11:49:57 +09:00
bridge	Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf	2019-05-13 08:55:15 -07:00
caif	net: caif: fix the value of size argument of snprintf	2019-05-17 11:31:15 -07:00
can	netlink: make validation more configurable for future strictness	2019-04-27 17:07:21 -04:00
ceph	AFS fixes	2019-05-16 17:00:13 -07:00
core	bpf: sockmap, fix use after free from sleep in psock backlog workqueue	2019-05-24 23:18:42 +02:00
dcb	netlink: make validation more configurable for future strictness	2019-04-27 17:07:21 -04:00
dccp	net: dccp : proto: remove Unneeded variable "err"	2019-05-12 13:21:30 -07:00
decnet	netlink: make validation more configurable for future strictness	2019-04-27 17:07:21 -04:00
dns_resolver	dns_resolver: Allow used keys to be invalidated	2019-05-15 17:35:54 +01:00
dsa	net: dsa: Initialize DSA_SKB_CB(skb)->deferred_xmit variable	2019-05-12 13:19:46 -07:00
ethernet	net: ethernet: support of_get_mac_address new ERR_PTR error	2019-05-07 12:22:47 -07:00
hsr	genetlink: optionally validate strictly/dumps	2019-04-27 17:07:22 -04:00
ieee802154	genetlink: optionally validate strictly/dumps	2019-04-27 17:07:22 -04:00
ife
ipv4	net: Treat sock->sk_drops as an unsigned int when printing	2019-05-19 10:31:10 -07:00
ipv6	net: Treat sock->sk_drops as an unsigned int when printing	2019-05-19 10:31:10 -07:00
iucv
kcm	kcm: switch order of device registration to fix a crash	2019-04-01 14:59:20 -07:00
key	xfrm: clean up xfrm protocol checks	2019-03-26 08:35:36 +01:00
l2tp	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2019-05-07 17:22:09 -07:00
l3mdev
lapb
llc	llc: Check address length before reading address field	2019-04-12 10:25:03 -07:00
mac80211	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2019-05-02 22:14:21 -04:00
mac802154
mpls	netlink: make validation more configurable for future strictness	2019-04-27 17:07:21 -04:00
ncsi	genetlink: optionally validate strictly/dumps	2019-04-27 17:07:22 -04:00
netfilter	net: replace CONFIG_DEBUG_KERNEL with CONFIG_DEBUG_MISC	2019-05-14 19:52:50 -07:00
netlabel	genetlink: optionally validate strictly/dumps	2019-04-27 17:07:22 -04:00
netlink	net: Treat sock->sk_drops as an unsigned int when printing	2019-05-19 10:31:10 -07:00
netrom	net: rework SIOCGSTAMP ioctl handling	2019-04-19 14:07:40 -07:00
nfc	genetlink: optionally validate strictly/dumps	2019-04-27 17:07:22 -04:00
nsh
openvswitch	openvswitch: Replace removed NF_NAT_NEEDED with IS_ENABLED(CONFIG_NF_NAT)	2019-05-08 09:43:15 -07:00
packet	packet: Fix error path in packet_init	2019-05-09 13:45:46 -07:00
phonet	net: Treat sock->sk_drops as an unsigned int when printing	2019-05-19 10:31:10 -07:00
psample	genetlink: optionally validate strictly/dumps	2019-04-27 17:07:22 -04:00
qrtr	net: qrtr: Fix message type of outgoing packets	2019-05-20 20:50:31 -04:00
rds	mm/gup: change GUP fast to use flags rather than a write 'bool'	2019-05-14 09:47:46 -07:00
rfkill	*: convert stream-like files from nonseekable_open -> stream_open	2019-05-06 17:46:41 +03:00
rose	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2019-04-25 23:52:29 -04:00
rxrpc	rxrpc: Allow the kernel to mark a call as being non-interruptible	2019-05-16 16:25:20 +01:00
sched	net/sched: avoid double free on matchall reoffload	2019-05-08 16:34:58 -07:00
sctp	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next	2019-05-07 22:03:58 -07:00
smc	5.2 Merge Window pull request	2019-05-09 09:02:46 -07:00
strparser	net: strparser: make it explicitly non-modular	2019-04-22 21:50:54 -07:00
sunrpc	This pull consists mostly of nfsd container work:	2019-05-15 18:21:43 -07:00
switchdev	switchdev: Remove unused transaction item queue	2019-03-01 21:35:19 -08:00
tipc	tipc: fix modprobe tipc failed after switch order of device registration	2019-05-20 10:45:43 -07:00
tls	net/tls: handle errors from padding_length()	2019-05-09 16:37:39 -07:00
unix	datagram: remove rendundant 'peeked' argument	2019-04-08 09:51:54 -07:00
vmw_vsock	vsock/virtio: Initialize core virtio vsock before registering the driver	2019-05-18 10:50:28 -07:00
wimax	genetlink: optionally validate strictly/dumps	2019-04-27 17:07:22 -04:00
wireless	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next	2019-05-07 22:03:58 -07:00
x25	net: rework SIOCGSTAMP ioctl handling	2019-04-19 14:07:40 -07:00
xdp	mm/gup: replace get_user_pages_longterm() with FOLL_LONGTERM	2019-05-14 09:47:45 -07:00
xfrm	xfrm: ressurrect "Fix uninitialized memory read in _decode_session4"	2019-05-16 14:14:47 -07:00
compat.c	net: rework SIOCGSTAMP ioctl handling	2019-04-19 14:07:40 -07:00
Kconfig	net: devlink: select NET_DEVLINK from drivers	2019-03-24 14:55:31 -04:00
Makefile	net: split out functions related to registering inflight socket files	2019-02-28 08:24:23 -07:00
socket.c	net: fix kernel-doc warnings for socket.c	2019-05-19 10:33:22 -07:00
sysctl_net.c