| Message ID | 20220620043508.3455616-1-william.xuanziyang@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 69135c572d1f84261a6de2a1268513a7e71753e2 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] net/tls: fix tls_sk_proto_close executed repeatedly | expand |
Hello: This patch was applied to netdev/net.git (master) by David S. Miller <davem@davemloft.net>: On Mon, 20 Jun 2022 12:35:08 +0800 you wrote: > After setting the sock ktls, update ctx->sk_proto to sock->sk_prot by > tls_update(), so now ctx->sk_proto->close is tls_sk_proto_close(). When > close the sock, tls_sk_proto_close() is called for sock->sk_prot->close > is tls_sk_proto_close(). But ctx->sk_proto->close() will be executed later > in tls_sk_proto_close(). Thus tls_sk_proto_close() executed repeatedly > occurred. That will trigger the following bug. > > [...] Here is the summary with links: - [net] net/tls: fix tls_sk_proto_close executed repeatedly https://git.kernel.org/netdev/net/c/69135c572d1f You are awesome, thank you!
On Mon, 20 Jun 2022 09:20:12 +0000 patchwork-bot+netdevbpf@kernel.org wrote: > On Mon, 20 Jun 2022 12:35:08 +0800 you wrote: > > After setting the sock ktls, update ctx->sk_proto to sock->sk_prot by > > tls_update(), so now ctx->sk_proto->close is tls_sk_proto_close(). When > > close the sock, tls_sk_proto_close() is called for sock->sk_prot->close > > is tls_sk_proto_close(). But ctx->sk_proto->close() will be executed later > > in tls_sk_proto_close(). Thus tls_sk_proto_close() executed repeatedly > > occurred. That will trigger the following bug. > > > > [...] > > Here is the summary with links: > - [net] net/tls: fix tls_sk_proto_close executed repeatedly > https://git.kernel.org/netdev/net/c/69135c572d1f No, this is not the right fix. The AF_UNIX restructuring has moved the ULP check too late. I'll send a revert and the correct fix.
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index da176411c1b5..46bd5f26338b 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -921,6 +921,9 @@ static void tls_update(struct sock *sk, struct proto *p, { struct tls_context *ctx; + if (sk->sk_prot == p) + return; + ctx = tls_get_ctx(sk); if (likely(ctx)) { ctx->sk_write_space = write_space;
After setting the sock ktls, update ctx->sk_proto to sock->sk_prot by tls_update(), so now ctx->sk_proto->close is tls_sk_proto_close(). When close the sock, tls_sk_proto_close() is called for sock->sk_prot->close is tls_sk_proto_close(). But ctx->sk_proto->close() will be executed later in tls_sk_proto_close(). Thus tls_sk_proto_close() executed repeatedly occurred. That will trigger the following bug. ================================================================= KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:tls_sk_proto_close+0xd8/0xaf0 net/tls/tls_main.c:306 Call Trace: <TASK> tls_sk_proto_close+0x356/0xaf0 net/tls/tls_main.c:329 inet_release+0x12e/0x280 net/ipv4/af_inet.c:428 __sock_release+0xcd/0x280 net/socket.c:650 sock_close+0x18/0x20 net/socket.c:1365 Updating a proto which is same with sock->sk_prot is incorrect. Add proto and sock->sk_prot equality check at the head of tls_update() to fix it. Fixes: 95fa145479fb ("bpf: sockmap/tls, close can race with map free") Reported-by: syzbot+29c3c12f3214b85ad081@syzkaller.appspotmail.com Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> --- net/tls/tls_main.c | 3 +++ 1 file changed, 3 insertions(+)