From patchwork Tue May 7 17:00:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kuniyuki Iwashima X-Patchwork-Id: 13657498 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp-fw-6002.amazon.com (smtp-fw-6002.amazon.com [52.95.49.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9017B8F72 for ; Tue, 7 May 2024 17:00:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=52.95.49.90 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715101235; cv=none; b=OazYTK5RLYFNp+SixbBo26p7k02lVDcabCUp6vguHlAm6nC8Dc0K0KxcDt3ucwiQLQMpZNIfk3dbgLzzCuPGHFbPxKBCxvZWjxJ66g/4TT/h82cF8dKIJFPYNeTs99ozXdrwPoSxZJeV6a1rmSkpp6/wwW3BnZGp+gsPScYz/yU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715101235; c=relaxed/simple; bh=bd1WETvsO6CABJ7voIvj/JpiKukCC3goOgjQ9dlnzII=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=NrYZrVdqa+en0JrvCaoCHvnzU7t7v796aHsv1Ct0iYsQigXx8gqqQnI1DQWl01zkKQI8bnGzaVt2X6sUmIpsvwZabdlUIZDPu/c/6rTrZjENJYWtuGOcikkqw15cVJC7LbYruE2QV98yTfHHCG+nf0XGNou8e/DTGhZn/Z5VjsQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amazon.com; spf=pass smtp.mailfrom=amazon.co.jp; dkim=pass (1024-bit key) header.d=amazon.com header.i=@amazon.com header.b=G5BU7uP+; arc=none smtp.client-ip=52.95.49.90 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amazon.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=amazon.co.jp Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=amazon.com header.i=@amazon.com header.b="G5BU7uP+" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1715101234; x=1746637234; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=iTJPLwcSvpddjq1vZWHCBlinu7Uj4V26SH4eg3ZZLp8=; b=G5BU7uP+9QIqfkt7FDUDkjPPuaAU78XNOgLsmqJTmy3ipP2p6ia8Noy2 Y0WODEydc+6qql0G0ClNx9GH7I+GxOg+YuALrGDMJa1EAZwGRF5qzkeXG 9yR/oykC0VtjjPFtyGbiyS3nl1YmuQ+MJFxOWz9Jhu2r+91CQ0YTekXB3 E=; X-IronPort-AV: E=Sophos;i="6.08,142,1712620800"; d="scan'208";a="405360025" Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.43.8.6]) by smtp-border-fw-6002.iad6.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 May 2024 17:00:31 +0000 Received: from EX19MTAUWC002.ant.amazon.com [10.0.21.151:13892] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.2.103:2525] with esmtp (Farcaster) id 2c5717e5-fa9b-46d9-9c3c-02218988cc8a; Tue, 7 May 2024 17:00:30 +0000 (UTC) X-Farcaster-Flow-ID: 2c5717e5-fa9b-46d9-9c3c-02218988cc8a Received: from EX19D004ANA001.ant.amazon.com (10.37.240.138) by EX19MTAUWC002.ant.amazon.com (10.250.64.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Tue, 7 May 2024 17:00:30 +0000 Received: from 88665a182662.ant.amazon.com (10.187.170.27) by EX19D004ANA001.ant.amazon.com (10.37.240.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Tue, 7 May 2024 17:00:27 +0000 From: Kuniyuki Iwashima To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni CC: Kuniyuki Iwashima , Kuniyuki Iwashima , , Billy Jheng Bing-Jhong Subject: [PATCH v1 net] af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock. Date: Tue, 7 May 2024 10:00:18 -0700 Message-ID: <20240507170018.83385-1-kuniyu@amazon.com> X-Mailer: git-send-email 2.30.2 Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: EX19D040UWA004.ant.amazon.com (10.13.139.93) To EX19D004ANA001.ant.amazon.com (10.37.240.138) X-Patchwork-Delegate: kuba@kernel.org Billy Jheng Bing-Jhong reported a race between __unix_gc() and queue_oob(). __unix_gc() tries to garbage-collect close()d inflight sockets, and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC will drop the reference and set NULL to it locklessly. However, the peer socket still can send MSG_OOB message to the GC candidate and queue_oob() can update unix_sk(sk)->oob_skb concurrently, resulting in NULL pointer dereference. [0] To avoid the race, let's update unix_sk(sk)->oob_skb under the sk_receive_queue's lock. Note that the same issue exists in the new GC, and the change in queue_oob() can be applied as is. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events delayed_fput RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847) Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002 RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9 RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00 RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001 R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00 R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80 FS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: unix_release_sock (net/unix/af_unix.c:654) unix_release (net/unix/af_unix.c:1050) __sock_release (net/socket.c:660) sock_close (net/socket.c:1423) __fput (fs/file_table.c:423) delayed_fput (fs/file_table.c:444 (discriminator 3)) process_one_work (kernel/workqueue.c:3259) worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416) kthread (kernel/kthread.c:388) ret_from_fork (arch/x86/kernel/process.c:153) ret_from_fork_asm (arch/x86/entry/entry_64.S:257) Modules linked in: CR2: 0000000000000008 Fixes: 1279f9d9dec2 ("af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.") Reported-by: Billy Jheng Bing-Jhong Signed-off-by: Kuniyuki Iwashima --- net/unix/af_unix.c | 11 +++++++++-- net/unix/garbage.c | 4 +++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 9a6ad5974dff..6ae0370f038f 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -2217,13 +2217,20 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other maybe_add_creds(skb, sock, other); skb_get(skb); + scm_stat_add(other, skb); + + /* oob_skb must be changed under sk_recv_queue's + * lock to avoid the race with GC. + */ + spin_lock(&other->sk_receive_queue.lock); if (ousk->oob_skb) consume_skb(ousk->oob_skb); WRITE_ONCE(ousk->oob_skb, skb); - scm_stat_add(other, skb); - skb_queue_tail(&other->sk_receive_queue, skb); + __skb_queue_tail(&other->sk_receive_queue, skb); + spin_unlock(&other->sk_receive_queue.lock); + sk_send_sigurg(other); unix_state_unlock(other); other->sk_data_ready(other); diff --git a/net/unix/garbage.c b/net/unix/garbage.c index 0104be9d4704..b87e48e2b51b 100644 --- a/net/unix/garbage.c +++ b/net/unix/garbage.c @@ -342,10 +342,12 @@ static void __unix_gc(struct work_struct *work) scan_children(&u->sk, inc_inflight, &hitlist); #if IS_ENABLED(CONFIG_AF_UNIX_OOB) + spin_lock(&u->sk.sk_receive_queue.lock); if (u->oob_skb) { - kfree_skb(u->oob_skb); + WARN_ON_ONCE(skb_unref(u->oob_skb)); u->oob_skb = NULL; } + spin_unlock(&u->sk.sk_receive_queue.lock); #endif }