From patchwork Mon Oct 14 15:38:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835266 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B376519E98B for ; Mon, 14 Oct 2024 15:38:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920306; cv=none; b=u6RwvXcYrxkLmWIsPdzVMTt/sdkUi+28Y67T+7f9BoPIU9u4DNVFQnzJMnq+NnULL4XR226gOCh8rGhdHM9Qh1sHjiJLND9W+64kBga1fGu+YMprEatfgfsfrid6ZpO14RFHHJZPi4Lpq6T3fU+lcIBNR91IOAnKF5cpPOxkDEY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920306; c=relaxed/simple; bh=1bN+QEotEpIRBT6cXWz23R8634LnGKN+Ky65Id1kG+8=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=K6pWutDF11D4XWKuW9dpWkVPpFv59r/VT0OC7dbJSJOYAoudoT/vRS1DtAt4xkpYqEmefwLQoLv5XSW/hJeVYnXtg4zNSig7g4u6fl3CDAFfoqcv37WArWMJax/qfZtgeKEPSg2WGmYo+YUvz4HmkbIFW8GGwY4ngsWBrzTKq7A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=RJNDVQ1e; arc=none smtp.client-ip=209.85.221.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="RJNDVQ1e" Received: by mail-wr1-f52.google.com with SMTP id ffacd0b85a97d-37d473c4bb6so3471145f8f.3 for ; Mon, 14 Oct 2024 08:38:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920303; x=1729525103; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=oRUPHKnK+G7iaw/aUVaZN8QnmGwAZh5z1e5fpZvzMzU=; b=RJNDVQ1eKw80sPypm9wytcdbY4bKkip70lRcKlrDqwnKq89gcFV3E9Ml50zx5PWpiL CDK52zTEyZx4XxoMaulb37d4piZbghUzQ+JbGf+r5F23uxPBi7a/U9sPES9+Ea/Q/f2D 8p7rfrQT2YwtCMRYzJNkmrKH8gN+V13g1AdXy5xo6cGZ2/x6kVZFmIjviHKrymm57erx 5P2g8tNAtOGzFXPDbf1ebe2sM8gaxTyIgWIJ+OjfEvPUBtPUEVqlmO7ppz6W8E30qMuM WeMWefrYfQ4SxNLJEsnBkXjRYIKlKgN9yUPRUrH7OCLO5FgEZf5kIp+PrLQVjBWZlWS7 cHCg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920303; x=1729525103; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=oRUPHKnK+G7iaw/aUVaZN8QnmGwAZh5z1e5fpZvzMzU=; b=wBeuDjfuzrWP7W2WTV99YxD1RyIM0I9j8DHSNqk+CLxOLXPr+8vG8M+LYl8F/q7e0Q nZfA0n+pKvRAxOApUyzdaAaIzCHDP4UKguGLySELuIkOyJTp6Iel/tOZpp+EItqP3TiT PRyaj6ceWY7Asim1OKzSwHfhLdh/bJGAZrwS0DDO2izTpi2EPeaRutESPn/J7CEsnJJa rGhDhy8IWX3dzKbRyYcCt4mUL5Bt8TOoQisw8NGX3LB9JfPY98H1XnQlBqvcayQapKgf tYkNRb2xzu8py43iDqFM+ELNKiR4vN7CRuPuCfbFfurcuseTgw20p8LWmSp5Fb6IluwV pYHA== X-Forwarded-Encrypted: i=1; AJvYcCXdxh/2Cp6SRo5G2m1CNV8Q1dDQU3bMu1Y0WA7nmPs4f+OKpBfuS7mDS6/C/js5AxNHcLCq0jM=@vger.kernel.org X-Gm-Message-State: AOJu0YzZXtefYCEim/atIm+zqW6W+Y7XcO5+2z1k3fpbk4K+Yi5wsAoz hHw6AuXHsOuHmKDMGkH8N8CYW0jB+Q54Y+5T6q7Ft0yLdCopuhPoNTexZjAZd1Y= X-Google-Smtp-Source: AGHT+IEaE6C7r4ltNMskXO+tjNMKt9+qcANcSAGt9ehXwYkCcmFGRyHWUT3EcbTB5H99ngatuL8/sw== X-Received: by 2002:a5d:4f8a:0:b0:37c:d1ea:f1ce with SMTP id ffacd0b85a97d-37d5ff8db28mr6535195f8f.25.1728920303012; Mon, 14 Oct 2024 08:38:23 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.20 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:22 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 1/9] af_packet: avoid erroring out after sock_init_data() in packet_create() Date: Mon, 14 Oct 2024 16:38:00 +0100 Message-Id: <20241014153808.51894-2-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org After sock_init_data() the allocated sk object is attached to the provided sock object. On error, packet_create() frees the sk object leaving the dangling pointer in the sock object on return. Some other code may try to use this pointer and cause use-after-free. Suggested-by: Eric Dumazet Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Willem de Bruijn Reviewed-by: Eric Dumazet --- net/packet/af_packet.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index f8942062f776..99ae27d1e4dc 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3421,17 +3421,17 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, if (sock->type == SOCK_PACKET) sock->ops = &packet_ops_spkt; + po = pkt_sk(sk); + err = packet_alloc_pending(po); + if (err) + goto out_sk_free; + sock_init_data(sock, sk); - po = pkt_sk(sk); init_completion(&po->skb_completion); sk->sk_family = PF_PACKET; po->num = proto; - err = packet_alloc_pending(po); - if (err) - goto out2; - packet_cached_dev_reset(po); sk->sk_destruct = packet_sock_destruct; @@ -3463,7 +3463,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, sock_prot_inuse_add(net, &packet_proto, 1); return 0; -out2: +out_sk_free: sk_free(sk); out: return err; From patchwork Mon Oct 14 15:38:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835267 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E74B51AC88B for ; Mon, 14 Oct 2024 15:38:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920308; cv=none; b=ngkJI7khwjMErcqIeSrYZzgm0/4i5JOfjYGgdBSeAYdesy3eaWSNzcQBK3ERoMEib5qfTo9uDbnffgtNLnletZXrKKUT/apx/4/fOdUsmUb2T5BxtGSCZkWMcQK0S+Gu0uybLegCzLLBBiEJqVUzlEwMOfUT28GoOvqrJr1BLa0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920308; c=relaxed/simple; bh=Za6d2/ag0cx5W3bmCrv67Ur4+k+VPgr8uvsyupNoJnM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=PZWY2nJC0SHoQ+GMq8Dvzx5P4+qoLXar0aPWmMeBcu1Z0K9yLa5z7YsjSbURPdKdrtjZqU9/jRVOCSCL0zHnlPN0QyZDrU3YtJCAHD1IHJa/h65aKXzbCniV5P2Uwl0GTxisd6LPlnMxGbgwfE8ZHRhUmww3C6wnNlx+LN/yPtk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=ADSl8+Xy; arc=none smtp.client-ip=209.85.221.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="ADSl8+Xy" Received: by mail-wr1-f50.google.com with SMTP id ffacd0b85a97d-37d518f9abcso2403571f8f.2 for ; Mon, 14 Oct 2024 08:38:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920305; x=1729525105; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=TINcLHJMJcRO8N8gtca7WYNoZRWtOQnWeYtX29logTQ=; b=ADSl8+XydpCyUMT7zL3I7Xvi1Ix5wGUH5Qfk/p+HOYeLzB30nwmpsZnljcSmMl7gL1 f5gBFjsvjemCwOTBAn3BFfZok4/J5eKhgkR0d6LFhagydEQ9CXJVOiZeSuHbZh8IZ6Pl 4h+6QorPYZhw6NlENAoq5NXcVoV8SDgtaQFj+jV982TyCAhFCVV6luDMEjtEs7rHKnMg /CmjdtmnHerbQskx0gIUQFY4YluRL9dyg1C8jsGY57vCFoUF/RbPAP4xLWAJvi0UxtMy XhHNJZf0yIKgG9BlSHM8EIcMrPHPEc/6RFaVJdP9/HnrpApP7NF7p0Nwpp5905fxo0n0 jBWQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920305; x=1729525105; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TINcLHJMJcRO8N8gtca7WYNoZRWtOQnWeYtX29logTQ=; b=ERLrBNT8W8qBqOjyYE/quOcXm7LRMXLyWLdGpHOhV6dc/sH7WQm0Ab5kLUVHoPY5f5 G/F8Uz8zsN8y04HRILK/EZYPHi7+UwPyAtb4rzEUK+HFN2c8589gG4OFRN87dFhAj9fs nj9olKSDdvPpxB9fQYDUiQTL0PRqJgAnEj2mJUpxnu4vwVM75FePQw9p639yv0PFsZVN As81QpHi9CZnd3y83C8V2JIlip+vXzjm/dfQS7EwSMxFZOc44Xfm17vwyw5EgZtKrAc5 FmsS3JwSPMLe9z4TBoDj6n9IpBBsqj9qFuteM/EpNGR4v5j6cZVv7ZnwW/v0nz7xRPKa GCKA== X-Forwarded-Encrypted: i=1; AJvYcCW7F3A3KXHhKQRoA1vNMwC9l8y6MoqctbaUNHzKkeiMpdK/76sDvDOVSe07LMFn9QfXCF9FOyc=@vger.kernel.org X-Gm-Message-State: AOJu0YzQRPKfbaZW0slLQDm/6sk93DqNqWdWFDxSCoAxGdt1oRHSOIMG cdgFpivNfpO7ALgfQx7yfRVdQosJNZmcYNe5yUCTT05/ExafGfaTLRTnD3HK0Fc= X-Google-Smtp-Source: AGHT+IGI3bnawMCR2rBPHOoSypef3VQX2phi9r/huSmV/cqlV/2kFbNe9+Hj1byHQxm9DpEINFWl2w== X-Received: by 2002:a5d:5c88:0:b0:37d:4ebe:1647 with SMTP id ffacd0b85a97d-37d61afacedmr5574208f8f.49.1728920305128; Mon, 14 Oct 2024 08:38:25 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.23 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:24 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 2/9] Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() Date: Mon, 14 Oct 2024 16:38:01 +0100 Message-Id: <20241014153808.51894-3-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code. Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/bluetooth/l2cap_sock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index ba437c6f6ee5..18e89e764f3b 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c @@ -1886,6 +1886,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, chan = l2cap_chan_create(); if (!chan) { sk_free(sk); + sock->sk = NULL; return NULL; } From patchwork Mon Oct 14 15:38:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835268 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 41B0F1B4F2E for ; Mon, 14 Oct 2024 15:38:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.47 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920311; cv=none; b=HEMmda6vmZKpjK3XUta9RfjGcu3B2EImSJ2PVmmV4WtEKX23K2MC4ZMMv8k5jZHCUvKf6xwoKdoNxyf5CWxX6AUG5yZmaoG4tYIJEPCHgOV6yA6ABAcqA6HSzDK8zHRP0mdZ6lv+gMlWKYPlV39Vv8F6LJKuPSs8RwoP+qFzGU4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920311; c=relaxed/simple; bh=GvHicGdC5gF55ThXSZt1O/NLZ5Cy+z1ts4hoVbPvBIE=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=o7bWrchavbiDR8ZAkW6E21HQOsVfej5ipEdq/S/yhTRXG2RZ0HTY2iocjScj9TQIq+wtgU+y1nmS4fqFp/4fbsY7hZAK+E+BU0HGE3Fxdm5/7ofY3z51MLd2XQLbV6AuS/HSUJkS58gmLe9oG/h74vC91nORi+geCN2L6qSYyXY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=c9tESvC1; arc=none smtp.client-ip=209.85.128.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="c9tESvC1" Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-4311420b63fso33470315e9.2 for ; Mon, 14 Oct 2024 08:38:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920307; x=1729525107; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=JRe2C+foWbcov6G7P3m7UzBNc36wNTYgM3II8ClmqRs=; b=c9tESvC14rgTwhPvzYHqFoBqPQ1vxoiSX9RhESYC7q2TQJ1kln8f9U0YbQTpSsJVhI zPNsB/6rBD7N8OO9qL72i1c/7UWYUZHTY6XU+IY8qdRE9MSZY30TVt/kJalkzIH/PQRs zXZ0zjyT7+394U6mIBXd/gk20oBgk7lcL0P61DL9aOYqPXotBypDGiRp7/gJTBTRQwyB 6QLU6HGBB98cyYowz8Tpl+ajRXZELGmFoCReTE02JwUcM5GqhHG6M8lJaI2SsV+TkbKa lWLM41dklrpcVMOwugPg7MuztTS2zJ/VHzeqHh1yP4CQmasICfMt+YnLRPKMA6Ob3PDF D8LQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920307; x=1729525107; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JRe2C+foWbcov6G7P3m7UzBNc36wNTYgM3II8ClmqRs=; b=FTAL4ZlYQagu3nQLeBb0dzXRgyw2BbOBVSkEjKW/43650QsZcYdmyXTfkcgaFKbdaC 7On/N+L9JMs7P97JQnWrBKDC7HF1UjhekAkz8D83Diw/xQR2HR8J4JTrJjrMKIoYX3gI gZuD/0YkzxVQcXFA5qY0ATQMdr4k6DytzhtFAxJxRq1EsJbrRnjvzDLgkdUdL1PHb5nx 7mhteqK7nqRPnX33IDRQLNcuLuEMNf9cUbCgEVsV3w9cHpIEdr0fLY8vkuYP6RBOeCWS CfA4UbLaj6Tmq1dVw4G1nbMWVvjSbjA7rrrNGPiwsDXUzHBs2flmyzHM0DZtu4MqsQO7 lKtw== X-Forwarded-Encrypted: i=1; AJvYcCXJYhNlXFqOEosvyel149QFY2T0B/w5llCKjA2Xa/wm9WiqNHbaKUJC0uHERnzGQN2WhdCwZrM=@vger.kernel.org X-Gm-Message-State: AOJu0YzB7EDOduJEv/Qvol7KpE8Ch/CDKYxj14NicQwXxa6tRZGX4z5b vA8B0ftSYExI8nP2FHAm0Hk1oYuoJ+z7Ib87JY3d8Iaxrd4hnhhVwOE10ncJkLI= X-Google-Smtp-Source: AGHT+IE4BazPIerb4dni+agrzlUjCsWIGS3LpWQM7q1t/kfeDsxhJlB9u9/bMMZmGbUUqKUZP+ZMNQ== X-Received: by 2002:a05:600c:1c09:b0:429:e6bb:a436 with SMTP id 5b1f17b1804b1-431255dc867mr78702245e9.9.1728920307425; Mon, 14 Oct 2024 08:38:27 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.25 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:26 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 3/9] Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() Date: Mon, 14 Oct 2024 16:38:02 +0100 Message-Id: <20241014153808.51894-4-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org bt_sock_alloc() attaches allocated sk object to the provided sock object. If rfcomm_dlc_alloc() fails, we release the sk object, but leave the dangling pointer in the sock object, which may cause use-after-free. Fix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc(). Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/bluetooth/rfcomm/sock.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index f48250e3f2e1..355e1a1698f5 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -274,13 +274,13 @@ static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, struct rfcomm_dlc *d; struct sock *sk; - sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); - if (!sk) + d = rfcomm_dlc_alloc(prio); + if (!d) return NULL; - d = rfcomm_dlc_alloc(prio); - if (!d) { - sk_free(sk); + sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); + if (!sk) { + rfcomm_dlc_free(d); return NULL; } From patchwork Mon Oct 14 15:38:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835269 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A95D1BD01F for ; Mon, 14 Oct 2024 15:38:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920313; cv=none; b=d0BlHqQAnrJZk+cK8MZRdzoxZLbL0Rc3ki+8vYIr85ky0qfaHbkOKZwXkIbyvsUIZCbgSXQllECD6iRPzaddCnSYm/o4daK7o+Kchwipowywg8Vso+NKrTlhZpVoTCDELP9D+Xm5tPCCPMUOx4ndKHeoZ6qAIWCxlIlJ+1T5Cm0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920313; c=relaxed/simple; bh=VxIucDQGPpRIS63YRPMZymbS4KIO0Xi6qKhd8KI+CEM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=YDgwAdFaiX+u4deaqemutxqezcqhlaApSTn69lH0On9QhquEXLc/5a4reInl+2708t/+iuQNJFK+PCHhGO0cIulMbPCgqWDuhjEhnOYQ/vY3y3aPN9vlNao7+G2FHG65610suD4GGkPQU+qtWN686Ch1scDYj0Iym4bWktPuMb8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=Vad1vHip; arc=none smtp.client-ip=209.85.221.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="Vad1vHip" Received: by mail-wr1-f50.google.com with SMTP id ffacd0b85a97d-37d4ba20075so2896448f8f.0 for ; Mon, 14 Oct 2024 08:38:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920310; x=1729525110; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=O6Xk7yX7Ph55Lc4GYMDFLX+bnVww2jUFr9G7tdaf2DM=; b=Vad1vHipC/p2/XtODd31RqwRkdJZEMHRVgRy9SG4NqIzw1iQazmgdAiU4BluBxi13O ftd3QpSLOHPqR++Xq91lCMX5jl1KHqq+pILVUmMwKHrAypQ1BQmsRoGfkirLF/dZqKiV McsooJuI1ae0ZKXKTeDZv9PtB34ff3ZYUsX2irH515TPamHMYR9uPxkr66Tivz0kJlGh LJOfy+pzwCFZleHT5d2X3rfkWSc2X//UmxQ/6KE87y3twdOwy0wAa6E6NDeIXNPeqSBz FwUjPSZ4QY14yW3hxgOda15xCEpEgb2RbDLPp3tDGtTp+fQ/wHe6y3hS3N2MmorCWg3E u+pw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920310; x=1729525110; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=O6Xk7yX7Ph55Lc4GYMDFLX+bnVww2jUFr9G7tdaf2DM=; b=Pw4PSQu5Nt1SwFfFiEOAx5nYBQifpSrldkK06bFDr78WdFUuOS/LqxHstK5OPluxmp Wu0LNdoJIPOGkCHtaY7U/N/hYjtqAE+0Lw94PWNmbPlFLGvI/u47ddP9TzErDrhgoOd1 rn5YH9o/tyxkQKqjjWlUfeemWRnXMiHUGERGDooY7dMTfA+61ut8c8k+bDYEoEZVGo90 IjoXiTauURirlFukutYfJbUvAzq0FMddkXLl4DcRu1DjNiijpISlPaHvHRkycpHyQa8/ FQ2Z3hHoRVL6GcKmG7MZ5qDnl/fTccNHxCs1vrXvfD2kfkEDn7dD7vD0QH04HTaktZLX JjFg== X-Forwarded-Encrypted: i=1; AJvYcCX+fCFajzjroXWnKbhCCQwkgORsVS59xSEwvKS0ZUqMYtXYHyEolLHSdNFCy2DcOly5ivOFXsg=@vger.kernel.org X-Gm-Message-State: AOJu0Yz8UU1uxMnZ/1/PvtjnvcUOGW8nUQTeT1L/vbc91HuFuV2CVCY7 PZXuzOzQkenAY0+o//FY52dtT8n16RaxoPs6m9JniW1ADeTCFFtS2fuVcol9xfo= X-Google-Smtp-Source: AGHT+IFOjny/ZC5vM2XSWOXaR36r1j+H8geu/8duRN5SiAObjYA/9oL5xKSu3VUf7L1WrDRmThqGmA== X-Received: by 2002:a5d:6687:0:b0:374:b3a3:3f83 with SMTP id ffacd0b85a97d-37d552cb66cmr10142454f8f.53.1728920309727; Mon, 14 Oct 2024 08:38:29 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.27 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:29 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin , Vincent Mailhol Subject: [PATCH net-next v3 4/9] net: af_can: do not leave a dangling sk pointer in can_create() Date: Mon, 14 Oct 2024 16:38:03 +0100 Message-Id: <20241014153808.51894-5-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org On error can_create() frees the allocated sk object, but sock_init_data() has already attached it to the provided sock object. This will leave a dangling sk pointer in the sock object and may cause use-after-free later. Signed-off-by: Ignat Korchagin Reviewed-by: Vincent Mailhol Reviewed-by: Kuniyuki Iwashima Reviewed-by: Marc Kleine-Budde --- net/can/af_can.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/can/af_can.c b/net/can/af_can.c index 707576eeeb58..01f3fbb3b67d 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -171,6 +171,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol, /* release sk on errors */ sock_orphan(sk); sock_put(sk); + sock->sk = NULL; } errout: From patchwork Mon Oct 14 15:38:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835270 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8FF601C3300 for ; Mon, 14 Oct 2024 15:38:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920315; cv=none; b=rILomcJI1sP7vR0p/SCmuJD3YAUkkrNrYcKXb1y7xrjw9lD9TZhqX6IFF3qLmdRj02S3CtIKLliVw+9azVtbRyYmA7EWtCpUGqq8Ig5DNDge7KIN9V63MOrXMk0qwaCf0iK8y8RP/m1lZx3Yx/O9ySaMIdD0JcKUptVywfi/lRk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920315; c=relaxed/simple; bh=XZyeSxYL0Rt6XzD7DrYNwyUkhIbWdcwwkzg4XCE56kc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=CcqefABVITYYrKaXub2otuDehbzGdBwt71HPecT/PvOCponjsDUwrYxE54+3j3AEMibEw0iMytworIZP6mXCg6xSudLGfK7gWUdSSUOQv9QBTxvjmVVO8EsIggN6L3QuI6jRJdgs36zDnWX8ykDqV1XFloMlmqbT7SXGrYyQe18= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=MdISMh2T; arc=none smtp.client-ip=209.85.221.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="MdISMh2T" Received: by mail-wr1-f52.google.com with SMTP id ffacd0b85a97d-37d4612da0fso3193835f8f.0 for ; Mon, 14 Oct 2024 08:38:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920312; x=1729525112; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=LbHwWEpfmVr6vDfNAIj04FaBgRdnLx3F1Vt3RjTwrtE=; b=MdISMh2TxSBfUoqF8lTK+6J6uQKXbIMCfJrZTk/6CZNGiMzcPt68ImPAUhDH1m1dsz YJt23V5EHT/3HQhGRkewF6ynT3sir8fRvYKPU7kHtDC7q3OixowsoNhWb9pr6RCUlAfy ugZw/0YAW4yk2J9nc5U91yhNcRty7slQaA1wNFo9x374UmFLU7WFxsQmOYUoMH/654Br qdLOyIjIyUFEoQbmjsivrBkTGwSRSEeA2j5+FxjuGVJ/ufP4iIHrZZOyW846EWEnklg5 s8VTZaN7tu9iW2Rz2rC+fz/1in2k3sDZhLeAlrvIDgtEBfmH+vhn0o/K+iyniUo3b95p v3lg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920312; x=1729525112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LbHwWEpfmVr6vDfNAIj04FaBgRdnLx3F1Vt3RjTwrtE=; b=ZhGqwq6/KzGEgASsjRhjwtlDm5L79mLJbG9jm93tAbLqI3Ma7a2YEtiD7e0aZWawOy zLnPQSNMeB9kKKq8n+p9VzXdOVvTYlBPHSr6ztIcnda8w3kvU8HjjNmahktBPhudyuza YNVD8l+JMwkmSpE2eTO+vX4p9cZilmncidQlX6SsyRCD/RKS7vfJI9at07O/L0dEhkjd nO7piDaPAOz/ldRisOk+PvM1ccUHqjVN3rcOeBXSk1D/XoGB3emNzqSyFst2OkAf1eyQ uQWHWD4CgG0T2/lzQomUeG643a4lKEiRZ2rUi04qhawPHH+7nNPleW80Vkzo4Y7uGn+D cSfQ== X-Forwarded-Encrypted: i=1; AJvYcCVt7LAp05zc+FwD7DkLGiAKXp69KQnO3i4HCRAKXIPtw0ghVcfW0wWCWBqdK4rdOSTyDFPlZQM=@vger.kernel.org X-Gm-Message-State: AOJu0Yz0cdiIjxulVTNoLGhTbeb5RzjRFPahhp6dbyG7A07eaTPUJETY wgstW0GQeAGaZdZvKzY3i6FUrCyjuzrr4e4MkBTGhuLN1KrcHotP79GTgiDzr1k= X-Google-Smtp-Source: AGHT+IFpRrcvyLwLdEFLQDdJiBx0O5p4UCoiCY7EDrHsmjdj7yCbqKDU3xbbCNWtcTob1sB2WmybtA== X-Received: by 2002:a5d:504e:0:b0:37c:ce3c:e15d with SMTP id ffacd0b85a97d-37d551d9cb7mr8770131f8f.14.1728920311872; Mon, 14 Oct 2024 08:38:31 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.29 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:31 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 5/9] net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() Date: Mon, 14 Oct 2024 16:38:04 +0100 Message-Id: <20241014153808.51894-6-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org sock_init_data() attaches the allocated sk object to the provided sock object. If ieee802154_create() fails later, the allocated sk object is freed, but the dangling pointer remains in the provided sock object, which may allow use-after-free. Clear the sk pointer in the sock object on error. Signed-off-by: Ignat Korchagin Reviewed-by: Miquel Raynal Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/ieee802154/socket.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c index 990a83455dcf..18d267921bb5 100644 --- a/net/ieee802154/socket.c +++ b/net/ieee802154/socket.c @@ -1043,19 +1043,21 @@ static int ieee802154_create(struct net *net, struct socket *sock, if (sk->sk_prot->hash) { rc = sk->sk_prot->hash(sk); - if (rc) { - sk_common_release(sk); - goto out; - } + if (rc) + goto out_sk_release; } if (sk->sk_prot->init) { rc = sk->sk_prot->init(sk); if (rc) - sk_common_release(sk); + goto out_sk_release; } out: return rc; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; } static const struct net_proto_family ieee802154_family_ops = { From patchwork Mon Oct 14 15:38:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835271 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 847391C7608 for ; Mon, 14 Oct 2024 15:38:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.47 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920317; cv=none; b=lZT7rWgzHwK4t9rgr55Lvj7gkN+IrKn0HBJoRl+vQmQisXC2vascy4DyhZEIThXBZOEpTs1ETi3RQApewT64H0Gofr1BnHSwzt82zU9aIalRKQ5LZVS4tXNILoPxFaRSDRxBq/foQNbeBH/ckSxGI1Yi2Tsc7b0DEafLRLLNIx8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920317; c=relaxed/simple; bh=TykJJMM5IzwfbahmKZJTnRFTzpHvJ80eOgoE0YjZMYM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=QK/igDEJE5AUEShOPQKgNCqx9qGdygQxpATIb7U546G0aH8zHGGeoprciVIWvKvffpbOHTaZn7qtw7w/CBNlhEXoFRpr7lQT1nzTCIF38rUKa4Fu02je/SIU2q/qIISjr/eRsif7/+Uv/Nze/ETkUhOhPprNH3RWk6bkkICB2KA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=c3QI9aUK; arc=none smtp.client-ip=209.85.221.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="c3QI9aUK" Received: by mail-wr1-f47.google.com with SMTP id ffacd0b85a97d-37d5689eea8so1898154f8f.1 for ; Mon, 14 Oct 2024 08:38:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920314; x=1729525114; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=49ytr3oVzMOQdVnJdbtLDkZg4U2+YqG6lYXkOtuknMY=; b=c3QI9aUKu6Bi2Q+b8cXS2JW0XWkQrdIxfWRocPjUJ4ipX/DnkFkgfFSoH96GxQjskv H+s5a4sZHs/D1d604fpqEK01TyCQyKdFJfgkd5WKBzAQ4YFDKPAuRNsEujbfaEd0wOhk U2hsj7sc/AdfjvUi3lHThlaDFMkKysLdxdMTn4G92x94laSnlToVfQ6jeu7c7CEluJLR X7FY8MsnnN/Lg7qWc2A6dzJdJOp1vw6kW+mXrHEJdVrmmt/tKVS+YhzaH1YxoMHJrjNA ENQozVzUkLa+X1wb/Djdwd/P4v7UX4Lz8Znxc0zcjnVBrmGvRw90fT6hrOYEPY+RxGlk mttA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920314; x=1729525114; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=49ytr3oVzMOQdVnJdbtLDkZg4U2+YqG6lYXkOtuknMY=; b=fyxy5Ya24Z0UlCVDqIAGz66CmTr/Cb/Bb+jGObAKrWmGmGIXzdNiFwWXGZJfuKdnj0 lWgiJcxqn/YZHsL8ucBBL2ovipoNH7rdUpbV4c4ny8FDHFynCaTk41MV4GG56K91DqbW bTy112UCFK8FYGv+kZTkRpQdxdZjL2WWxZuemjZ+PZASTO6I0689pDcZ8WIyorVmltAV +XJgwStBZGYg3c1PMLu7a9mVc+ZZG7RJ4e3XbxS/g2Kge1IvS5scIRk1DifJVYdugtPf iUYpBKsDUrEUrCr43iLrznIQ3fomX9ephQKIdawamGRSSLztuy6hpnRzYKNdnqHKU6y9 VUQw== X-Forwarded-Encrypted: i=1; AJvYcCWCwO83MQqZeerbfbSMA5XjBDPiv8Xz5V1lLJdfKbzydZEbH1rMsFvB413lPi5xAqsaxNLHuOE=@vger.kernel.org X-Gm-Message-State: AOJu0Ywd/CAX91wWjUkBIbcd09kKkni4jcuBq+f3pXE8KL2+IpMDxZAR eHIYVTCxIjsl83WGhqGBKzlf/jGDEfQYLJokVFqKCsO1pCA54Z5OVEpgCQVdOoM= X-Google-Smtp-Source: AGHT+IEK1fXfdN4ULr/3sLohnKiPnjVrQV68cRQbTA59WSVC//oUJKPx9zNQVb7mUdYnIwSncrGyLA== X-Received: by 2002:a5d:688f:0:b0:37d:50e1:b3e1 with SMTP id ffacd0b85a97d-37d551b79c7mr8936288f8f.16.1728920313945; Mon, 14 Oct 2024 08:38:33 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.32 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:33 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 6/9] net: inet: do not leave a dangling sk pointer in inet_create() Date: Mon, 14 Oct 2024 16:38:05 +0100 Message-Id: <20241014153808.51894-7-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org sock_init_data() attaches the allocated sk object to the provided sock object. If inet_create() fails later, the sk object is freed, but the sock object retains the dangling pointer, which may create use-after-free later. Clear the sk pointer in the sock object on error. Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/ipv4/af_inet.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index b24d74616637..8095e82de808 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -376,32 +376,30 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, inet->inet_sport = htons(inet->inet_num); /* Add to protocol hash chains. */ err = sk->sk_prot->hash(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (sk->sk_prot->init) { err = sk->sk_prot->init(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (!kern) { err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } out: return err; out_rcu_unlock: rcu_read_unlock(); goto out; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; } From patchwork Mon Oct 14 15:38:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835272 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AA3B71C9EA7 for ; Mon, 14 Oct 2024 15:38:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920319; cv=none; b=nZtmdey5XdY+FgmOMf6tULx4CTlFqhkn3zIv0JhP85r0XPlEKUkMxz0hRFvAOFS5RN2suiEzatoJ2TAtWoJxiYZ//J1DJ/b02Ck4un5f9OYVVGJiMWcjhNsqTExb1aBzbOnhBlxivx8vDfrXCMm6oR4XeHI7tJ1n+FDAodG0Fc8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920319; c=relaxed/simple; bh=B2jIOs9L3gzL5PsTv6zAjfQ7uhJ1V7bXBI/aVWUwbYc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=SEyEW7ValQQ4NakAqHkDP6wHicDOgeLvxd+JEMSO05WCAmSM6VP2ZBwcYDSYtbkRP08J5102uxuJSUB7rvac60gJ8w///m+a92ZVA9P6J9Hq4Ert4NfH/aV1JQir7JFDRhJ+6sZYKs51iYTZoIikTqaiuVsDVl9bKmKG63E3SV0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=SPE1k1J7; arc=none smtp.client-ip=209.85.128.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="SPE1k1J7" Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-4311c285bc9so30789265e9.3 for ; Mon, 14 Oct 2024 08:38:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920316; x=1729525116; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=lc//y1BjgJvxxX3rGB4aDZ3xX09SUgENBX50qA84hL0=; b=SPE1k1J7Xyw6fn9/LNdrjheqnufXMsYV46py4ESfUl8mdSQlzej5qYsDZxYEqdy3Up lST2arihYhJAwrVaDiWxPAFAr4Kt4TnwUQphBB3t4qBwZYf1XR3RwMypulxICZ3wuFBd uuWzv8EwfsWL4c32V/yhFBeLUCCJGJIqzyhx/JssqBwUi4gXm/ldf5EUnFUgUBtqenBj EPr/x3GYJnXxTHj31QR3Modr7kjEEwkfF7siPzXobiFKcN3OktPrDOhQCo9rb5onB6+c G7h/H0h3VT7biQSEsl7BXXKHnMFuRWKbaC9AG2jhYAwwEd7N3E9fIgoJOP9oEFjoxwWb r+sw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920316; x=1729525116; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lc//y1BjgJvxxX3rGB4aDZ3xX09SUgENBX50qA84hL0=; b=rg7T4IaOVwUKJUj2ae/dOdsIFVgzAZsPEZL3b0T5pGmT7+ihETqpsAZ/MTdZBj9VQR wuFWO27AJcuCkrJESgZ3FmmEu0tRGyR6z+hwYwK7kHBMKylS8lT1MGgIvgd/kEcVEBKL ntbX7sHaYElfYCw0Xo3uBrUtCo1w2voXgoRa/6g5cdcoqGmNnVY1xOYMrg7choOhmj5u rsEzWroAwhQG7yqjtwKtotD/bWy6k+QkOwYSl5zs76ekFQBLaWmUeh4fkfUVSjPGi5C9 YrkgFcagPmM8wiOOLuOS0qCJy8HwdgcuwUTlmVQlUHIebKyfitePeVU7RpUZsQ8EugDY sOCw== X-Forwarded-Encrypted: i=1; AJvYcCUdcRRxHzRim2q38XU7fOshDWn6VAtgjzFuMQY2GXe06Dn5qYQdr1juNj0NlVi7dX6ZPoCxLVg=@vger.kernel.org X-Gm-Message-State: AOJu0YwlVyohqlNMpQmxiB/qYZ4juQyRAZF7QMwFPsquzIG1jn55Qj3r LszIzLdXcldffibcMhy83mvFAP6Saawa5XgBAFzqOf8o5ojcGQn1YEeqqmNzO2c= X-Google-Smtp-Source: AGHT+IEIDg1NkYP+jkdfN8/Qy2bbNOJCew4tzqQ4wU+J4Bx2YgcvD/tGgxkQdWC68y3Hu3c+jOjjEA== X-Received: by 2002:a05:600c:1d0b:b0:42c:ba83:3f01 with SMTP id 5b1f17b1804b1-4311ded4265mr95708305e9.8.1728920315951; Mon, 14 Oct 2024 08:38:35 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.34 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:35 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 7/9] net: inet6: do not leave a dangling sk pointer in inet6_create() Date: Mon, 14 Oct 2024 16:38:06 +0100 Message-Id: <20241014153808.51894-8-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org sock_init_data() attaches the allocated sk pointer to the provided sock object. If inet6_create() fails later, the sk object is released, but the sock object retains the dangling sk pointer, which may cause use-after-free later. Clear the sock sk pointer on error. Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/ipv6/af_inet6.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index ba69b86f1c7d..f60ec8b0f8ea 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -252,31 +252,29 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, */ inet->inet_sport = htons(inet->inet_num); err = sk->sk_prot->hash(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (sk->sk_prot->init) { err = sk->sk_prot->init(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (!kern) { err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } out: return err; out_rcu_unlock: rcu_read_unlock(); goto out; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; } static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len, From patchwork Mon Oct 14 15:38:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835273 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B5D381CACF8 for ; Mon, 14 Oct 2024 15:38:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920321; cv=none; b=RrNp35bRQiuTQbRxdsOhuxg+aNnuuCMU1QCs1zsegVDEbizkvkZonX8M15732xhUhUnPd0WZyKNMQE7xBUCS+B3lwkD6jUH4xVg3VqRwmDVEt1tAVs+MmtGIj5hSkWT2Wv08SATtX2EHHdA3f3zIwHqe+MbT4SEdiSTg8jlCoEE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920321; c=relaxed/simple; bh=tpRnxtvyDHesMuGsYGGagBR2XeIwxtaApq6sfrvnYrY=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=fGN0R08nHI4IxfGRHODXI9Rl3pm+ZDcZBPXOpABGpWoQA1cxOMVY0n8bUe6YA9WDQP0H/waEjr4kayx4Gx1lg0WFrwsh7CCA4u4TivCRSZPQFadFc/xsDU8ID7roI9h32fNThGvqiOL5B9ZQudOPMLrQmHGEPOpc0GlUuHZl5xc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=gHmxVmqE; arc=none smtp.client-ip=209.85.221.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="gHmxVmqE" Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-37d518f9abcso2403738f8f.2 for ; Mon, 14 Oct 2024 08:38:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920318; x=1729525118; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=NRdyGf4lfZr6TznDuyWqYCBTl3G4Nizl8+blfyYvkoE=; b=gHmxVmqEAq2H3WSZdMhuCmkb7TtWIvdeoxB74oty9UCExauTw/LyGcw1zxvAxXy+dl atl6R+YmvG/iOTONZWptqoYAvtsk18MOlOEoxma5Wm9/yUeJwdWl2m7eHekbakfFlNsp 3WRnxaf09V5yQcY4IoY6C+Cn9sYW+fDiuUm5RphdLf0PVLs2lzP1O8RgC/9rKGMfn7MT V6zcXMCuSi4hB+mipouR6I9AqQY03la+55wgk4ESopEG5IFPB6HGn4BzXSeHR5OS1/ef 25NRI8f0N7QtIu4fS/wpbbzKeoqkr8TXRr5iXDmJam0flodQyZ9ydnUGbxvSGqVh0tS8 iGRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920318; x=1729525118; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NRdyGf4lfZr6TznDuyWqYCBTl3G4Nizl8+blfyYvkoE=; b=LTtK4RzEtAqzU1c1h0hbZu3HdKjm/V8nbGPxTK2pknpHTK5XkirqvwGABnnH2mvwj0 tT0sQsztaY+gE+/aJ9JgbvxTNzpOOxfhrixM43y/fiiKgH1q7NbNlpBIh0fkyEu/zftP tpYmxQXV2W9A4FWsfwnNI3RnFoamWMBWganMORCWBH/K7oCDbsjzNmcwAAAkW/BItsVY mL+EDTfZHurCVfhObY+qf1Lzv8S1xmDaYT+xpwjtwKMV6lahsHBriNQ4dpP27e3sRwr1 xiPgtSZqQE2H/yLoebDzOGEbhmGHebjpQsNnMgQQDf3USIiLsdZnrO7wAXwjpvF/5Hqt mqcw== X-Forwarded-Encrypted: i=1; AJvYcCXS/9nJx1LkE0IBEr2S8LuEV/yjCPsRWr9jKevaltK+HXbX8lzdUwODvfFr5CtintB2GNnYewc=@vger.kernel.org X-Gm-Message-State: AOJu0Yyh2mpxvX4nGKX4XatBwSzZ1MNbkXjIfwkmNHCN73V0j5dXm6eC uYaX66eZJBzYNXL9mBZk3Ql/zhdvPt5QHKlp9w5psus3JE0zgsUd8+1VK84a1No= X-Google-Smtp-Source: AGHT+IEvSESGNKtr3mfQllscjnvWPixVZXXYDJK2VErqCT7tUm2cqjBB5hZh+pW+OcOgTVIOFBIPag== X-Received: by 2002:adf:e908:0:b0:37d:3def:2a82 with SMTP id ffacd0b85a97d-37d5529acb1mr9092817f8f.36.1728920318048; Mon, 14 Oct 2024 08:38:38 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.36 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:37 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 8/9] net: warn, if pf->create does not clear sock->sk on error Date: Mon, 14 Oct 2024 16:38:07 +0100 Message-Id: <20241014153808.51894-9-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org All pf->create implementations have been fixed now to clear sock->sk on error, when they deallocate the allocated sk object. Put a warning in place to make sure we don't break this promise in the future. Suggested-by: Kuniyuki Iwashima Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/socket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/socket.c b/net/socket.c index 24b404299015..9a8e4452b9b2 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1576,9 +1576,9 @@ int __sock_create(struct net *net, int family, int type, int protocol, err = pf->create(net, sock, protocol, kern); if (err < 0) { /* ->create should release the allocated sock->sk object on error - * but it may leave the dangling pointer + * and make sure sock->sk is set to NULL to avoid use-after-free */ - sock->sk = NULL; + DEBUG_NET_WARN_ON_ONCE(sock->sk); goto out_module_put; } From patchwork Mon Oct 14 15:38:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835274 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0E77B1CCB5D for ; Mon, 14 Oct 2024 15:38:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920325; cv=none; b=QLiRfcZBn5qH2Dxh3qNo5CHf4w+lirfhGfARA2tA13VET4rmV04cJu013Mn22YRGBJhOyKafisuyPqKs6fRZeZWssVAuF/xe0UaNZfhIvXCLxH0VA2dEzT+3qJ6U6sPLfW4g2sIQVi+H5vNTV4b2uyRSSctfCETOP47f36fLWeo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728920325; c=relaxed/simple; bh=vc7OmTLH/01Z8jEmhW2hCpr6OvlMbxkqSwuRPTgWIpI=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=AH2/thjR6CmTsXypJe3Aaz/I2Jfb2iu1l2orHedZYuYrk9CcA3XSAo2el4DKiVADvifIQphUJ/5/ToqTFH3G8QHTWEkWcPz4MGPOyYbNoy5iOLQTqQzWMRaeCodRpDxbiKqK2qyh3j5F4Mj0JMuKiuWKAEwunr7PJlyDu0OPS9I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=dLXBS2w2; arc=none smtp.client-ip=209.85.167.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="dLXBS2w2" Received: by mail-lf1-f42.google.com with SMTP id 2adb3069b0e04-539e63c8678so1984254e87.0 for ; Mon, 14 Oct 2024 08:38:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920320; x=1729525120; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ItWQLKHEonR5Y2Gfm40nvdSQUxBxC+w2AGE8qbV4gnc=; b=dLXBS2w2f1B913FYyVksZ5CxT2FB/P+tRs39uNyDlb1TLRWeUYT/QYawOi8x+N/P+A 5aQHYM+8mrlX7YEBLYq8XLQBif1j4y89y7ftPmjBbwEOjVsnOyZaA6MccY0LRNw9Sh2G tekWzAPCmS56R6wJRU6tmBWaZ5GkEmcQjGoK0K4jRC3RM3vHaKsC98ZF1nxUAZgBHM+d Km1YwFDgIDCPIejfnApah6wZQCkqro9Nb0q8WndtlIUTpGV/iq6rl5BRz0263+HpQwin ym+efHn4fKC1o991FRtxIXc0i7f5Y1lqe+K5B+K0kDgacoM/HiIcd3HUZFM+zv7Vajvk U3vw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920320; x=1729525120; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ItWQLKHEonR5Y2Gfm40nvdSQUxBxC+w2AGE8qbV4gnc=; b=MjwF3SPlxWibVymv+5IB3SofGgX6CMSivNay5nTBW6eXSRG+EFY4V3U8jZW9A5eLN1 55dd18k1k8NjN7IYmojtp7ZblHtDv4kHeFJJ6KGOE22y7L1dNIIcWv2JfoVHOObmGafq DdJ7q7EXqEY4pM6Gbg2Xp8bWsSiHmMkKZnqg1EmFO7+f1cIGVU/feDW7qEzlqhni/0w+ 0qHKhbCIkHibyT8CX/6VdsBApViNZwjpp4MeDyWY+6RVFlUsAC7NwmwnMSaWJkNqcAhP ebAogvByY/FHZl6WanTACilS3vLzQe7RlckvacClgd2ayIaBmX2UtaxXyjkWUVBlYsRZ 2qIA== X-Forwarded-Encrypted: i=1; AJvYcCXndN4Lge7f8ZJHUS+OhUlHsAwQ5X80L2bH+xZt8h9IlRSAPWKSCe8EPZgWVE4TUvWowPavebc=@vger.kernel.org X-Gm-Message-State: AOJu0YyDwrUcL6XF3TR5u5osz4QMYH6dKKhUm0i0HJBvVx7aMOaqJ2RF z6ogkRJStsNVDPtVdTlDAlTjLa4So7SkmtMMr/BwpG8aKzNS6THrrb3ah2ejw3g= X-Google-Smtp-Source: AGHT+IEttcKfkHe5cPisVJHUtmgl4wcFxdt3iQxg/FUhY3c3ela4IwMd9TUcQCCkSzxomrcD8IPSrQ== X-Received: by 2002:a05:6512:3083:b0:539:8ade:2d0 with SMTP id 2adb3069b0e04-539e57282c7mr4527098e87.51.1728920320165; Mon, 14 Oct 2024 08:38:40 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.38 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:39 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 9/9] Revert "net: do not leave a dangling sk pointer, when socket creation fails" Date: Mon, 14 Oct 2024 16:38:08 +0100 Message-Id: <20241014153808.51894-10-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org This reverts commit 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2. inet/inet6->create() implementations have been fixed to explicitly NULL the allocated sk object on error. A warning was put in place to make sure any future changes will not leave a dangling pointer in pf->create() implementations. So this code is now redundant. Suggested-by: Kuniyuki Iwashima Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/core/sock.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 083d438d8b6f..a9391cb796a2 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3830,9 +3830,6 @@ void sk_common_release(struct sock *sk) sk->sk_prot->unhash(sk); - if (sk->sk_socket) - sk->sk_socket->sk = NULL; - /* * In this point socket cannot receive new packets, but it is possible * that some packets are in flight because some CPU runs receiver and