From patchwork Mon Oct 14 15:38:00 2024
X-Patchwork-Submitter: Ignat Korchagin
X-Patchwork-Id: 13835286
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH net-next v3 1/9] af_packet: avoid erroring out after sock_init_data() in packet_create()
Date: Mon, 14 Oct 2024 16:38:00 +0100
Message-Id: <20241014153808.51894-2-ignat@cloudflare.com>
In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com>
References: <20241014153808.51894-1-ignat@cloudflare.com>

After sock_init_data() the allocated sk object is attached to the provided sock object. On error, packet_create() frees the sk object leaving the dangling pointer in the sock object on return. Some other code may try to use this pointer and cause use-after-free.

Suggested-by: Eric Dumazet
Signed-off-by: Ignat Korchagin
Reviewed-by: Kuniyuki Iwashima
Reviewed-by: Willem de Bruijn
Reviewed-by: Eric Dumazet
---
 net/packet/af_packet.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index f8942062f776..99ae27d1e4dc 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c
@@ -3421,17 +3421,17 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, if (sock->type == SOCK_PACKET) sock->ops = &packet_ops_spkt; + po = pkt_sk(sk); + err = packet_alloc_pending(po); + if (err) + goto out_sk_free; + sock_init_data(sock, sk); - po = pkt_sk(sk); init_completion(&po->skb_completion); sk->sk_family = PF_PACKET; po->num = proto; - err = packet_alloc_pending(po); - if (err) - goto out2; - packet_cached_dev_reset(po); sk->sk_destruct = packet_sock_destruct; 
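Review bot: the reordering in packet_create() makes "nothing may fail after sock_init_data(sock, sk)" an invariant that the code itself never states. Add a one-line comment above the moved `err = packet_alloc_pending(po);` block saying that every fallible step has to stay ahead of sock_init_data(), otherwise a later edit can bring the dangling sock->sk back. It is also worth confirming that packet_alloc_pending() needs nothing that sock_init_data() or init_completion() sets up, since it now runs before both.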
@@ -3463,7 +3463,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, sock_prot_inuse_add(net, &packet_proto, 1); return 0; -out2: +out_sk_free: sk_free(sk); out: return err;
From: Ignat Korchagin
Subject: [PATCH net-next v3 2/9] Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()
Date: Mon, 14 Oct 2024 16:38:01 +0100
Message-Id: <20241014153808.51894-3-ignat@cloudflare.com>
In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com>
References: <20241014153808.51894-1-ignat@cloudflare.com>

bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code.

Signed-off-by: Ignat Korchagin
Reviewed-by: Kuniyuki Iwashima
Reviewed-by: Eric Dumazet
---
 net/bluetooth/l2cap_sock.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index ba437c6f6ee5..18e89e764f3b 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c
@@ -1886,6 +1886,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, chan = l2cap_chan_create(); if (!chan) { sk_free(sk); + sock->sk = NULL; return NULL; }
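Review bot: the added `sock->sk = NULL;` in l2cap_sock_alloc() dereferences sock unconditionally on the l2cap_chan_create() failure path. If any caller passes a NULL sock (the callers are not visible in this hunk), this turns an allocation failure into a NULL pointer dereference; either confirm that sock is never NULL here or guard the store with `if (sock)`.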
From: Ignat Korchagin
Subject: [PATCH net-next v3 3/9] Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()
Date: Mon, 14 Oct 2024 16:38:02 +0100
Message-Id: <20241014153808.51894-4-ignat@cloudflare.com>
In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com>
References: <20241014153808.51894-1-ignat@cloudflare.com>

bt_sock_alloc() attaches allocated sk object to the provided sock object. If rfcomm_dlc_alloc() fails, we release the sk object, but leave the dangling pointer in the sock object, which may cause use-after-free. Fix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc().

Signed-off-by: Ignat Korchagin
Reviewed-by: Kuniyuki Iwashima
Reviewed-by: Eric Dumazet
---
 net/bluetooth/rfcomm/sock.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index f48250e3f2e1..355e1a1698f5 100644
--- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c 
@@ -274,13 +274,13 @@ static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, struct rfcomm_dlc *d; struct sock *sk; - sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); - if (!sk) + d = rfcomm_dlc_alloc(prio); + if (!d) return NULL; - d = rfcomm_dlc_alloc(prio); - if (!d) { - sk_free(sk); + sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); + if (!sk) { + rfcomm_dlc_free(d); return NULL; }
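Review bot: in the new `if (!sk)` branch of rfcomm_sock_alloc(), d is released with rfcomm_dlc_free(d) straight after rfcomm_dlc_alloc(prio); please confirm that a freshly allocated dlc has no reference or timer outstanding that would call for a refcounted release instead. A short comment noting that bt_sock_alloc() must remain the last fallible call, because it attaches sk to sock, would keep a later reordering from bringing the dangling pointer back.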
From: Ignat Korchagin
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin, Vincent Mailhol
Subject: [PATCH net-next v3 4/9] net: af_can: do not leave a dangling sk pointer in can_create()
Date: Mon, 14 Oct 2024 16:38:03 +0100
Message-Id: <20241014153808.51894-5-ignat@cloudflare.com>
In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com>
References: <20241014153808.51894-1-ignat@cloudflare.com>

On error can_create() frees the allocated sk object, but sock_init_data() has already attached it to the provided sock object. This will leave a dangling sk pointer in the sock object and may cause use-after-free later.

Signed-off-by: Ignat Korchagin
Reviewed-by: Vincent Mailhol
Reviewed-by: Kuniyuki Iwashima
Reviewed-by: Marc Kleine-Budde
---
 net/can/af_can.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/can/af_can.c b/net/can/af_can.c index 707576eeeb58..01f3fbb3b67d 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c
@@ -171,6 +171,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol, /* release sk on errors */ sock_orphan(sk); sock_put(sk); + sock->sk = NULL; } errout:
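Review bot: the `/* release sk on errors */` comment in can_create() no longer covers everything the block does. Extend it to say that sock->sk is cleared because sock_init_data() has already attached sk to sock, so the reason for the extra store is visible next to sock_orphan(sk) and sock_put(sk).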
From: Ignat Korchagin
Subject: [PATCH net-next v3 5/9] net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()
Date: Mon, 14 Oct 2024 16:38:04 +0100
Message-Id: <20241014153808.51894-6-ignat@cloudflare.com>
In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com>
References: <20241014153808.51894-1-ignat@cloudflare.com>

sock_init_data() attaches the allocated sk object to the provided sock object. If ieee802154_create() fails later, the allocated sk object is freed, but the dangling pointer remains in the provided sock object, which may allow use-after-free. Clear the sk pointer in the sock object on error.

Signed-off-by: Ignat Korchagin
Reviewed-by: Miquel Raynal
Reviewed-by: Kuniyuki Iwashima
Reviewed-by: Eric Dumazet
---
 net/ieee802154/socket.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c index 990a83455dcf..18d267921bb5 100644
--- a/net/ieee802154/socket.c +++ b/net/ieee802154/socket.c 
@@ -1043,19 +1043,21 @@ static int ieee802154_create(struct net *net, struct socket *sock, if (sk->sk_prot->hash) { rc = sk->sk_prot->hash(sk); - if (rc) { - sk_common_release(sk); - goto out; - } + if (rc) + goto out_sk_release; } if (sk->sk_prot->init) { rc = sk->sk_prot->init(sk); if (rc) - sk_common_release(sk); + goto out_sk_release; } out: return rc; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; } static const struct net_proto_family ieee802154_family_ops = {
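Review bot: the new out_sk_release block in ieee802154_create() sits after `return rc;` and ends with a backward `goto out;` whose only effect is to reach that return. Ending the block with `return rc;` would read more simply, and it keeps the cleanup path from depending on whatever a later change might add under the out label.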
header.b=c3QI9aUK; arc=none smtp.client-ip=209.85.221.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="c3QI9aUK" Received: by mail-wr1-f52.google.com with SMTP id ffacd0b85a97d-37d533b5412so2047597f8f.2 for ; Mon, 14 Oct 2024 08:38:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728920314; x=1729525114; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=49ytr3oVzMOQdVnJdbtLDkZg4U2+YqG6lYXkOtuknMY=; b=c3QI9aUKu6Bi2Q+b8cXS2JW0XWkQrdIxfWRocPjUJ4ipX/DnkFkgfFSoH96GxQjskv H+s5a4sZHs/D1d604fpqEK01TyCQyKdFJfgkd5WKBzAQ4YFDKPAuRNsEujbfaEd0wOhk U2hsj7sc/AdfjvUi3lHThlaDFMkKysLdxdMTn4G92x94laSnlToVfQ6jeu7c7CEluJLR X7FY8MsnnN/Lg7qWc2A6dzJdJOp1vw6kW+mXrHEJdVrmmt/tKVS+YhzaH1YxoMHJrjNA ENQozVzUkLa+X1wb/Djdwd/P4v7UX4Lz8Znxc0zcjnVBrmGvRw90fT6hrOYEPY+RxGlk mttA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728920314; x=1729525114; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=49ytr3oVzMOQdVnJdbtLDkZg4U2+YqG6lYXkOtuknMY=; b=sMJaNNayxctC+tgmLIHmGSPwU8/SMHSeEIMuMi+mBn1z3CU2P5bE39EZKhjEhFAgvv Rx1gNaHsFk9jPtw2SPSD0OedxMkQoE9JpuHnWOGwOl0dgP1SFZ9mWt6wkz8PQ2qW5Zbg 8vm/KZniAfmljQ/RntGgXvMkmwCGXg4TaKOHj+oR64ubXJKHWKZs2ZeR1rcs6gr6Gzij GLhNO223h9TGfMMsYrl80m3VQn4m2Do8k59sDbkBpJzxgoOJBt6MIAOF2yx+xkTprzvG HPu1ml2ffMsuxmtvgg0E8PnU54YIDWiyU4ZA214MTUzYNgg8ZfqJOIS6DWQVHs+7fqlU PspQ== X-Forwarded-Encrypted: i=1; 
AJvYcCUbTbPpg1vZrLRxPtpEt4Rqf6NlFUsJspB5eDhKQy4wWzg4F407KC1sT0hGqh4dVCHvWo/Ov3Gq0KyZ@vger.kernel.org X-Gm-Message-State: AOJu0Yz5JTqnANB6lYxqdQFBbaq/PPTlSZWtllDn12oGjDcF5Kg7hPPS hHUzBvlAogpk+jifBEvpHO6uDnmTSvy6MdcZ3yi1UxIc0bsxvsybti6Ygh7QGrM= X-Google-Smtp-Source: AGHT+IEK1fXfdN4ULr/3sLohnKiPnjVrQV68cRQbTA59WSVC//oUJKPx9zNQVb7mUdYnIwSncrGyLA== X-Received: by 2002:a5d:688f:0:b0:37d:50e1:b3e1 with SMTP id ffacd0b85a97d-37d551b79c7mr8936288f8f.16.1728920313945; Mon, 14 Oct 2024 08:38:33 -0700 (PDT) Received: from localhost.localdomain ([2a09:bac5:50cb:432::6b:93]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d4b6a8940sm11725913f8f.6.2024.10.14.08.38.32 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 14 Oct 2024 08:38:33 -0700 (PDT) 
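Review bot: In the ieee802154_create() hunk above, the new out_sk_release label ends with "goto out;", a backward jump to a label whose only statement is "return rc;". Returning rc directly from out_sk_release would be simpler to follow; if the backward goto is kept for symmetry with the other ->create() implementations in the series, a short comment at the label saying that sock->sk is cleared because sk has just been released would make the intent explicit for later editors.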
From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 6/9] net: inet: do not leave a dangling sk pointer in inet_create() Date: Mon, 14 Oct 2024 16:38:05 +0100 Message-Id: <20241014153808.51894-7-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: linux-wpan@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 sock_init_data() attaches the allocated sk object to the provided sock object. If inet_create() fails later, the sk object is freed, but the sock object retains the dangling pointer, which may create use-after-free later. Clear the sk pointer in the sock object on error. Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/ipv4/af_inet.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index b24d74616637..8095e82de808 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c 
@@ -376,32 +376,30 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, inet->inet_sport = htons(inet->inet_num); /* Add to protocol hash chains. */ err = sk->sk_prot->hash(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (sk->sk_prot->init) { err = sk->sk_prot->init(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (!kern) { err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } out: return err; out_rcu_unlock: rcu_read_unlock(); goto out; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; }
From patchwork Mon Oct 14 15:38:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835292
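Review bot: The out_sk_release label added to inet_create() has no comment explaining why "sock->sk = NULL;" must follow sk_common_release(sk). The reason is only in the commit message (sock_init_data() attached sk to sock, and sk is freed here), and 9/9 removes the implicit clearing from sk_common_release(), so this assignment becomes the only thing preventing the dangling pointer. A one-line comment at the label would keep someone from dropping it as redundant or adding a new error branch that calls sk_common_release() directly.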
From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 7/9] net: inet6: do not leave a dangling sk pointer in inet6_create() Date: Mon, 14 Oct 2024 16:38:06 +0100 Message-Id: <20241014153808.51894-8-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: linux-wpan@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 sock_init_data() attaches the allocated sk pointer to the provided sock object. If inet6_create() fails later, the sk object is released, but the sock object retains the dangling sk pointer, which may cause use-after-free later. Clear the sock sk pointer on error. Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/ipv6/af_inet6.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index ba69b86f1c7d..f60ec8b0f8ea 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c 
@@ -252,31 +252,29 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, */ inet->inet_sport = htons(inet->inet_num); err = sk->sk_prot->hash(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (sk->sk_prot->init) { err = sk->sk_prot->init(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (!kern) { err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } out: return err; out_rcu_unlock: rcu_read_unlock(); goto out; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; } static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
From patchwork Mon Oct 14 15:38:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835293
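Review bot: The out_sk_release epilogue in inet6_create() is the same three statements as in the inet_create() and ieee802154_create() hunks: "sk_common_release(sk); sock->sk = NULL; goto out;". Since the release and the clear must always happen together, consider a small shared helper that takes both sock and sk, so a protocol family cannot do one without the other; if the duplication is kept, the three copies should at least carry the same comment.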
From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 8/9] net: warn, if pf->create does not clear sock->sk on error Date: Mon, 14 Oct 2024 16:38:07 +0100 Message-Id: <20241014153808.51894-9-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: linux-wpan@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 All pf->create implementations have been fixed now to clear sock->sk on error, when they deallocate the allocated sk object. Put a warning in place to make sure we don't break this promise in the future. Suggested-by: Kuniyuki Iwashima Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/socket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/socket.c b/net/socket.c index 24b404299015..9a8e4452b9b2 100644 --- a/net/socket.c +++ b/net/socket.c 
@@ -1576,9 +1576,9 @@ int __sock_create(struct net *net, int family, int type, int protocol, err = pf->create(net, sock, protocol, kern); if (err < 0) { /* ->create should release the allocated sock->sk object on error - * but it may leave the dangling pointer + * and make sure sock->sk is set to NULL to avoid use-after-free */ - sock->sk = NULL; + DEBUG_NET_WARN_ON_ONCE(sock->sk); goto out_module_put; }
From patchwork Mon Oct 14 15:38:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13835294
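Review bot: Replacing "sock->sk = NULL;" with "DEBUG_NET_WARN_ON_ONCE(sock->sk);" in __sock_create() removes the defensive clear on every build, while the check that replaces it only fires on kernels built with CONFIG_DEBUG_NET. On a production kernel without that option, a pf->create() implementation that frees sk but forgets to clear the pointer (an out-of-tree family, or a future in-tree regression) leaves sock->sk dangling with no warning and no mitigation. Consider keeping the assignment after the warning so the check documents the contract and the clear still contains the damage, or explain in the changelog why the silent case is acceptable.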
From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH net-next v3 9/9] Revert "net: do not leave a dangling sk pointer, when socket creation fails" Date: Mon, 14 Oct 2024 16:38:08 +0100 Message-Id: <20241014153808.51894-10-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241014153808.51894-1-ignat@cloudflare.com> References: <20241014153808.51894-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: linux-wpan@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This reverts commit 6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2. inet/inet6->create() implementations have been fixed to explicitly NULL the allocated sk object on error. A warning was put in place to make sure any future changes will not leave a dangling pointer in pf->create() implementations. So this code is now redundant. Suggested-by: Kuniyuki Iwashima Signed-off-by: Ignat Korchagin Reviewed-by: Kuniyuki Iwashima Reviewed-by: Eric Dumazet --- net/core/sock.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 083d438d8b6f..a9391cb796a2 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3830,9 +3830,6 @@ void sk_common_release(struct sock *sk) sk->sk_prot->unhash(sk); - if (sk->sk_socket) - sk->sk_socket->sk = NULL; - /* * In this point socket cannot receive new packets, but it is possible * that some packets are in flight because some CPU runs receiver and
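Review bot: The changelog justifies removing "if (sk->sk_socket) sk->sk_socket->sk = NULL;" from sk_common_release() by the inet/inet6 ->create() fixes only, but sk_common_release() is also the release path in the ieee802154_create() hunk earlier in this series, and after this revert every caller that frees sk on a creation error has to clear sock->sk itself. Please list in the commit message which callers of sk_common_release() were audited, so a reviewer can confirm that none still depends on the implicit clearing being removed here.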