Commit 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap")
introduced a bug for af_unix SEQPACKET type. In unix_shutdown, the
unhash function will call prot->unhash(), which is NULL for SEQPACKET.
And kernel will panic. On ARM32, it will show following messages: (it
likely affects x86 too).
Fix the bug by checking the sk->type first.
Kernel log:
<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address
00000000
pgd = 2fba1ffb
*pgd=00000000
Internal error: Oops: 80000005 [#1] PREEMPT SMP THUMB2
Modules linked in:
CPU: 1 PID: 1999 Comm: falkon Tainted: G W
5.14.0-rc5-01175-g94531cfcbe79-dirty #9240
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
PC is at 0x0
LR is at unix_shutdown+0x81/0x1a8
pc : [<00000000>] lr : [<c08f3311>] psr: 600f0013
sp : e45aff70 ip : e463a3c0 fp : beb54f04
r10: 00000125 r9 : e45ae000 r8 : c4a56664
r7 : 00000001 r6 : c4a56464 r5 : 00000001 r4 : c4a56400
r3 : 00000000 r2 : c5a6b180 r1 : 00000000 r0 : c4a56400
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 50c5387d Table: 05aa804a DAC: 00000051
Register r0 information: slab PING start c4a56400 pointer offset 0
Register r1 information: NULL pointer
Register r2 information: slab task_struct start c5a6b180 pointer offset 0
Register r3 information: NULL pointer
Register r4 information: slab PING start c4a56400 pointer offset 0
Register r5 information: non-paged memory
Register r6 information: slab PING start c4a56400 pointer offset 100
Register r7 information: non-paged memory
Register r8 information: slab PING start c4a56400 pointer offset 612
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-paged memory
Register r11 information: non-paged memory
Register r12 information: slab filp start e463a3c0 pointer offset 0
Process falkon (pid: 1999, stack limit = 0x9ec48895)
Stack: (0xe45aff70 to 0xe45b0000)
ff60: e45ae000 c5f26a00 00000000 00000125
ff80: c0100264 c07f7fa3 beb54f04 fffffff7 00000001 e6f3fc0e b5e5e9ec beb54ec4
ffa0: b5da0ccc c010024b b5e5e9ec beb54ec4 0000000f 00000000 00000000 beb54ebc
ffc0: b5e5e9ec beb54ec4 b5da0ccc 00000125 beb54f58 00785238 beb5529c beb54f04
ffe0: b5da1e24 beb54eac b301385c b62b6ee8 600f0030 0000000f 00000000 00000000
[<c08f3311>] (unix_shutdown) from [<c07f7fa3>] (__sys_shutdown+0x2f/0x50)
[<c07f7fa3>] (__sys_shutdown) from [<c010024b>]
(__sys_trace_return+0x1/0x16)
Exception stack(0xe45affa8 to 0xe45afff0)
Signed-off-by: Jiang Wang <[email protected]>
Reported-by: Dmitry Osipenko <[email protected]>
Tested-by: Dmitry Osipenko <[email protected]>
---
net/unix/af_unix.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 443c49081636..6965bc578a80 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2847,7 +2847,8 @@ static int unix_shutdown(struct socket *sock, int mode)
int peer_mode = 0;
const struct proto *prot = READ_ONCE(other->sk_prot);
- prot->unhash(other);
+ if (sk->sk_type == SOCK_STREAM)
+ prot->unhash(other);
if (mode&RCV_SHUTDOWN)
peer_mode |= SEND_SHUTDOWN;
if (mode&SEND_SHUTDOWN)
--
2.20.1
From: Jiang Wang <[email protected]>
Date: Sat, 21 Aug 2021 03:50:44 +0000
> Commit 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap")
> introduced a bug for af_unix SEQPACKET type. In unix_shutdown, the
> unhash function will call prot->unhash(), which is NULL for SEQPACKET.
> And kernel will panic. On ARM32, it will show following messages: (it
> likely affects x86 too).
>
> Fix the bug by checking the sk->type first.
>
> Kernel log:
> <--- cut here ---
> Unable to handle kernel NULL pointer dereference at virtual address
> 00000000
> pgd = 2fba1ffb
> *pgd=00000000
> Internal error: Oops: 80000005 [#1] PREEMPT SMP THUMB2
> Modules linked in:
> CPU: 1 PID: 1999 Comm: falkon Tainted: G W
> 5.14.0-rc5-01175-g94531cfcbe79-dirty #9240
> Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
> PC is at 0x0
> LR is at unix_shutdown+0x81/0x1a8
> pc : [<00000000>] lr : [<c08f3311>] psr: 600f0013
> sp : e45aff70 ip : e463a3c0 fp : beb54f04
> r10: 00000125 r9 : e45ae000 r8 : c4a56664
> r7 : 00000001 r6 : c4a56464 r5 : 00000001 r4 : c4a56400
> r3 : 00000000 r2 : c5a6b180 r1 : 00000000 r0 : c4a56400
> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> Control: 50c5387d Table: 05aa804a DAC: 00000051
> Register r0 information: slab PING start c4a56400 pointer offset 0
> Register r1 information: NULL pointer
> Register r2 information: slab task_struct start c5a6b180 pointer offset 0
> Register r3 information: NULL pointer
> Register r4 information: slab PING start c4a56400 pointer offset 0
> Register r5 information: non-paged memory
> Register r6 information: slab PING start c4a56400 pointer offset 100
> Register r7 information: non-paged memory
> Register r8 information: slab PING start c4a56400 pointer offset 612
> Register r9 information: non-slab/vmalloc memory
> Register r10 information: non-paged memory
> Register r11 information: non-paged memory
> Register r12 information: slab filp start e463a3c0 pointer offset 0
> Process falkon (pid: 1999, stack limit = 0x9ec48895)
> Stack: (0xe45aff70 to 0xe45b0000)
> ff60: e45ae000 c5f26a00 00000000 00000125
> ff80: c0100264 c07f7fa3 beb54f04 fffffff7 00000001 e6f3fc0e b5e5e9ec beb54ec4
> ffa0: b5da0ccc c010024b b5e5e9ec beb54ec4 0000000f 00000000 00000000 beb54ebc
> ffc0: b5e5e9ec beb54ec4 b5da0ccc 00000125 beb54f58 00785238 beb5529c beb54f04
> ffe0: b5da1e24 beb54eac b301385c b62b6ee8 600f0030 0000000f 00000000 00000000
> [<c08f3311>] (unix_shutdown) from [<c07f7fa3>] (__sys_shutdown+0x2f/0x50)
> [<c07f7fa3>] (__sys_shutdown) from [<c010024b>]
> (__sys_trace_return+0x1/0x16)
> Exception stack(0xe45affa8 to 0xe45afff0)
>
> Signed-off-by: Jiang Wang <[email protected]>
> Reported-by: Dmitry Osipenko <[email protected]>
> Tested-by: Dmitry Osipenko <[email protected]>
Fixes: 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap")
And the commit is not in net-next yet, so is this patch for bpf-next?
> ---
> net/unix/af_unix.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index 443c49081636..6965bc578a80 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -2847,7 +2847,8 @@ static int unix_shutdown(struct socket *sock, int mode)
> int peer_mode = 0;
> const struct proto *prot = READ_ONCE(other->sk_prot);
>
> - prot->unhash(other);
> + if (sk->sk_type == SOCK_STREAM)
if (prot->unhash)
is more straight?
> + prot->unhash(other);
> if (mode&RCV_SHUTDOWN)
> peer_mode |= SEND_SHUTDOWN;
> if (mode&SEND_SHUTDOWN)
> --
> 2.20.1