Received: by 2002:ac0:950c:0:0:0:0:0 with SMTP id f12csp2304054imc; Tue, 12 Mar 2019 11:00:22 -0700 (PDT) X-Google-Smtp-Source: APXvYqx9sLo8P0LIO/tIggruQE2PszHWpPa6v3fJJXwH1/e+wltJu6a5DUYPwp4wf1rL8kPmx8zn X-Received: by 2002:a17:902:ea06:: with SMTP id cu6mr25683264plb.187.1552413622844; Tue, 12 Mar 2019 11:00:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552413622; cv=none; d=google.com; s=arc-20160816; b=WhgSk4OxdyMdM9frdB97b1l1OGZFBc4iA3ckLOv1wXLmwQ+8WB2RTQc2NaqJuAYSo4 yDGkbgHL+rYMYShpwishIWdcVoCaMs30wAKEcFgbzT57D8USznrOKZp5EkyKe8hd/V3s 50RbbFPfBhwjEpc+mL1wQvQR6X3dgIhjqIoYH0HfB6te4wMyDhih4wWFNyWXqvA8Ogwc APpz/AgRfr43euvJxWkVYcl8uvgQpcyhBoc/ohusnahZS56VUIc/nJ841+TwyjCNRDsU 11rV/zSwi2AKgDVdbR6xvvmTCM5K0wbT5VkKj1HEaMsefw1u4VPg5sEbwrchTB2/GCv2 vQoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=4OkuTnnQ36cIn9pZFCRsDAb8lw53zyCDfANkPZh8d7w=; b=npySVnV8EOFzm/vyDjy1kYp5Mi4Fz8TkYAVCuaNF9kg9s7eUECdqb46grfPTY7w+nJ I2EycJDjjRaWJS4QC6UQg/ZyZwYyyLg3sPHUv5W+Jl/ALEdbX7KxCuSBoFaQBP1e+QzG w64kskOfbX0cQx5J2FSARlgQ4KHJa+RNMdF1/G8O0ukSEcxMLTvadpZduAEV47a4h8Lv x93ttSytS5IJbepZcKykgUOhWXdjWBDNpq+v5Duw5nfaNGDDKngI0Jf+JbJZTpb4IwNh RS0eS/DynCY68CcGtcLHxgdWpP2OEFBGjrcHfxE6F12xEIMgvlsYC8jpH/d3a+Y6XUkH XgeA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=OAun8yGK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l7si7920935pgp.513.2019.03.12.11.00.06; Tue, 12 Mar 2019 11:00:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=OAun8yGK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728781AbfCLR72 (ORCPT + 99 others); Tue, 12 Mar 2019 13:59:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:50668 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727961AbfCLRNd (ORCPT ); Tue, 12 Mar 2019 13:13:33 -0400 Received: from localhost (unknown [104.133.8.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6192B2087C; Tue, 12 Mar 2019 17:13:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1552410811; bh=ro9cEYAGLr0Sa9QLR8AYpVlHxpZq8aRB5g06Hc6whwg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OAun8yGKmwGCXewJyqyD7dnTGEc3xNhRK8v7QQe3Q6TssuL4D6TqfVABo6LabtEL2 12LjSoxTSRD+u7myZalHJWPPbEKgHPyy7T0HHYUohmmhtBrM5X8T2/0G5b1K1vWwgd GMLJbdzeI43sN/wKkj0wP9IRylXg2/kT8BF8L938= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Marek Majkowski , Jakub Sitnicki , Song Liu , Daniel Borkmann Subject: [PATCH 4.20 163/171] sk_msg: Always cancel strp work before freeing the psock Date: Tue, 12 Mar 2019 10:09:03 -0700 Message-Id: <20190312170401.422407341@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190312170347.868927101@linuxfoundation.org> References: <20190312170347.868927101@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jakub Sitnicki commit 1d79895aef18fa05789995d86d523c9b2ee58a02 upstream. Despite having stopped the parser, we still need to deinitialize it by calling strp_done so that it cancels its work. Otherwise the worker thread can run after we have freed the parser, and attempt to access its workqueue resulting in a use-after-free: ================================================================== BUG: KASAN: use-after-free in pwq_activate_delayed_work+0x1b/0x1d0 Read of size 8 at addr ffff888069975240 by task kworker/u2:2/93 CPU: 0 PID: 93 Comm: kworker/u2:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014 Workqueue: (null) (kstrp) Call Trace: print_address_description+0x6e/0x2b0 ? pwq_activate_delayed_work+0x1b/0x1d0 kasan_report+0xfd/0x177 ? pwq_activate_delayed_work+0x1b/0x1d0 ? pwq_activate_delayed_work+0x1b/0x1d0 pwq_activate_delayed_work+0x1b/0x1d0 ? process_one_work+0x4aa/0x660 pwq_dec_nr_in_flight+0x9b/0x100 worker_thread+0x82/0x680 ? process_one_work+0x660/0x660 kthread+0x1b9/0x1e0 ? __kthread_create_on_node+0x250/0x250 ret_from_fork+0x1f/0x30 Allocated by task 111: sk_psock_init+0x3c/0x1b0 sock_map_link.isra.2+0x103/0x4b0 sock_map_update_common+0x94/0x270 sock_map_update_elem+0x145/0x160 __se_sys_bpf+0x152e/0x1e10 do_syscall_64+0xb2/0x3e0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 112: kfree+0x7f/0x140 process_one_work+0x40b/0x660 worker_thread+0x82/0x680 kthread+0x1b9/0x1e0 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff888069975180 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 192 bytes inside of 512-byte region [ffff888069975180, ffff888069975380) The buggy address belongs to the page: page:ffffea0001a65d00 count:1 mapcount:0 mapping:ffff88806d401280 index:0x0 compound_mapcount: 0 flags: 0x4000000000010200(slab|head) raw: 4000000000010200 dead000000000100 dead000000000200 ffff88806d401280 raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888069975100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888069975180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888069975200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888069975280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888069975300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Reported-by: Marek Majkowski Signed-off-by: Jakub Sitnicki Link: https://lore.kernel.org/netdev/CAJPywTLwgXNEZ2dZVoa=udiZmtrWJ0q5SuBW64aYs0Y1khXX3A@mail.gmail.com Acked-by: Song Liu Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman --- net/core/skmsg.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/net/core/skmsg.c +++ b/net/core/skmsg.c @@ -545,8 +545,7 @@ static void sk_psock_destroy_deferred(st struct sk_psock *psock = container_of(gc, struct sk_psock, gc); /* No sk_callback_lock since already detached. */ - if (psock->parser.enabled) - strp_done(&psock->parser.strp); + strp_done(&psock->parser.strp); cancel_work_sync(&psock->work);