From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Oleksij Rempel, Oliver Hartkopp, Marc Kleine-Budde, Sasha Levin
Subject: [PATCH 4.19 018/101] can: can_create_echo_skb(): fix echo skb generation: always use skb_clone()
Date: Tue, 17 Nov 2020 14:04:45 +0100
Message-Id: <20201117122113.977504749@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201117122113.128215851@linuxfoundation.org>
References: <20201117122113.128215851@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Oleksij Rempel

[ Upstream commit 286228d382ba6320f04fa2e7c6fc8d4d92e428f4 ]

All user space generated SKBs are owned by a socket (unless injected into the kernel via AF_PACKET). If a socket is closed, all associated skbs will be cleaned up.

This leads to a problem when a CAN driver calls can_put_echo_skb() on an unshared SKB. If the socket is closed prior to the TX complete handler, can_get_echo_skb() and the subsequent delivering of the echo SKB to all registered callbacks, a SKB with a refcount of 0 is delivered.

To avoid the problem, in can_get_echo_skb() the original SKB is now always cloned, regardless of shared SKB or not. If the process exits it can now safely discard its SKBs, without disturbing the delivery of the echo SKB.

The problem shows up in the j1939 stack, when it clones the incoming skb, which detects the already 0 refcount.

We can easily reproduce this with following example:

testj1939 -B -r can0: &
cansend can0 1823ff40#0123

WARNING: CPU: 0 PID: 293 at lib/refcount.c:25 refcount_warn_saturate+0x108/0x174
refcount_t: addition on 0; use-after-free.
Modules linked in: coda_vpu imx_vdoa videobuf2_vmalloc dw_hdmi_ahb_audio vcan
CPU: 0 PID: 293 Comm: cansend Not tainted 5.5.0-rc6-00376-g9e20dcb7040d #1
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Backtrace:
[] (dump_backtrace) from [] (show_stack+0x20/0x24)
[] (show_stack) from [] (dump_stack+0x8c/0xa0)
[] (dump_stack) from [] (__warn+0xe0/0x108)
[] (__warn) from [] (warn_slowpath_fmt+0xa8/0xcc)
[] (warn_slowpath_fmt) from [] (refcount_warn_saturate+0x108/0x174)
[] (refcount_warn_saturate) from [] (j1939_can_recv+0x20c/0x210)
[] (j1939_can_recv) from [] (can_rcv_filter+0xb4/0x268)
[] (can_rcv_filter) from [] (can_receive+0xb0/0xe4)
[] (can_receive) from [] (can_rcv+0x48/0x98)
[] (can_rcv) from [] (__netif_receive_skb_one_core+0x64/0x88)
[] (__netif_receive_skb_one_core) from [] (__netif_receive_skb+0x38/0x94)
[] (__netif_receive_skb) from [] (netif_receive_skb_internal+0x64/0xf8)
[] (netif_receive_skb_internal) from [] (netif_receive_skb+0x34/0x19c)
[] (netif_receive_skb) from [] (can_rx_offload_napi_poll+0x58/0xb4)

Fixes: 0ae89beb283a ("can: add destructor for self generated skbs")
Signed-off-by: Oleksij Rempel
Link: http://lore.kernel.org/r/20200124132656.22156-1-o.rempel@pengutronix.de
Acked-by: Oliver Hartkopp
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Sasha Levin
---
 include/linux/can/skb.h | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/include/linux/can/skb.h b/include/linux/can/skb.h
index b3379a97245c1..a34694e675c9a 100644
--- a/include/linux/can/skb.h
+++ b/include/linux/can/skb.h
@@ -61,21 +61,17 @@ static inline void can_skb_set_owner(struct sk_buff *skb, struct sock *sk) */ static inline struct sk_buff *can_create_echo_skb(struct sk_buff *skb) { - if (skb_shared(skb)) { - struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); + struct sk_buff *nskb; - if (likely(nskb)) { - can_skb_set_owner(nskb, skb->sk); - consume_skb(skb); - return nskb; - } else { - kfree_skb(skb); - return NULL; - } + nskb = skb_clone(skb, GFP_ATOMIC); + if (unlikely(!nskb)) { + kfree_skb(skb); + return NULL; } - /* we can assume to have an unshared skb with proper owner */ - return skb; + can_skb_set_owner(nskb, skb->sk); + consume_skb(skb); + return nskb; } #endif /* !_CAN_SKB_H */ -- 2.27.0
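Review bot: The changelog and the hunk disagree on where the fix lives: the text says the SKB "is now always cloned" in can_get_echo_skb(), but the only function modified is can_create_echo_skb(), the helper that runs on the can_put_echo_skb() side; the changelog should name the function it actually changes so a later reader searching for the unconditional clone finds it. Second, the hunk deletes the comment "/* we can assume to have an unshared skb with proper owner */" without replacing it, yet that assumption is precisely what this patch declares unsafe; a short comment above `nskb = skb_clone(skb, GFP_ATOMIC);` saying that the original skb's lifetime belongs to the sending socket and may end before TX completion, so the echo path must hold its own clone even when skb_shared() is false, would stop the skb_shared() fast path from being reintroduced as an optimisation, which is a real temptation now that every transmitted frame pays for an skb_clone(). Finally, the order in the new tail, `can_skb_set_owner(nskb, skb->sk);` before `consume_skb(skb);`, must stay as written, since the owner is read from the skb that the next line releases; a one-line comment on that dependency is cheap insurance.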