From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Steven Rostedt (Google)", Kuniyuki Iwashima, "David S. Miller"
Subject: [PATCH 5.18 021/231] net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer
Date: Tue, 19 Jul 2022 13:51:46 +0200
Message-Id: <20220719114715.780724059@linuxfoundation.org>
In-Reply-To: <20220719114714.247441733@linuxfoundation.org>
References: <20220719114714.247441733@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Steven Rostedt (Google)

commit 820b8963adaea34a87abbecb906d1f54c0aabfb7 upstream.

The trace event sock_exceed_buf_limit saves the prot->sysctl_mem pointer and then dereferences it in the TP_printk() portion. This is unsafe as the TP_printk() portion is executed at the time the buffer is read. That is, it can be seconds, minutes, days, months, even years later. If the proto is freed, then this dereference can also lead to a kernel crash.

Instead, save the sysctl_mem array into the ring buffer and have the TP_printk() reference that instead. This is the proper and safe way to read pointers in trace events.

Link: https://lore.kernel.org/all/20220706052130.16368-12-kuniyu@amazon.com/
Cc: stable@vger.kernel.org
Fixes: 3847ce32aea9f ("core: add tracepoints for queueing skb to rcvbuf")
Signed-off-by: Steven Rostedt (Google)
Acked-by: Kuniyuki Iwashima
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman --- include/trace/events/sock.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/include/trace/events/sock.h +++ b/include/trace/events/sock.h @@ -98,7 +98,7 @@ TRACE_EVENT(sock_exceed_buf_limit, TP_STRUCT__entry( __array(char, name, 32) - __field(long *, sysctl_mem) + __array(long, sysctl_mem, 3) __field(long, allocated) __field(int, sysctl_rmem) __field(int, rmem_alloc) @@ -110,7 +110,9 @@ TRACE_EVENT(sock_exceed_buf_limit, TP_fast_assign( strncpy(__entry->name, prot->name, 32); - __entry->sysctl_mem = prot->sysctl_mem; + __entry->sysctl_mem[0] = READ_ONCE(prot->sysctl_mem[0]); + __entry->sysctl_mem[1] = READ_ONCE(prot->sysctl_mem[1]); + __entry->sysctl_mem[2] = READ_ONCE(prot->sysctl_mem[2]); __entry->allocated = allocated; __entry->sysctl_rmem = sk_get_rmem0(sk, prot); __entry->rmem_alloc = atomic_read(&sk->sk_rmem_alloc);
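Review bot: in the TP_STRUCT__entry hunk, the length in `__array(long, sysctl_mem, 3)` is a bare literal that the TP_fast_assign hunk repeats as three separate indexed assignments, so the declaration and the copy can drift apart silently if the shape of prot->sysctl_mem ever changes; a named constant used in both places would keep them tied together. Because the field keeps its name and the patch leaves TP_printk() untouched (the diffstat's 4 insertions and 2 deletions are fully accounted for by the two hunks shown), the existing `__entry->sysctl_mem[...]` expressions in TP_printk() now index the in-record copy instead of the saved pointer, which is the intended effect; the commit message would be clearer if it said that no TP_printk() change was needed for that reason.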
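Review bot: in the TP_fast_assign hunk, the three READ_ONCE() loads are independent, so a concurrent sysctl write can leave the record holding a mix of old and new limits; that is acceptable for a trace event but deserves a comment, since READ_ONCE() here only guarantees each element is loaded once, not that the triple is a consistent snapshot. A `for` loop bounded by `ARRAY_SIZE(__entry->sysctl_mem)` would also drop the hard-coded indices 0..2 and keep the copy in step with the array declaration. The unchanged `strncpy(__entry->name, prot->name, 32)` context line above the change does not NUL-terminate when prot->name fills all 32 bytes; not this patch's problem, but worth a follow-up.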
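Added here as an illustration of the lifetime problem the commit message describes; this is a user-space C model, not code from the kernel or from the patch. It assumes a cut-down `struct proto` stand-in with only the two fields the event uses, a `READ_ONCE_LONG` macro standing in for the kernel's READ_ONCE(), a three-entry sysctl table (min, pressure, high) held in a static slot that is reused after the protocol is torn down (to model freed memory without undefined behaviour), and constructed limit values. The two record layouts mirror the before and after of the hunk: one keeps the pointer and formats through it at read time, the other copies the three values when the event fires.

```c
/* Added example (not kernel code): why a trace record must copy values
 * rather than keep a pointer when its TP_printk() runs long after the event.
 * struct proto, READ_ONCE_LONG and the limit values are constructed stand-ins. */
#include <stdio.h>
#include <string.h>

#define SYSCTL_MEM_LEN 3              /* min, pressure, high (assumption) */

struct proto {                        /* stand-in for the kernel's struct proto */
    char name[32];
    long *sysctl_mem;                 /* points into a table owned by the protocol */
};

#define READ_ONCE_LONG(x) (*(volatile long *)&(x))   /* stand-in for READ_ONCE() */

struct entry_unsafe {                 /* record layout before the fix */
    char name[32];
    long *sysctl_mem;                 /* pointer into memory the record does not own */
};

struct entry_safe {                   /* record layout after the fix */
    char name[32];
    long sysctl_mem[SYSCTL_MEM_LEN];  /* values copied into the record itself */
};

/* TP_fast_assign() analogues: run at the moment the event fires. */
static void assign_unsafe(struct entry_unsafe *e, const struct proto *p)
{
    strncpy(e->name, p->name, sizeof e->name - 1);
    e->name[sizeof e->name - 1] = '\0';
    e->sysctl_mem = p->sysctl_mem;    /* only the pointer is stored */
}

static void assign_safe(struct entry_safe *e, const struct proto *p)
{
    strncpy(e->name, p->name, sizeof e->name - 1);
    e->name[sizeof e->name - 1] = '\0';
    for (int i = 0; i < SYSCTL_MEM_LEN; i++)
        e->sysctl_mem[i] = READ_ONCE_LONG(p->sysctl_mem[i]);
}

/* TP_printk() analogues: run when the ring buffer is read, possibly much later. */
static int print_unsafe(const struct entry_unsafe *e, char *buf, size_t n)
{
    return snprintf(buf, n, "proto:%s sysctl_mem=%ld,%ld,%ld", e->name,
                    e->sysctl_mem[0], e->sysctl_mem[1], e->sysctl_mem[2]);
}

static int print_safe(const struct entry_safe *e, char *buf, size_t n)
{
    return snprintf(buf, n, "proto:%s sysctl_mem=%ld,%ld,%ld", e->name,
                    e->sysctl_mem[0], e->sysctl_mem[1], e->sysctl_mem[2]);
}

/* One slot of "module memory": the sysctl table lives here while the protocol
 * is registered and is reused by the next protocol after teardown. Reusing a
 * static slot keeps the demo free of undefined behaviour; in the kernel the
 * stale pointer would hit freed memory instead. */
static long sysctl_slot[SYSCTL_MEM_LEN];

/* Fires one event while the protocol is live, tears the protocol down, lets
 * another protocol reuse its table, then formats both records.
 * Returns 1 if the two formatted records disagree. */
int run_scenario(char *unsafe_out, size_t ulen, char *safe_out, size_t slen)
{
    struct entry_unsafe eu;
    struct entry_safe es;
    struct proto tcp = { "TCP", sysctl_slot };

    sysctl_slot[0] = 4096; sysctl_slot[1] = 5461; sysctl_slot[2] = 8192;
    assign_unsafe(&eu, &tcp);         /* event fires while TCP is registered */
    assign_safe(&es, &tcp);

    /* "Seconds, minutes, days ... later": TCP is gone and a different
     * protocol now owns the same table with different limits. */
    memset(&tcp, 0, sizeof tcp);
    sysctl_slot[0] = 512; sysctl_slot[1] = 1024; sysctl_slot[2] = 2048;

    print_unsafe(&eu, unsafe_out, ulen);   /* follows the stale pointer */
    print_safe(&es, safe_out, slen);       /* reads the copy made at event time */
    return strcmp(unsafe_out, safe_out) != 0;
}

int main(void)
{
    char u[96], s[96];
    int differ = run_scenario(u, sizeof u, s, sizeof s);

    printf("unsafe record: %s\nsafe record:   %s\nrecords %s\n", u, s,
           differ ? "differ (stale data in the unsafe record)" : "agree");
    return 0;
}
```

The unsafe record still carries the name "TCP" (copied at event time) but prints the limits of whichever protocol now owns the table, which is exactly the silent-corruption case; the crash case is the same bug with the table unmapped rather than reused.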