Date: Mon, 16 Oct 2023 11:50:15 +0200
From: Simon Horman
To: Juntong Deng
Cc: borisp@nvidia.com, john.fastabend@gmail.com, kuba@kernel.org, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+29c22ea2d6b2c5fd2eae@syzkaller.appspotmail.com
Subject: Re: [PATCH] net/tls: Fix slab-use-after-free in tls_encrypt_done
Message-ID: <20231016095015.GJ1501712@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 12, 2023 at 07:02:51PM +0800, Juntong Deng wrote:
> In the current implementation, ctx->async_wait.completion is completed
> after spin_lock_bh, which causes tls_sw_release_resources_tx to
> continue executing and return to tls_sk_proto_cleanup, then return

Hi Juntong Deng,

I'm slightly confused by "causes tls_sw_release_resources_tx to
continue executing".

What I see in tls_sw_release_resources_tx() is:

	/* Wait for any pending async encryptions to complete */
	spin_lock_bh(&ctx->encrypt_compl_lock);
	ctx->async_notify = true;
	pending = atomic_read(&ctx->encrypt_pending);
	spin_unlock_bh(&ctx->encrypt_compl_lock);

Am I wrong in thinking the above will block because (the same)
ctx->encrypt_compl_lock is held in tls_encrypt_done?

> to tls_sk_proto_close, and after that enter tls_sw_free_ctx_tx to kfree
> the entire struct tls_context (including ctx->encrypt_compl_lock).
> > Since ctx->encrypt_compl_lock has been freed, subsequent spin_unlock_bh > will result in slab-use-after-free error. Due to SMP, even using > spin_lock_bh does not prevent tls_sw_release_resources_tx from continuing > on other CPUs. After tls_sw_release_resources_tx is woken up, there is no > attempt to hold ctx->encrypt_compl_lock again, therefore everything > described above is possible. > > The fix is to put complete(&ctx->async_wait.completion) after > spin_unlock_bh, making the release after the unlock. Since complete is > only executed if pending is 0, which means this is the last record, there > is no need to worry about race condition causing duplicate completes. > > Reported-by: syzbot+29c22ea2d6b2c5fd2eae@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=29c22ea2d6b2c5fd2eae > Signed-off-by: Juntong Deng > --- > net/tls/tls_sw.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c > index 270712b8d391..7abe5a6aa989 100644 > --- a/net/tls/tls_sw.c > +++ b/net/tls/tls_sw.c > @@ -441,6 +441,7 @@ static void tls_encrypt_done(void *data, int err) > struct sk_msg *msg_en; > bool ready = false; > struct sock *sk; > + int async_notify; > int pending; > > msg_en = &rec->msg_encrypted; > @@ -482,10 +483,11 @@ static void tls_encrypt_done(void *data, int err) > > spin_lock_bh(&ctx->encrypt_compl_lock); > pending = atomic_dec_return(&ctx->encrypt_pending); > + async_notify = ctx->async_notify; > + spin_unlock_bh(&ctx->encrypt_compl_lock); > > - if (!pending && ctx->async_notify) > + if (!pending && async_notify) > complete(&ctx->async_wait.completion); > - spin_unlock_bh(&ctx->encrypt_compl_lock); > > if (!ready) > return; > -- > 2.39.2 > >
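Review bot: in the first hunk the new `int async_notify;` local is placed between `struct sock *sk;` and `int pending;`; netdev expects local declarations in reverse christmas tree order (longest line first), so it belongs above `struct sock *sk;`.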
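Review bot: in the second hunk, moving `spin_unlock_bh(&ctx->encrypt_compl_lock);` above `complete(&ctx->async_wait.completion);` does remove the unlock-after-wakeup access the commit message describes, but the trailing context (`if (!ready) return;`) shows that tls_encrypt_done() keeps running after complete() returns. Once complete() has woken tls_sw_release_resources_tx(), that side may free ctx, so any later dereference of ctx on this path is still a use-after-free. Either the commit message should explain why the code after complete() is safe, or complete() should be the last access of ctx in this function.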
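To make the ordering argument in the quoted commit message concrete, here is a small interleaving model added for this discussion; it is not code from the patch or from the kernel. It reduces tls_sw_release_resources_tx() (lock, set async_notify, read encrypt_pending, unlock, wait, kfree) and tls_encrypt_done() in both the original and the patched order to step sequences, explores every interleaving, and flags any handler access to ctx after kfree(). It assumes one record in flight at close and that crypto_wait_req() returns only once complete() has run.

```c
#include <stdbool.h>
/* spinlock, ctx->async_notify, completion, ctx freed?, UAF seen?, handler's
 * saved flag; pending count, waiter's/handler's saved counts, next step each. */
struct st { bool lock, notify, done, freed, uaf, n; int pending, p, pl, w, d; };
static void touch(struct st *s) { if (s->freed) s->uaf = true; } /* ctx deref */

/* tls_sw_release_resources_tx(): lock, set flag, read pending, unlock, wait, kfree */
static bool waiter_step(struct st *s)
{
    switch (s->w) {
    case 0: if (s->lock) return false; s->lock = true; break;  /* spin_lock_bh */
    case 1: s->notify = true; break;
    case 2: s->p = s->pending; break;
    case 3: s->lock = false; break;                             /* spin_unlock_bh */
    case 4: if (s->p && !s->done) return false; break;         /* crypto_wait_req */
    case 5: s->freed = true; break;                             /* kfree(ctx) */
    default: return false;
    }
    s->w++; return true;
}

/* tls_encrypt_done(): original order completes under the lock, then unlocks;
 * patched order unlocks first, then completes. touch() marks each ctx access. */
static bool handler_step(struct st *s, bool fixed)
{
    switch (s->d) {
    case 0: touch(s); if (s->lock) return false; s->lock = true; break;
    case 1: touch(s); s->pl = --s->pending; s->n = s->notify; break;
    case 2: touch(s); if (fixed) s->lock = false;
            else if (!s->pl && s->n) s->done = true; break;   /* complete() */
    case 3: if (!fixed) { touch(s); s->lock = false; }        /* unlock after free? */
            else if (!s->pl && s->n) { touch(s); s->done = true; } break;
    default: return false;
    }
    s->d++; return true;
}

/* Depth-first search over every interleaving; true if a UAF is reachable. */
static bool explore(struct st s, bool fixed)
{
    struct st a = s, b = s;
    return s.uaf || (waiter_step(&a) && explore(a, fixed)) ||
           (handler_step(&b, fixed) && explore(b, fixed));
}

bool uaf_reachable(bool fixed)
{
    struct st s = { .pending = 1 };  /* one encryption still in flight at close */
    return explore(s, fixed);
}
```

The model stops at the end of the second hunk, so whatever tls_encrypt_done() does after complete() returns is outside what it checks.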