From: Kuniyuki Iwashima
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
CC: Alexander Mikhalitsyn, Christian Brauner, Luiz Augusto von Dentz, Kuniyuki Iwashima, Kuniyuki Iwashima, , , syzkaller
Subject: [PATCH v1 net-next 1/2] af_unix: Skip SCM_PIDFD if scm->pid is NULL.
Date: Tue, 27 Jun 2023 10:43:13 -0700
Message-ID: <20230627174314.67688-2-kuniyu@amazon.com>
In-Reply-To: <20230627174314.67688-1-kuniyu@amazon.com>
References: <20230627174314.67688-1-kuniyu@amazon.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org

syzkaller hit a WARN_ON_ONCE(!scm->pid) in scm_pidfd_recv().

In unix_stream_read_generic(), if there is no skb in the queue, we could
bail out of the do-while loop without calling scm_set_cred():

  1. No skb in the queue
  2. sk is non-blocking, or shutdown(sk, RCV_SHUTDOWN) is called
     concurrently, or the peer calls close()

If the socket is configured with SO_PASSPIDFD, scm_pidfd_recv() would
populate cmsg with garbage, emitting the warning.

Let's skip SCM_PIDFD if scm->pid is NULL in scm_pidfd_recv().

Note another way would be to skip calling scm_recv() in such cases, but
this caused a regression resulting in commit 9d797ee2dce1 ("Revert
"af_unix: Call scm_recv() only after scm_set_cred()"").
WARNING: CPU: 1 PID: 3245 at include/net/scm.h:138 scm_pidfd_recv include/net/scm.h:138 [inline]
WARNING: CPU: 1 PID: 3245 at include/net/scm.h:138 scm_recv.constprop.0+0x754/0x850 include/net/scm.h:177
Modules linked in:
CPU: 1 PID: 3245 Comm: syz-executor.1 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:scm_pidfd_recv include/net/scm.h:138 [inline]
RIP: 0010:scm_recv.constprop.0+0x754/0x850 include/net/scm.h:177
Code: 67 fd e9 55 fd ff ff e8 4a 70 67 fd e9 7f fd ff ff e8 40 70 67 fd e9 3e fb ff ff e8 36 70 67 fd e9 02 fd ff ff e8 8c 3a 20 fd <0f> 0b e9 fe fb ff ff e8 50 70 67 fd e9 2e f9 ff ff e8 46 70 67 fd
RSP: 0018:ffffc90009af7660 EFLAGS: 00010216
RAX: 00000000000000a1 RBX: ffff888041e58a80 RCX: ffffc90003852000
RDX: 0000000000040000 RSI: ffffffff842675b4 RDI: 0000000000000007
RBP: ffffc90009af7810 R08: 0000000000000007 R09: 0000000000000013
R10: 00000000000000f8 R11: 0000000000000001 R12: ffffc90009af7db0
R13: 0000000000000000 R14: ffff888041e58a88 R15: 1ffff9200135eecc
FS:  00007f6b7113f640(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6b7111de38 CR3: 0000000012a6e002 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
 unix_stream_read_generic+0x5fe/0x1f50 net/unix/af_unix.c:2830
 unix_stream_recvmsg+0x194/0x1c0 net/unix/af_unix.c:2880
 sock_recvmsg_nosec net/socket.c:1019 [inline]
 sock_recvmsg+0x188/0x1d0 net/socket.c:1040
 ____sys_recvmsg+0x210/0x610 net/socket.c:2712
 ___sys_recvmsg+0xff/0x190 net/socket.c:2754
 do_recvmmsg+0x25d/0x6c0 net/socket.c:2848
 __sys_recvmmsg net/socket.c:2927 [inline]
 __do_sys_recvmmsg net/socket.c:2950 [inline]
 __se_sys_recvmmsg net/socket.c:2943 [inline]
 __x64_sys_recvmmsg+0x224/0x290 net/socket.c:2943
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f6b71da2e5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007f6b7113ecc8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007f6b71da2e5d
RDX: 0000000000000007 RSI: 0000000020006600 RDI: 000000000000000b
RBP: 00000000004bc050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000120 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f6b71e03530 R15: 0000000000000000

Fixes: 5e2ff6704a27 ("scm: add SO_PASSPIDFD and SCM_PIDFD")
Reported-by: syzkaller
Signed-off-by: Kuniyuki Iwashima
---
 include/net/scm.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/net/scm.h b/include/net/scm.h
index c67f765a165b..d456fc41b8bf 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -135,7 +135,9 @@ static __inline__ void scm_pidfd_recv(struct msghdr *msg, struct scm_cookie *scm return; } - WARN_ON_ONCE(!scm->pid); + if (!scm->pid) + return; + pidfd = pidfd_prepare(scm->pid, 0, &pidfd_file); if (put_cmsg(msg, SOL_SOCKET, SCM_PIDFD, sizeof(int), &pidfd)) {
-- 
2.30.2
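Review bot: the `if (!scm->pid) return;` that replaces `WARN_ON_ONCE(!scm->pid)` silently drops the SCM_PIDFD cmsg, and nothing in the hunk records why a NULL scm->pid is legitimate at this point; a one-line comment above the check stating the reason given in the commit message (the no-skb exit of unix_stream_read_generic() happens before scm_set_cred() runs, so SO_PASSPIDFD receivers may reach here without credentials) would stop a later reader from reinstating the warning. It is also worth spelling out in the description that returning here skips both pidfd_prepare() and put_cmsg(), so userspace sees no cmsg at all for that recvmsg() rather than a cmsg holding an unusable value, since that is the observable behaviour the fix changes.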
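The empty-queue receive path the commit message describes, exercised from userspace as an added regression check. This is example code written for this page, not part of the patch, the syzkaller reproducer or the kernel tree. It assumes a Linux host; the fallback constant values for SO_PASSPIDFD and SCM_PIDFD are the asm-generic ones and are assumptions used only when the installed headers predate the SO_PASSPIDFD series, and the function names (check_passpidfd_empty_queue, recv_with_ctl, extract_pidfd) are the example's own. The check enables SO_PASSPIDFD on one end of an AF_UNIX stream socketpair, does a non-blocking recvmsg() on the empty queue (the "no skb, sk is non-blocking" case) and requires EAGAIN with no SCM_PIDFD cmsg, then sends one byte and requires a real pidfd on the data path. The control buffer is parsed even when recvmsg() fails, because put_cmsg() writes into the user buffer directly, so a cmsg emitted on the error path is visible to the caller. On a kernel without SO_PASSPIDFD the check reports "skipped" instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Fallbacks for headers that predate SO_PASSPIDFD (assumed asm-generic
 * values; the real headers take precedence when they define them). */
#ifndef SO_PASSPIDFD
#define SO_PASSPIDFD 76
#endif
#ifndef SCM_PIDFD
#define SCM_PIDFD 0x04
#endif

/* Walk a control buffer and return the fd carried by an SCM_PIDFD cmsg,
 * or -1 when no well-formed SCM_PIDFD cmsg is present. */
static int extract_pidfd(struct msghdr *msg)
{
    struct cmsghdr *cmsg;

    for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_PIDFD &&
            cmsg->cmsg_len == CMSG_LEN(sizeof(int))) {
            int fd;
            memcpy(&fd, CMSG_DATA(cmsg), sizeof(fd));
            return fd;
        }
    }
    return -1;
}

/* One non-blocking recvmsg() with a zeroed control buffer. Returns the
 * syscall result; *pidfd receives the parsed SCM_PIDFD value or -1. The
 * buffer is parsed even on failure: put_cmsg() writes straight into the
 * user buffer, so a cmsg emitted on the error path would show up here. */
static ssize_t recv_with_ctl(int fd, int *pidfd)
{
    char data[1];
    char ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = data, .iov_len = sizeof(data) };
    struct msghdr msg = {
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = ctl, .msg_controllen = sizeof(ctl),
    };
    ssize_t n;

    memset(ctl, 0, sizeof(ctl));
    n = recvmsg(fd, &msg, MSG_DONTWAIT);
    *pidfd = extract_pidfd(&msg);
    return n;
}

/* Returns 0 when both checks pass, 1 when the environment cannot exercise
 * the path (socketpair or SO_PASSPIDFD unavailable, checks skipped), and
 * -1 when the kernel emits a cmsg on the empty-queue path or withholds
 * the pidfd on the data path. */
int check_passpidfd_empty_queue(void)
{
    int sv[2], on = 1, pidfd, rc = 1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 1;
    if (setsockopt(sv[0], SOL_SOCKET, SO_PASSPIDFD, &on, sizeof(on)) < 0)
        goto out;               /* kernel without SO_PASSPIDFD: skip */

    rc = -1;
    /* 1. Empty queue, non-blocking read: the case from the commit message.
     *    Expect EAGAIN and no SCM_PIDFD cmsg at all. */
    if (recv_with_ctl(sv[0], &pidfd) != -1 || errno != EAGAIN || pidfd != -1)
        goto out;

    /* 2. Data path: the sender's pidfd must be attached as a cmsg. */
    if (write(sv[1], "x", 1) != 1)
        goto out;
    if (recv_with_ctl(sv[0], &pidfd) != 1 || pidfd < 0)
        goto out;
    close(pidfd);               /* a real fd was installed for us */
    rc = 0;
out:
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    int rc = check_passpidfd_empty_queue();

    printf("SO_PASSPIDFD empty-queue check: %s\n",
           rc == 0 ? "ok" : rc == 1 ? "skipped" : "FAILED");
    return rc == -1;
}
```

Running it on a kernel with the fix prints "ok"; a kernel with SO_PASSPIDFD but without this change leaves an SCM_PIDFD cmsg in the buffer on the EAGAIN path, which extract_pidfd() reports as a value other than -1 and the check flags as "FAILED".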