lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANn89iK9oc20Jdi_41jb9URdF210r7d1Y-+uypbMSbOfY6jqrg@mail.gmail.com>
Date:   Tue, 7 Feb 2023 20:25:19 +0100
From:   Eric Dumazet <edumazet@...gle.com>
To:     Kuniyuki Iwashima <kuniyu@...zon.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Matthieu Baerts <matthieu.baerts@...sares.net>,
        Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org,
        syzbot <syzkaller@...glegroups.com>,
        Christoph Paasch <christophpaasch@...oud.com>
Subject: Re: [PATCH v1 net] net: Remove WARN_ON_ONCE(sk->sk_forward_alloc)
 from sk_stream_kill_queues().

On Tue, Feb 7, 2023 at 7:37 PM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
>
> In commit b5fc29233d28 ("inet6: Remove inet6_destroy_sock() in
> sk->sk_prot->destroy()."), we delay freeing some IPv6 resources
> from sk->destroy() to sk->sk_destruct().
>
> Christoph Paasch reported the commit started triggering
> WARN_ON_ONCE(sk->sk_forward_alloc) in sk_stream_kill_queues()
> (See [0 - 2]).
>
> For example, if inet6_sk(sk)->rxopt is not zero by setting
> IPV6_RECVPKTINFO or its friends, tcp_v6_do_rcv() clones a skb
> and calls skb_set_owner_r(), which charges it to sk.

skb_set_owner_r() in this place seems wrong.
This could lead to a negative sk->sk_forward_alloc
(because we have not sk_rmem_schedule() it ?)

Do you have a repro ?

 The skb
> has not been uncharged in inet_csk_destroy_sock(), thus, calling
> sk_stream_kill_queues() there triggers the WARN_ON_ONCE().
>
> The same check has been in inet_sock_destruct() from at least
> v2.6.  Since only CAIF is not calling inet_sock_destruct() among
> the users of sk_stream_kill_queues(), we remove the WARN_ON_ONCE()
> from sk_stream_kill_queues() and add it to caif_sock_destructor().
>
> [0]: https://lore.kernel.org/netdev/39725AB4-88F1-41B3-B07F-949C5CAEFF4F@icloud.com/
> [1]: https://github.com/multipath-tcp/mptcp_net-next/issues/341
> [2]:
> WARNING: CPU: 0 PID: 3232 at net/core/stream.c:212 sk_stream_kill_queues+0x2f9/0x3e0
> Modules linked in:
> CPU: 0 PID: 3232 Comm: syz-executor.0 Not tainted 6.2.0-rc5ab24eb4698afbe147b424149c529e2a43ec24eb5 #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> RIP: 0010:sk_stream_kill_queues+0x2f9/0x3e0
> Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ec 00 00 00 8b ab 08 01 00 00 e9 60 ff ff ff e8 d0 5f b6 fe 0f 0b eb 97 e8 c7 5f b6 fe <0f> 0b eb a0 e8 be 5f b6 fe 0f 0b e9 6a fe ff ff e8 02 07 e3 fe e9
> RSP: 0018:ffff88810570fc68 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: ffff888101f38f40 RSI: ffffffff8285e529 RDI: 0000000000000005
> RBP: 0000000000000ce0 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000000000ce0 R11: 0000000000000001 R12: ffff8881009e9488
> R13: ffffffff84af2cc0 R14: 0000000000000000 R15: ffff8881009e9458
> FS:  00007f7fdfbd5800(0000) GS:ffff88811b600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b32923000 CR3: 00000001062fc006 CR4: 0000000000170ef0
> Call Trace:
>  <TASK>
>  inet_csk_destroy_sock+0x1a1/0x320
>  __tcp_close+0xab6/0xe90
>  tcp_close+0x30/0xc0
>  inet_release+0xe9/0x1f0
>  inet6_release+0x4c/0x70
>  __sock_release+0xd2/0x280
>  sock_close+0x15/0x20
>  __fput+0x252/0xa20
>  task_work_run+0x169/0x250
>  exit_to_user_mode_prepare+0x113/0x120
>  syscall_exit_to_user_mode+0x1d/0x40
>  do_syscall_64+0x48/0x90
>  entry_SYSCALL_64_after_hwframe+0x72/0xdc
> RIP: 0033:0x7f7fdf7ae28d
> Code: c1 20 00 00 75 10 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fb ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 37 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
> RSP: 002b:00000000007dfbb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
> RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f7fdf7ae28d
> RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003
> RBP: 0000000000000000 R08: 000000007f338e0f R09: 0000000000000e0f
> R10: 000000007f338e13 R11: 0000000000000293 R12: 00007f7fdefff000
> R13: 00007f7fdefffcd8 R14: 00007f7fdefffce0 R15: 00007f7fdefffcd8
>  </TASK>
>
> Fixes: b5fc29233d28 ("inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Reported-by: Christoph Paasch <christophpaasch@...oud.com>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
> ---
>  net/caif/caif_socket.c | 1 +
>  net/core/stream.c      | 1 -
>  2 files changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
> index 748be7253248..78c9729a6057 100644
> --- a/net/caif/caif_socket.c
> +++ b/net/caif/caif_socket.c
> @@ -1015,6 +1015,7 @@ static void caif_sock_destructor(struct sock *sk)
>                 return;
>         }
>         sk_stream_kill_queues(&cf_sk->sk);
> +       WARN_ON_ONCE(sk->sk_forward_alloc);
>         caif_free_client(&cf_sk->layer);
>  }
>
> diff --git a/net/core/stream.c b/net/core/stream.c
> index cd06750dd329..434446ab14c5 100644
> --- a/net/core/stream.c
> +++ b/net/core/stream.c
> @@ -209,7 +209,6 @@ void sk_stream_kill_queues(struct sock *sk)
>         sk_mem_reclaim_final(sk);
>
>         WARN_ON_ONCE(sk->sk_wmem_queued);
> -       WARN_ON_ONCE(sk->sk_forward_alloc);
>
>         /* It is _impossible_ for the backlog to contain anything
>          * when we get here.  All user references to this socket
> --
> 2.30.2
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ