lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 19 Jul 2023 05:31:28 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Marc Kleine-Budde <mkl@...gutronix.de>
Cc: Ziyang Xuan <william.xuanziyang@...wei.com>, socketcan@...tkopp.net, 
	davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, 
	linux-can@...r.kernel.org, netdev@...r.kernel.org, 
	penguin-kernel@...ove.sakura.ne.jp
Subject: Re: [PATCH net v3] can: raw: fix receiver memory leak

On Mon, Jul 17, 2023 at 9:27 AM Marc Kleine-Budde <mkl@...gutronix.de> wrote:
>
> On 11.07.2023 09:17:37, Ziyang Xuan wrote:
> > Got kmemleak errors with the following ltp can_filter testcase:
> >
> > for ((i=1; i<=100; i++))
> > do
> >         ./can_filter &
> >         sleep 0.1
> > done
> >
> > ==============================================================
> > [<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
> > [<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
> > [<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
> > [<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
> > [<00000000fd468496>] do_syscall_64+0x33/0x40
> > [<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
> >
> > It's a bug in the concurrent scenario of unregister_netdevice_many()
> > and raw_release() as following:
> >
> >              cpu0                                        cpu1
> > unregister_netdevice_many(can_dev)
> >   unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
> >   net_set_todo(can_dev)
> >                                               raw_release(can_socket)
> >                                                 dev = dev_get_by_index(, ro->ifindex); // dev == NULL
> >                                                 if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
> >                                                   raw_disable_allfilters(, dev, );
> >                                                   dev_put(dev);
> >                                                 }
> >                                                 ...
> >                                                 ro->bound = 0;
> >                                                 ...
> >
> > call_netdevice_notifiers(NETDEV_UNREGISTER, )
> >   raw_notify(, NETDEV_UNREGISTER, )
> >     if (ro->bound) // invalid because ro->bound has been set 0
> >       raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
> >
> > Add a net_device pointer member in struct raw_sock to record bound can_dev,
> > and use rtnl_lock to serialize raw_socket members between raw_bind(), raw_release(),
> > raw_setsockopt() and raw_notify(). Use ro->dev to decide whether to free receivers in
> > dev_rcv_lists.
> >
> > Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
> > Signed-off-by: Ziyang Xuan <william.xuanziyang@...wei.com>
> > Reviewed-by: Oliver Hartkopp <socketcan@...tkopp.net>
> > Acked-by: Oliver Hartkopp <socketcan@...tkopp.net>
>
> Added to linux-can/testing.
>

This patch causes three syzbot LOCKDEP reports so far.

I suspect we need something like the following patch.

If nobody objects, I will submit this formally soon.

diff --git a/net/can/raw.c b/net/can/raw.c
index 2302e48829677334f8b2d74a479e5a9cbb5ce03c..ba6b52b1d7767fdd7b57d1b8e5519495340c572c
100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -386,9 +386,9 @@ static int raw_release(struct socket *sock)
        list_del(&ro->notifier);
        spin_unlock(&raw_notifier_lock);

+       rtnl_lock();
        lock_sock(sk);

-       rtnl_lock();
        /* remove current filters & unregister */
        if (ro->bound) {
                if (ro->dev)
@@ -405,12 +405,13 @@ static int raw_release(struct socket *sock)
        ro->dev = NULL;
        ro->count = 0;
        free_percpu(ro->uniq);
-       rtnl_unlock();

        sock_orphan(sk);
        sock->sk = NULL;

        release_sock(sk);
+       rtnl_unlock();
+
        sock_put(sk);

        return 0;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ