From patchwork Mon Oct 7 21:34:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13825298 Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C98B718C03A for ; Mon, 7 Oct 2024 21:35:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336938; cv=none; b=sUqE+MrySQJ5QXacqZ29sThigvTA6cooHRSP+KgrO06g1ej2Y7N1RXQsLYI1YgP0yGBUacqdxHAK/iFPpVrw4UxCrgUMC22Ngj1gxUmKLgqqFim37EFON1ko6Hs7uUPYHYSN+IJ1hzW5bUcyB8+Ho/fxsxAjQZYWXYWYMXmH65Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336938; c=relaxed/simple; bh=tF3+7/64K2pNMC2yMmqB0bNnDpkF/qc4QvYqWOU0LHs=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=PtoX51Og6tWWCqtwBFMuLL9y1vST/TPHBOFr92QZarhRFXb5T1f3RovlSdpoa/zcGPhotFy8SP5KECFrAT2Xj6CUMcaWGC+LoV9KpJf7JurO8AkDi9Zk1BrsQbMTp5NmodWel2u4aaZdAe6QCJk1x4COYb9PkC+MgsCKQspkoWQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=gBg2Fv9f; arc=none smtp.client-ip=209.85.221.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="gBg2Fv9f" Received: by mail-wr1-f48.google.com with SMTP id ffacd0b85a97d-37cdbcb139cso3827681f8f.1 for ; Mon, 07 Oct 2024 
14:35:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1728336935; x=1728941735; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=OvyWYlYW9NKrX6tjwjorxSh4AbupOomnLhmwVzPjUzY=; b=gBg2Fv9fYDeUYC50Ah1y/IuP8inxo5A5v/KcTviaSFNvLolTTCWlM5HJB68gye0c1x 4jOFPRQZt8d2nO62/XgR9SnncQZlI0BeB3i21p956gRiGjtH1WqzdQAUxQbELVB4hEFe R2DLs5mTUzHu5AqurfR9YPBACBECX8QQxLijrB01TMDPfd+NTqAarSO2HgvZKYuhXad8 9ynkNC6RyuAfZ/f6kwdqo6Nt3356JDixtuCwoDEbhGVBFygrSqjwwF0mWBT/5GeTf+yj gm7CNQi7glWXVXe/xyJxp7luIyE4c796sbgJbL66eqqeYdfp2/aKFKucbbBPb8r/rE8S 686w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728336935; x=1728941735; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OvyWYlYW9NKrX6tjwjorxSh4AbupOomnLhmwVzPjUzY=; b=JhQ47F9uFlk10AZyWvYqPKNKc1CL8jdX3vRTzf5uYTFew54yw/Ptiq/M7c35NvpauV NItHaZfUXDdapNimjKibM4cMz8PRAjne2lQcKfBAs+JlC0Dw1dBvoU3dZST1TGzr40vO bUt+lHn6cBL/v+MsO2JAaBrymINOA9gwJ0wPNMvjIwFBxmZrfgQD4IGmAZj9pd6RGKc1 4YTEsMxDh/iXewKPDhRS3jqtHQCQD2V5QfdR4dNFFZrS8yy2U3ToBZPVeu0AME2XGCrb QEAGkcjb+GSgliS0iDw8bG/AhU6om7/QMSWXQsDEXv8ad2qIi5XC16yUZEbJqUKTgfZt 6LcA== X-Forwarded-Encrypted: i=1; AJvYcCWt//w83ZFFV88c3X5Lwq9ogYaPSeGA1QqbUHw0gRx0gJELNjSfFMy1lEL/ieiTFpRqtjkDy2PIkgL0@vger.kernel.org X-Gm-Message-State: AOJu0YzgdPX3uLGi93n4/DzYdiiAgDq90+wZ+xul8A7qpAX5rIw8anXN ISnIOZt+qoOBQBNCurSEJ/hg1VwImye7DhMov+AlHWRKOQWsr+hk4MloFpGb99w= X-Google-Smtp-Source: AGHT+IHLqNN1LAQf8g76woikHrigZw9N4TvlV2Fn4+zidESGtMa7IAByD8UA/IadWMwT9LMt7nSTnA== X-Received: by 2002:adf:f8d0:0:b0:374:c454:dbb3 with SMTP id ffacd0b85a97d-37d0eae49f1mr6186667f8f.55.1728336934922; Mon, 07 Oct 2024 14:35:34 -0700 (PDT) Received: from localhost.localdomain ([104.28.192.66]) by smtp.gmail.com with 
ESMTPSA id ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.32 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 07 Oct 2024 14:35:34 -0700 (PDT) 
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin, stable@vger.kernel.org
Subject: [PATCH v2 1/8] net: explicitly clear the sk pointer, when pf->create fails
Date: Mon, 7 Oct 2024 22:34:55 +0100
Message-Id: <20241007213502.28183-2-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
Precedence: bulk
X-Mailing-List: linux-wpan@vger.kernel.org
MIME-Version: 1.0

We have recently noticed the exact same KASAN splat as in commit 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket creation fails"). The problem is that commit did not fully address the problem, as some pf->create implementations do not use sk_common_release in their error paths.

For example, we can use the same reproducer as in the above commit, but changing ping to arping. arping uses an AF_PACKET socket and if packet_create fails, it will just sk_free the allocated sk object.

While we could chase all the pf->create implementations and make sure they NULL the freed sk object on error from the socket, we can't guarantee future protocols will not make the same mistake. So it is easier to just explicitly NULL the sk pointer upon return from pf->create in __sock_create. We do know that pf->create always releases the allocated sk object on error, so if the pointer is not NULL, it is definitely dangling.
Fixes: 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket creation fails") Signed-off-by: Ignat Korchagin Cc: stable@vger.kernel.org Reviewed-by: Kuniyuki Iwashima --- net/core/sock.c | 3 --- net/socket.c | 7 ++++++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 039be95c40cf..e6e04081949c 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3819,9 +3819,6 @@ void sk_common_release(struct sock *sk) sk->sk_prot->unhash(sk); - if (sk->sk_socket) - sk->sk_socket->sk = NULL; - /* * In this point socket cannot receive new packets, but it is possible * that some packets are in flight because some CPU runs receiver and diff --git a/net/socket.c b/net/socket.c index 601ad74930ef..042451f01c65 100644 --- a/net/socket.c +++ b/net/socket.c 
@@ -1574,8 +1574,13 @@ int __sock_create(struct net *net, int family, int type, int protocol, rcu_read_unlock(); err = pf->create(net, sock, protocol, kern); - if (err < 0) + if (err < 0) { + /* ->create should release the allocated sock->sk object on error + * but it may leave the dangling pointer + */ + sock->sk = NULL; goto out_module_put; + } /* * Now to bump the refcnt of the [loadable] module that owns this
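Review bot: on the net/core/sock.c hunk, dropping `if (sk->sk_socket) sk->sk_socket->sk = NULL;` from sk_common_release() removes the clearing for every caller of that function, while the replacement only covers the __sock_create() path; sk_common_release() is also the ->close handler reached from socket release, so the commit message should state why that path does not need it. As far as I can see __sock_release() already sets sock->sk = NULL right after ->release() returns, which is the justification, but it belongs in the log rather than being left for the reader to check.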
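Review bot: on the net/socket.c hunk, the unconditional `sock->sk = NULL;` under `if (err < 0)` turns a pf->create that returns an error without freeing sk from a dangling pointer into a silent leak; that is the safer failure mode, but the comment above it reads as a hope ("may leave the dangling pointer") rather than a contract. Reword it to state the rule, e.g. "pf->create must free sock->sk on error; it may leave the stale pointer behind, so drop it here", and fix the article ("a dangling pointer"). Since the log says future protocols are the concern, the same contract is worth a line where struct net_proto_family's create callback is declared.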
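To make the invariant in the commit message concrete, below is an added user-space C model; it is example code written for this page, not kernel code and not from this series. `struct socket`, `struct sock`, `sock_init_data()` and the three `*_create()` functions are hypothetical stand-ins that keep only the back-pointer bookkeeping: `sloppy_create()` behaves like the pre-fix packet_create() the message describes, `clearing_create()` like the per-protocol fixes later in this series (patches 3 and 5), `reordered_create()` like the reorderings in patches 2 and 4, and `sock_create()` models __sock_create() before (`generic_clear == 0`) and after (`generic_clear == 1`) this patch. The stale pointer is only compared with NULL, never dereferenced, so the program runs cleanly; in the kernel it is the dereference at release time that produces the KASAN splat.

```c
/* Added example, not kernel code: user-space model of the dangling sock->sk
 * pointer this series removes; every struct and function is a stand-in. */
#include <stdio.h>
#include <stdlib.h>

struct sock;
struct socket { struct sock *sk; };	/* sk: set by sock_init_data() */
struct sock { struct socket *sk_socket; void *tx_pending; };

typedef int (*create_fn)(struct socket *sock, int fail);

/* sock_init_data() stand-in: link sk and its socket both ways. */
static void sock_init_data(struct socket *sock, struct sock *sk)
{
	sk->sk_socket = sock;
	sock->sk = sk;
}

/* Pre-fix packet_create(): fails after sock_init_data() and only frees sk. */
static int sloppy_create(struct socket *sock, int fail)
{
	struct sock *sk = calloc(1, sizeof(*sk));
	if (!sk)
		return -1;
	sock_init_data(sock, sk);
	if (fail) {
		free(sk);	/* sk_free(): sock->sk now points at freed memory */
		return -1;
	}
	return 0;
}

/* l2cap_sock_alloc()/can_create() after patches 3 and 5: the protocol
 * clears the back-pointer itself when it frees sk. */
static int clearing_create(struct socket *sock, int fail)
{
	struct sock *sk = calloc(1, sizeof(*sk));
	if (!sk)
		return -1;
	sock_init_data(sock, sk);
	if (fail) {
		free(sk);
		sock->sk = NULL;
		return -1;
	}
	return 0;
}

/* packet_create()/rfcomm_sock_alloc() after patches 2 and 4: the step that
 * can fail runs before sk is attached, so there is nothing to clear. */
static int reordered_create(struct socket *sock, int fail)
{
	struct sock *sk = calloc(1, sizeof(*sk));
	if (!sk)
		return -1;
	sk->tx_pending = fail ? NULL : calloc(1, 64); /* packet_alloc_pending() */
	if (!sk->tx_pending) {
		free(sk);	/* sock->sk was never set */
		return -1;
	}
	sock_init_data(sock, sk);
	return 0;
}

/* __sock_create() stand-in.  generic_clear == 0 trusts pf->create to leave
 * sock->sk sane (before patch 1); generic_clear == 1 knows sk is always gone
 * on error, so whatever pf->create left behind is stale (after patch 1). */
static int sock_create(struct socket *sock, create_fn create, int fail,
		       int generic_clear)
{
	int err = create(sock, fail);
	if (err < 0 && generic_clear)
		sock->sk = NULL;
	return err;
}

/* Force one failed creation; return 1 if a later release path would still
 * see sock->sk set (a use-after-free in the kernel), 0 if it was cleared.
 * The stale pointer is only compared against NULL, never dereferenced. */
static int stale_sk_after_failed_create(create_fn create, int generic_clear)
{
	struct socket sock = { .sk = NULL };
	if (sock_create(&sock, create, 1, generic_clear) >= 0)
		return -1;	/* the models always fail when asked to */
	return sock.sk != NULL;
}

int main(void)
{
	printf("sloppy create, old __sock_create: stale sk = %d\n",
	       stale_sk_after_failed_create(sloppy_create, 0));
	printf("sloppy create, new __sock_create: stale sk = %d\n",
	       stale_sk_after_failed_create(sloppy_create, 1));
	printf("clearing create: %d, reordered create: %d (old __sock_create)\n",
	       stale_sk_after_failed_create(clearing_create, 0),
	       stale_sk_after_failed_create(reordered_create, 0));
	return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The combinations show the two independent defences: the protocol-side variants stop the stale pointer at its source, and the caller-side clear catches any protocol that forgets, which is why the commit message moves the fix into __sock_create().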
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 2/8] af_packet: avoid erroring out after sock_init_data() in packet_create()
Date: Mon, 7 Oct 2024 22:34:56 +0100
Message-Id: <20241007213502.28183-3-ignat@cloudflare.com>
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>

After sock_init_data() the allocated sk object is attached to the provided sock object. On error, packet_create() frees the sk object, leaving the dangling pointer in the sock object on return. Some other code may try to use this pointer and cause a use-after-free.

Suggested-by: Eric Dumazet
Signed-off-by: Ignat Korchagin --- net/packet/af_packet.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index a705ec214254..97774bd4b6cb 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3421,17 +3421,17 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, if (sock->type == SOCK_PACKET) sock->ops = &packet_ops_spkt; + po = pkt_sk(sk); + err = packet_alloc_pending(po); + if (err) + goto out_sk_free; + sock_init_data(sock, sk); - po = pkt_sk(sk); init_completion(&po->skb_completion); sk->sk_family = PF_PACKET; po->num = proto; - err = packet_alloc_pending(po); - if (err) - goto out2; - packet_cached_dev_reset(po); sk->sk_destruct = packet_sock_destruct; 
@@ -3463,7 +3463,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, sock_prot_inuse_add(net, &packet_proto, 1); return 0; -out2: +out_sk_free: sk_free(sk); out: return err;
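Review bot: on the first hunk, `po = pkt_sk(sk); err = packet_alloc_pending(po);` now runs before sock_init_data(), i.e. on an sk whose generic fields are not yet initialised; that is only safe if packet_alloc_pending() touches nothing sock_init_data() sets up, which the log should state explicitly (it allocates the per-cpu tx_ring.pending_refcnt and resets rx_ring.pending_refcnt, nothing sock-generic, but a reader should not have to verify the reorder by hand). The sk_free() reached via out_sk_free is then correct precisely because sock->sk has not been set yet; that is the point of the patch and deserves a sentence too.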
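Review bot: on the second hunk, renaming `out2` to `out_sk_free` is fine, but after the reorder that label must be reachable only from before sock_init_data(); the region between `sk->sk_destruct = packet_sock_destruct;` and the `sock_prot_inuse_add(net, &packet_proto, 1); return 0;` tail is elided here, so please confirm nothing in it still jumps to out_sk_free, otherwise the subject's "avoid erroring out after sock_init_data()" does not hold for that path.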
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 3/8] Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()
Date: Mon, 7 Oct 2024 22:34:57 +0100
Message-Id: <20241007213502.28183-4-ignat@cloudflare.com>
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>

bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error, l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create a use-after-free in other code.

Signed-off-by: Ignat Korchagin
--- net/bluetooth/l2cap_sock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c index ba437c6f6ee5..18e89e764f3b 100644 --- a/net/bluetooth/l2cap_sock.c +++ b/net/bluetooth/l2cap_sock.c
@@ -1886,6 +1886,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, chan = l2cap_chan_create(); if (!chan) { sk_free(sk); + sock->sk = NULL; return NULL; }
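Review bot: `+ sock->sk = NULL;` dereferences `sock` unconditionally, but l2cap_sock_alloc() is not only called from l2cap_sock_create(): it is also used to allocate the child socket for an incoming connection, where it is called with sock == NULL (bt_sock_alloc() and sock_init_data() accept that). On that path a failed l2cap_chan_create() would now crash on a NULL pointer instead of leaving a stale one. Guard it, `if (sock) sock->sk = NULL;`, and mention the NULL-sock caller in the log.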
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 4/8] Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()
Date: Mon, 7 Oct 2024 22:34:58 +0100
Message-Id: <20241007213502.28183-5-ignat@cloudflare.com>
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>

bt_sock_alloc() attaches the allocated sk object to the provided sock object. If rfcomm_dlc_alloc() fails, we release the sk object, but leave the dangling pointer in the sock object, which may cause a use-after-free. Fix this by swapping the calls to bt_sock_alloc() and rfcomm_dlc_alloc().

Signed-off-by: Ignat Korchagin
--- net/bluetooth/rfcomm/sock.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 37d63d768afb..0d0c4311da57 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c
@@ -274,13 +274,13 @@ static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, struct rfcomm_dlc *d; struct sock *sk; - sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); - if (!sk) + d = rfcomm_dlc_alloc(prio); + if (!d) return NULL; - d = rfcomm_dlc_alloc(prio); - if (!d) { - sk_free(sk); + sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); + if (!sk) { + rfcomm_dlc_free(d); return NULL; }
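Review bot: calling rfcomm_dlc_alloc() before bt_sock_alloc() is the right shape here, and it matters for a reason the log omits: rfcomm_sock_alloc() is also called with sock == NULL for incoming connections, so a bare `sock->sk = NULL` in the old error path would not have been safe, which is why this patch reorders instead of clearing like the L2CAP one; say so in the commit message. One thing to confirm: the new failure path releases the dlc with rfcomm_dlc_free(d) rather than dropping a reference, which is only correct because nothing between rfcomm_dlc_alloc() and the failed bt_sock_alloc() publishes d; the hunk shows that is the case, so a one-line comment at `+ rfcomm_dlc_free(d);` would keep it that way.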
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 5/8] net: af_can: do not leave a dangling sk pointer in can_create()
Date: Mon, 7 Oct 2024 22:34:59 +0100
Message-Id: <20241007213502.28183-6-ignat@cloudflare.com>
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>

On error, can_create() frees the allocated sk object, but sock_init_data() has already attached it to the provided sock object. This will leave a dangling sk pointer in the sock object and may cause a use-after-free later.

Signed-off-by: Ignat Korchagin
Reviewed-by: Vincent Mailhol
--- net/can/af_can.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/net/can/af_can.c b/net/can/af_can.c index 707576eeeb58..01f3fbb3b67d 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c 
@@ -171,6 +171,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol, /* release sk on errors */ sock_orphan(sk); sock_put(sk); + sock->sk = NULL; } errout:
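Review bot: `+ sock->sk = NULL;` after sock_orphan(sk); sock_put(sk) is correct (sock_orphan() detaches sk->sk_socket but not the reverse pointer, and sock_put() may free sk), but it duplicates what patch 1 of this series now does unconditionally in __sock_create() for every pf->create; state in the log whether this is intended as defence in depth or as a self-contained fix for stable trees, otherwise one of the two looks redundant. Minor: the `/* release sk on errors */` comment above could say "and detach it from sock".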
SMTP id ffacd0b85a97d-37d0e6bc9f8mr9021915f8f.12.1728336949047; Mon, 07 Oct 2024 14:35:49 -0700 (PDT) Received: from localhost.localdomain ([104.28.192.66]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.47 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Mon, 07 Oct 2024 14:35:48 -0700 (PDT) From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH v2 6/8] net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() Date: Mon, 7 Oct 2024 22:35:00 +0100 Message-Id: <20241007213502.28183-7-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com> References: <20241007213502.28183-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: linux-wpan@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 sock_init_data() attaches the allocated sk object to the provided sock object. If ieee802154_create() fails later, the allocated sk object is freed, but the dangling pointer remains in the provided sock object, which may allow use-after-free. Clear the sk pointer in the sock object on error. Signed-off-by: Ignat Korchagin Reviewed-by: Miquel Raynal --- net/ieee802154/socket.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c index 990a83455dcf..18d267921bb5 100644 --- a/net/ieee802154/socket.c +++ b/net/ieee802154/socket.c 
@@ -1043,19 +1043,21 @@ static int ieee802154_create(struct net *net, struct socket *sock, if (sk->sk_prot->hash) { rc = sk->sk_prot->hash(sk); - if (rc) { - sk_common_release(sk); - goto out; - } + if (rc) + goto out_sk_release; } if (sk->sk_prot->init) { rc = sk->sk_prot->init(sk); if (rc) - sk_common_release(sk); + goto out_sk_release; } out: return rc; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; } static const struct net_proto_family ieee802154_family_ops = { From patchwork Mon Oct 7 21:35:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13825304 Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 96E641DE8B6 for ; Mon, 7 Oct 2024 21:35:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.46 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336955; cv=none; b=eaMRCD5XsViV8UdneMBgwXlPRi0DXdm/WQQ9FFuxZYBA97Mf2zdkzso3k3bxEcUkjjwAWaiKGEKrIAIC8AgDwEGPpETioJVvdxfyAhV1ikNgYBSEi+7LBFIBKOdiZBYeMR364oSu+VzlEh8XiZt6FKmRZDuE5qi6fy0F+qwHLD8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336955; c=relaxed/simple; bh=TykJJMM5IzwfbahmKZJTnRFTzpHvJ80eOgoE0YjZMYM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=luFtD9UyzV5XWmC1iJ2ah4puKOzlMvQajnqb/7pYlkONlIJiwTnKNXes1vy7D1SD5dFPc0Ade9BgB4SBXNFC01BzEXCbMH2G6nkMYhv75MfjhaWlCn6SFZDfr1QXVZ7oYfaN/0wgSqV38S4iOf4deKgbdjTnY29seU9vHxJEZNg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com 
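Review bot: folding both error paths into `out_sk_release` is behaviour-preserving (the old init failure called sk_common_release(sk) and then fell through to `out: return rc;`, the old hash failure did the same via `goto out`), but nothing at the new label says why the order `sk_common_release(sk); sock->sk = NULL;` matters. Add a one-line comment above `out_sk_release:` noting that sk_common_release() may free sk, so the socket's pointer must be cleared afterwards and must not be dereferenced again; the backward `goto out` to a label that is only `return rc;` is acceptable because it matches the style already used by `out_rcu_unlock` in the inet variants of this function, but a direct `return rc;` would read more simply.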
From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH v2 7/8] net: inet: do not leave a dangling sk pointer in inet_create() Date: Mon, 7 Oct 2024 22:35:01 +0100 Message-Id: <20241007213502.28183-8-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com> References: <20241007213502.28183-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: linux-wpan@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 sock_init_data() attaches the allocated sk object to the provided sock object. If inet_create() fails later, the sk object is freed, but the sock object retains the dangling pointer, which may create use-after-free later. Clear the sk pointer in the sock object on error. Signed-off-by: Ignat Korchagin --- net/ipv4/af_inet.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index b24d74616637..8095e82de808 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c 
@@ -376,32 +376,30 @@ static int inet_create(struct net *net, struct socket *sock, int protocol, inet->inet_sport = htons(inet->inet_num); /* Add to protocol hash chains. */ err = sk->sk_prot->hash(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (sk->sk_prot->init) { err = sk->sk_prot->init(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (!kern) { err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } out: return err; out_rcu_unlock: rcu_read_unlock(); goto out; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; } From patchwork Mon Oct 7 21:35:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ignat Korchagin X-Patchwork-Id: 13825305 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 03E7A18C920 for ; Mon, 7 Oct 2024 21:35:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336959; cv=none; b=LPO6xW4a57FVLmKnfTL/ItepWlOI90ww9a7tHQuB5i9DN1138qrOiGYyAmYBzeZlRVrosKAxRNs6+WzB4ZGJUMZwSVcj8CBXJL+hqllSoJWI1Wj0eBtnyNyr5qIRo618QMcZ65Jzrui8QXRErZL/fD6y+mGL9/beXBf0jCUx4/E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336959; c=relaxed/simple; bh=B2jIOs9L3gzL5PsTv6zAjfQ7uhJ1V7bXBI/aVWUwbYc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=Fdk8Mz2c+Ha/N/cm2nZ4DgsOdO9Q5KTRp1HulujQKMjDOWEbAGKLBoYbzduN8QByYxOh1tx6HdbkrNJY/rvX99Gwjs7evd6yAPiQF9rUgfTPyhsbK0WMLN2Xf9hpIDjDEQFRWEoV0yomew5DVHv8lbH1YkbLcXU/ORNkj5542sY= 
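Review bot: the hunk routes the hash(), init() and BPF_CGROUP_RUN_PROG_INET_SOCK() failures through `out_sk_release`, yet the function keeps a separate `out_rcu_unlock` path that only does `rcu_read_unlock(); goto out;` and never touches sock->sk. Any error taken after sock_init_data() has attached sk to sock that still jumps to `out_rcu_unlock` or `out` would leave the same dangling pointer this patch is fixing; since only the tail of inet_create() is visible here, please state in the changelog (or a comment at the label) that every failure after the sk attachment now goes through `out_sk_release`.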
From: Ignat Korchagin To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz , Oliver Hartkopp , Marc Kleine-Budde , Alexander Aring , Stefan Schmidt , Miquel Raynal , David Ahern , Willem de Bruijn , linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin Subject: [PATCH v2 8/8] inet6: do not leave a dangling sk pointer in inet6_create() Date: Mon, 7 Oct 2024 22:35:02 +0100 Message-Id: <20241007213502.28183-9-ignat@cloudflare.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com> References: <20241007213502.28183-1-ignat@cloudflare.com> Precedence: bulk X-Mailing-List: linux-wpan@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 sock_init_data() attaches the allocated sk pointer to the provided sock object. If inet6_create() fails later, the sk object is released, but the sock object retains the dangling sk pointer, which may cause use-after-free later. Clear the sock sk pointer on error. Signed-off-by: Ignat Korchagin --- net/ipv6/af_inet6.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index ba69b86f1c7d..f60ec8b0f8ea 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c 
@@ -252,31 +252,29 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, */ inet->inet_sport = htons(inet->inet_num); err = sk->sk_prot->hash(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (sk->sk_prot->init) { err = sk->sk_prot->init(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (!kern) { err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } out: return err; out_rcu_unlock: rcu_read_unlock(); goto out; +out_sk_release: + sk_common_release(sk); + sock->sk = NULL; + goto out; } static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
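Review bot: the error code survives the new path: `err` is set by the failing callback before the jump, sk_common_release() returns void and cannot clobber it, and `out:` returns it unchanged, so the diffstat (10 insertions, 12 deletions) and the visible hunk are consistent. The new label is textually identical to the one added to inet_create() in net/ipv4/af_inet.c in the previous patch; mention in the changelog that the two are intended to stay in lock-step, and give both the same short comment explaining that sock->sk is cleared only after sk_common_release() because that call may free sk.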