From patchwork Fri Aug 10 18:14:56 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wei Wang X-Patchwork-Id: 956441 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.b="bdOvLCv5"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 41nCw23PNLz9ryt for ; Sat, 11 Aug 2018 04:15:14 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729689AbeHJUqI (ORCPT ); Fri, 10 Aug 2018 16:46:08 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:36101 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727545AbeHJUqI (ORCPT ); Fri, 10 Aug 2018 16:46:08 -0400 Received: by mail-pf1-f195.google.com with SMTP id b11-v6so4894762pfo.3 for ; Fri, 10 Aug 2018 11:15:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=m7hJiXriMJsGokvlzG3N6HxR80Xl9kGOlwf4ZqXDmOY=; b=bdOvLCv5ydyNanGSOtuH7MJl9317N5gZb9/JB1Q/nEapmh7rNIl+8goNm1hGXofN66 QEbKNuvPzSGwg6qETTi598xmh4ENS2Thb/6UN7fCZ7pWmZD29/eLNYiWTe1W31jTk+xR GcSv2rtx8HfwqOIA8YUEvR78LpUdiVIjIgj47JD5FYGVDW+/O6CX7zTo8Exg9nMTvmKx uFcj+gQYKQM8YoeheXlIGs/D5jo9BTmjd/9r09T63tjLk2Ud/7WFa1yI9kTS56GyuD/U 77GYTcIRIDPHZgZO/dEp/AtSIrwQevKVEkxc4rYOeckrw0R0XzmibkUCiflA/cD2Dgmc TjOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=m7hJiXriMJsGokvlzG3N6HxR80Xl9kGOlwf4ZqXDmOY=; b=uf2dEOHfPZn7AI71LhZw+k6AWOj4XFDeQTAdFRkCzjNpribNqqIFCmMka49P1yV3e0 JBQqlN5HlWAaf/Dyu5z5ZqZ7EBT4BwwpjI9IA+m62aRl195/SzWY3Ct0PkNUf8F5VY6A /uJy4aJTX/m1Iw4OFkmrbXp7cHXoF/3pwspB2vw3sFsQECbpVeHtVsm1zTAu+OSKador tghPcZ+8j6/P5MpzprfkTnq7P067IK+r2hPo8tXuNzQvoCOSJkQ+XPwv1gMHV4lkgBty FqjVczOLwifxEPP7+vSr55h5Yhd20RIYQxL5u78W01aBM9IEvAEsBNX9VaRNdhhYxqqD IS/A== X-Gm-Message-State: AOUpUlGu5xHPoo8CG4WyEM0lrPwb5cIXBU2SNfIbE4ukcMpfjVUKcEXw 9DfVIL/d0wiTROKKtLLHQzNplA== X-Google-Smtp-Source: AA+uWPzMPAn0dv05jQT54mBWqG4ouguBDveAMpn5xTjZ34zrxhpbgul4P8Wvs6EdBGezN7cWWvwZ/Q== X-Received: by 2002:a62:4255:: with SMTP id p82-v6mr8204161pfa.238.1533924910762; Fri, 10 Aug 2018 11:15:10 -0700 (PDT) Received: from localhost ([2620:15c:2c4:201:9310:64cb:677b:dcba]) by smtp.gmail.com with ESMTPSA id q78-v6sm17642797pfi.185.2018.08.10.11.15.10 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 10 Aug 2018 11:15:10 -0700 (PDT) From: Wei Wang X-Google-Original-From: Wei Wang To: David Miller , netdev@vger.kernel.org Cc: Martin KaFai Lau , Wei Wang , Guillaume Nault , David Ahern , Cong Wang Subject: [PATCH net v2] l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Date: Fri, 10 Aug 2018 11:14:56 -0700 Message-Id: <20180810181456.76250-1-tracywwnj@gmail.com> X-Mailer: git-send-email 2.18.0.597.ga71716f1ad-goog MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Wei Wang In l2tp code, if it is a L2TP_UDP_ENCAP tunnel, tunnel->sk points to a UDP socket. User could call sendmsg() on both this tunnel and the UDP socket itself concurrently. As l2tp_xmit_skb() holds socket lock and call __sk_dst_check() to refresh sk->sk_dst_cache, while udpv6_sendmsg() is lockless and call sk_dst_check() to refresh sk->sk_dst_cache, there could be a race and cause the dst cache to be freed multiple times. So we fix l2tp side code to always call sk_dst_check() to garantee xchg() is called when refreshing sk->sk_dst_cache to avoid race conditions. Syzkaller reported stack trace: BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] BUG: KASAN: use-after-free in atomic_fetch_add_unless include/linux/atomic.h:575 [inline] BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:597 [inline] BUG: KASAN: use-after-free in dst_hold_safe include/net/dst.h:308 [inline] BUG: KASAN: use-after-free in ip6_hold_safe+0xe6/0x670 net/ipv6/route.c:1029 Read of size 4 at addr ffff8801aea9a880 by task syz-executor129/4829 CPU: 0 PID: 4829 Comm: syz-executor129 Not tainted 4.18.0-rc7-next-20180802+ #30 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] atomic_fetch_add_unless include/linux/atomic.h:575 [inline] atomic_add_unless include/linux/atomic.h:597 [inline] dst_hold_safe include/net/dst.h:308 [inline] ip6_hold_safe+0xe6/0x670 net/ipv6/route.c:1029 rt6_get_pcpu_route net/ipv6/route.c:1249 [inline] ip6_pol_route+0x354/0xd20 net/ipv6/route.c:1922 ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2098 fib6_rule_lookup+0x283/0x890 net/ipv6/fib6_rules.c:122 ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2126 ip6_dst_lookup_tail+0x1278/0x1da0 net/ipv6/ip6_output.c:978 ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1079 ip6_sk_dst_lookup_flow+0x5ed/0xc50 net/ipv6/ip6_output.c:1117 udpv6_sendmsg+0x2163/0x36b0 net/ipv6/udp.c:1354 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:632 ___sys_sendmsg+0x51d/0x930 net/socket.c:2115 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2210 __do_sys_sendmmsg net/socket.c:2239 [inline] __se_sys_sendmmsg net/socket.c:2236 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x446a29 Code: e8 ac b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f4de5532db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 0000000000446a29 RDX: 00000000000000b8 RSI: 0000000020001b00 RDI: 0000000000000003 RBP: 00000000006dcc30 R08: 00007f4de5533700 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c R13: 00007ffe2b830fdf R14: 00007f4de55339c0 R15: 0000000000000001 Fixes: 71b1391a4128 ("l2tp: ensure sk->dst is still valid") Reported-by: syzbot+05f840f3b04f211bad55@syzkaller.appspotmail.com Signed-off-by: Wei Wang Signed-off-by: Martin KaFai Lau Cc: Guillaume Nault Cc: David Ahern Cc: Cong Wang --- v1->v2: Removed dst_clone() as Guillaume Nault suggested net/l2tp/l2tp_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 40261cb68e83..8aaf8157da2b 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -1110,7 +1110,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len /* Get routing info from the tunnel socket */ skb_dst_drop(skb); - skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0))); + skb_dst_set(skb, sk_dst_check(sk, 0)); inet = inet_sk(sk); fl = &inet->cork.fl;