mirror-linux/net
D. Wythe d9cef55ed4 net/smc: fix UAF on smcsk after smc_listen_out()
BPF CI testing report a UAF issue:

  [   16.446633] BUG: kernel NULL pointer dereference, address: 0000000000000030
  [   16.447134] #PF: supervisor read access in kernel mode
  [   16.447516] #PF: error_code(0x0000) - not-present page
  [   16.447878] PGD 0 P4D 0
  [   16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
  [   16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G           OE      6.13.0-rc3-g89e8a75fda73-dirty #42
  [   16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
  [   16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  [   16.450201] Workqueue: smc_hs_wq smc_listen_work
  [   16.450531] RIP: 0010:smc_listen_work+0xc02/0x1590
  [   16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 00010246
  [   16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000300
  [   16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 0000000000000000
  [   16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 0000000000000005
  [   16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa09782746400
  [   16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d40920
  [   16.454996] FS:  0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:0000000000000000
  [   16.455557] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef0
  [   16.456459] PKRU: 55555554
  [   16.456654] Call Trace:
  [   16.456832]  <TASK>
  [   16.456989]  ? __die+0x23/0x70
  [   16.457215]  ? page_fault_oops+0x180/0x4c0
  [   16.457508]  ? __lock_acquire+0x3e6/0x2490
  [   16.457801]  ? exc_page_fault+0x68/0x200
  [   16.458080]  ? asm_exc_page_fault+0x26/0x30
  [   16.458389]  ? smc_listen_work+0xc02/0x1590
  [   16.458689]  ? smc_listen_work+0xc02/0x1590
  [   16.458987]  ? lock_is_held_type+0x8f/0x100
  [   16.459284]  process_one_work+0x1ea/0x6d0
  [   16.459570]  worker_thread+0x1c3/0x380
  [   16.459839]  ? __pfx_worker_thread+0x10/0x10
  [   16.460144]  kthread+0xe0/0x110
  [   16.460372]  ? __pfx_kthread+0x10/0x10
  [   16.460640]  ret_from_fork+0x31/0x50
  [   16.460896]  ? __pfx_kthread+0x10/0x10
  [   16.461166]  ret_from_fork_asm+0x1a/0x30
  [   16.461453]  </TASK>
  [   16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE)]
  [   16.462134] CR2: 0000000000000030
  [   16.462380] ---[ end trace 0000000000000000 ]---
  [   16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590

The direct cause of this issue is that after smc_listen_out_connected(),
newclcsock->sk may be NULL since it will release the smcsk. Therefore,
if the application closes the socket immediately after accept,
newclcsock->sk can be NULL. A possible execution order could be as
follows:

smc_listen_work                                 | userspace
-----------------------------------------------------------------
lock_sock(sk)                                   |
smc_listen_out_connected()                      |
| \- smc_listen_out                             |
|    | \- release_sock                          |
     | |- sk->sk_data_ready()                   |
                                                | fd = accept();
                                                | close(fd);
                                                |  \- socket->sk = NULL;
/* newclcsock->sk is NULL now */
SMC_STAT_SERV_SUCC_INC(sock_net(newclcsock->sk))

Since smc_listen_out_connected() will not fail, simply swapping the order
of the code can easily fix this issue.

Fixes: 3b2dec2603 ("net/smc: restructure client and server code in af_smc")
Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
Reviewed-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Link: https://patch.msgid.link/20250818054618.41615-1-alibuda@linux.alibaba.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-08-19 18:27:16 -07:00
6lowpan net: replace ND_PRINTK with dynamic debug 2025-07-10 15:27:32 -07:00
9p netfs: Fix the request's work item to not require a ref 2025-05-21 14:35:20 +02:00
802 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
8021q net: s/dev_close_many/netif_close_many/ 2025-07-18 17:27:47 -07:00
appletalk Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-24 11:10:46 -07:00
atm atm: clip: Fix NULL pointer dereference in vcc_sendmsg() 2025-07-09 19:09:36 -07:00
ax25 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
batman-adv This cleanup patchset includes the following patches: 2025-07-11 17:50:27 -07:00
bluetooth Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() 2025-08-15 10:13:09 -04:00
bpf bpf: Add attach_type field to bpf_link 2025-07-11 10:51:55 -07:00
bridge net: bridge: fix soft lockup in br_multicast_query_expired() 2025-08-14 17:49:33 -07:00
caif caif: reduce stack size, again 2025-06-23 16:58:43 -07:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-06-12 10:09:10 -07:00
ceph libceph: Rename hmac_sha256() to ceph_hmac_sha256() 2025-07-04 10:18:52 -07:00
core net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM 2025-08-18 17:20:06 -07:00
dcb
devlink devlink: let driver opt out of automatic phys_port_name generation 2025-08-12 13:23:39 -07:00
dns_resolver
dsa net: s/dev_close_many/netif_close_many/ 2025-07-18 17:27:47 -07:00
ethernet
ethtool ethtool: rss: support removing contexts via Netlink 2025-07-21 18:21:19 -07:00
handshake net/handshake: Add new parameter 'HANDSHAKE_A_ACCEPT_KEYRING' 2025-07-08 15:31:44 +02:00
hsr treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
ieee802154 treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
ife
ipv4 ipsec-2025-08-11 2025-08-12 15:01:09 +02:00
ipv6 ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add 2025-08-18 17:35:50 -07:00
iucv s390/drivers: Explicitly include <linux/export.h> 2025-06-17 18:18:02 +02:00
kcm net: kcm: Fix race condition in kcm_unattach() 2025-08-13 18:18:33 -07:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-24 11:10:46 -07:00
l2tp net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
l3mdev net: fib_rules: Fix iif / oif matching on L3 master device 2025-04-15 17:54:56 -07:00
lapb treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
llc net: make sk->sk_rcvtimeo lockless 2025-06-23 17:05:12 -07:00
mac80211 wifi: mac80211: fix WARN_ON for monitor mode on some devices 2025-07-23 12:29:07 +02:00
mac802154
mctp net: mctp: Fix bad kfree_skb in bind lookup test 2025-08-13 17:07:34 -07:00
mpls net: s/dev_get_flags/netif_get_flags/ 2025-07-18 17:27:47 -07:00
mptcp mptcp: disable add_addr retransmission when timeout is 0 2025-08-18 17:39:58 -07:00
ncsi net: ncsi: Fix buffer overflow in fetching version id 2025-06-12 18:21:59 -07:00
netfilter netfilter: nf_tables: reject duplicate device on updates 2025-08-13 08:34:55 +02:00
netlabel calipso: unlock rcu before returning -EAFNOSUPPORT 2025-06-05 08:03:38 -07:00
netlink netlink: avoid infinite retry looping in netlink_unicast() 2025-07-30 19:16:49 -07:00
netrom treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-06-19 13:00:24 -07:00
nsh
openvswitch net: openvswitch: allow providing upcall pid for the 'execute' command 2025-07-07 14:30:39 -07:00
packet net/packet: fix a race in packet_set_ring() and packet_notifier() 2025-08-04 17:21:27 -07:00
phonet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-17 11:00:33 -07:00
psample
qrtr
rds don't open-code kernel_accept() in rds_tcp_accept_one() 2025-07-15 16:19:54 -07:00
rfkill
rose net: track pfmemalloc drops via SKB_DROP_REASON_PFMEMALLOC 2025-07-18 16:59:05 -07:00
rxrpc rxrpc: Fix to use conn aborts for conn-wide failures 2025-07-17 07:50:48 -07:00
sched net/sched: sch_dualpi2: Run prob update timer in softirq to avoid deadlock 2025-08-19 17:49:01 -07:00
sctp sctp: linearize cloned gso packets in sctp_rcv 2025-08-08 13:08:06 -07:00
shaper
smc net/smc: fix UAF on smcsk after smc_listen_out() 2025-08-19 18:27:16 -07:00
strparser net: make sk->sk_rcvtimeo lockless 2025-06-23 17:05:12 -07:00
sunrpc nfsd-6.17 fixes: 2025-08-11 07:38:55 -07:00
switchdev
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-10 10:10:49 -07:00
tls tls: handle data disappearing from under the TLS ULP 2025-08-12 18:59:05 -07:00
unix Networking changes for 6.17. 2025-07-30 08:58:55 -07:00
vmw_vsock vsock: Do not allow binding to VMADDR_PORT_ANY 2025-08-08 12:55:00 -07:00
wireless Another wireless update: 2025-07-24 17:25:42 -07:00
x25 net/x25: Remove unused x25_terminate_link() 2025-07-14 17:19:13 -07:00
xdp net: xsk: introduce XDP_MAX_TX_SKB_BUDGET setsockopt 2025-07-10 14:48:29 +02:00
xfrm xfrm: bring back device check in validate_xmit_xfrm 2025-08-07 08:07:01 +02:00
Kconfig net: Kconfig: add endif/endmenu comments 2025-07-22 18:17:23 -07:00
Kconfig.debug
Makefile
compat.c
devres.c
socket.c net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
sysctl_net.c