From: Vladislav Efanov
To: Willem de Bruijn
Cc: Vladislav Efanov, "David S. Miller", David Ahern, Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect
Date: Fri, 26 May 2023 18:08:06 +0300
Message-Id: <20230526150806.1457828-1-VEfanov@ispras.ru>

Syzkaller got the following report:

BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018
Read of size 8 at addr ffff888027f82780 by task syz-executor276/3255

The function sk_setup_caps (called by ip6_sk_dst_store_flow->
ip6_dst_store) referenced already freed memory, as this memory was
freed by a parallel task in udpv6_sendmsg->ip6_sk_dst_lookup_flow->
sk_dst_check.

  task1 (connect)                task2 (udp6_sendmsg)
  sk_setup_caps->sk_dst_set      |
                                 |  sk_dst_check->
                                 |    sk_dst_set
                                 |      dst_release
  sk_setup_caps references       |
  to already freed dst_entry     |

The reason for this race condition is: udp6_sendmsg() calls
ip6_sk_dst_lookup() without a lock on the sock structure and tries to
allocate/add a dst_entry structure to the sock structure in parallel
with the "connect" task.

Found by Linux Verification Center (linuxtesting.org) with syzkaller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Vladislav Efanov
---
 net/ipv6/udp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index e5a337e6b970..a5ecd5d93b0a 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1563,12 +1563,15 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *m= sg, size_t len) =20 fl6->flowlabel =3D ip6_make_flowinfo(ipc6.tclass, fl6->flowlabel); =20 + lock_sock(sk); dst =3D ip6_sk_dst_lookup_flow(sk, fl6, final_p, connected); if (IS_ERR(dst)) { err =3D PTR_ERR(dst); dst =3D NULL; + release_sock(sk); goto out; } + release_sock(sk); =20 if (ipc6.hlimit < 0) ipc6.hlimit =3D ip6_sk_dst_hoplimit(np, fl6, dst); --=20 2.34.1
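Review bot: the lock_sock()/release_sock() pair added around ip6_sk_dst_lookup_flow() in udpv6_sendmsg() puts a sleeping socket lock on every datagram send, including the unconnected path, even though the race in the description only involves the cached socket dst that is consulted when `connected` is set; consider limiting the lock to the connected case, or serializing the sk_dst_set()/dst_release() swap of the cached dst itself rather than the whole lookup, since the UDP send path is deliberately lockless. The `release_sock(sk); goto out;` on the IS_ERR(dst) branch keeps the lock balanced, but because the lock is dropped right after the lookup the fix relies on the returned dst holding its own reference for the rest of the function, and that reasoning belongs in the commit message; the Fixes: tag pointing at the initial git import also gives stable maintainers nothing to work with.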