From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin, stable@vger.kernel.org
Subject: [PATCH v2 1/8] net: explicitly clear the sk pointer, when pf->create fails
Date: Mon, 7 Oct 2024 22:34:55 +0100
Message-Id: <20241007213502.28183-2-ignat@cloudflare.com>
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
X-Mailing-List: linux-kernel@vger.kernel.org

We have recently noticed the exact same KASAN splat as in commit 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket creation fails"). The problem is that commit did not fully address the problem, as some pf->create implementations do not use sk_common_release in their error paths.

For example, we can use the same reproducer as in the above commit, but changing ping to arping. arping uses an AF_PACKET socket and if packet_create fails, it will just sk_free the allocated sk object.

While we could chase all the pf->create implementations and make sure they NULL the freed sk object on error from the socket, we can't guarantee future protocols will not make the same mistake. So it is easier to just explicitly NULL the sk pointer upon return from pf->create in __sock_create.
We do know that pf->create always releases the allocated sk object on error, so if the pointer is not NULL, it is definitely dangling. Fixes: 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket = creation fails") Signed-off-by: Ignat Korchagin Cc: stable@vger.kernel.org Reviewed-by: Kuniyuki Iwashima --- net/core/sock.c | 3 --- net/socket.c | 7 ++++++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 039be95c40cf..e6e04081949c 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3819,9 +3819,6 @@ void sk_common_release(struct sock *sk) =20 sk->sk_prot->unhash(sk); =20 - if (sk->sk_socket) - sk->sk_socket->sk =3D NULL; - /* * In this point socket cannot receive new packets, but it is possible * that some packets are in flight because some CPU runs receiver and diff --git a/net/socket.c b/net/socket.c index 601ad74930ef..042451f01c65 100644 --- a/net/socket.c +++ b/net/socket.c 
@@ -1574,8 +1574,13 @@ int __sock_create(struct net *net, int family, int t= ype, int protocol, rcu_read_unlock(); =20 err =3D pf->create(net, sock, protocol, kern); - if (err < 0) + if (err < 0) { + /* ->create should release the allocated sock->sk object on error + * but it may leave the dangling pointer + */ + sock->sk =3D NULL; goto out_module_put; + } =20 /* * Now to bump the refcnt of the [loadable] module that owns this --=20 2.39.5 From nobody Wed Nov 27 21:30:19 2024 Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B84A818CBE3 for ; Mon, 7 Oct 2024 21:35:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336942; cv=none; b=qQXBrUyhmWWO6E7G3K8tdIaCBbOaiSAsKJkIuFtBALYuVMiaGkDjwIqsQWhLYNepRDqki9FMxeyz92sXUdDFFUimz2bCvRaXIjBu1udHGi7KH4GGK5r1zbNNiSKFI0DBKxvmxlJpeWhJbQ96KfL1PhavkGxiJAjLugW1QXSj7s8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336942; c=relaxed/simple; bh=RcIs+XM/c9JJbPNWfZbV/Z6TaGGOUNRFsh8gxXUISQs=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=gvQ+YAYzZ8aQoKABn+TBcZ3v8i6wE8jS/e/iD/Ke7tsr1K1rTk6hTHKl+bE3Y2Kg75x6HRcDU6vH1QsXN6kJjhdGENkazK6x4zXczeoXxaEjOJiGmOj1MmrYxUG18/vmRg2WIJN1cH6X3Sm2QuNYgn8NaSi5myZf0ZPgACzoff0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=gNJI+tRX; arc=none smtp.client-ip=209.85.128.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
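Review bot: the net/core/sock.c hunk drops the `sk->sk_socket->sk = NULL` that sk_common_release() used to perform, but the commit message only argues that __sock_create() now covers the pf->create failure path; if sk_common_release() is also reached from other paths (a protocol's close handler, for instance) whose caller does not clear sock->sk itself, that line was doing real work there and its removal needs its own justification in the message. In the net/socket.c hunk, the new comment could state the invariant plainly ("->create has released sk by the time it returns an error, so the pointer is always stale here") so that a future reader does not mistake the unconditional `sock->sk = NULL` for leaking a live sk.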
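The failure sequence this commit message describes, modelled in userspace as an added example that is not kernel code and not part of the patch: a toy socket/sock pair, a create callback that frees sk after sock_init_data() has attached it, an allocator stand-in that poisons freed objects the way KASAN would, and __sock_create() with and without the `sock->sk = NULL` from this hunk. All struct and function names are userspace stand-ins for their kernel namesakes.

```c
/* Userspace model of the dangling sock->sk pointer fixed by this patch.
 * Added example, not kernel code: the struct and function names are
 * stand-ins for their kernel namesakes and carry only what is needed to
 * show the failure sequence. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct sock;
struct socket { struct sock *sk; };                    /* the BSD-level socket */
struct sock { struct socket *sk_socket; bool freed; }; /* the protocol sock  */

static struct sock *sk_alloc(void)
{
	return calloc(1, sizeof(struct sock));
}

/* Stand-in for the allocator under KASAN: the object is poisoned rather
 * than handed back, so a later access is detectable instead of being
 * silent memory corruption. It is deliberately never free()d. */
static void sk_free(struct sock *sk)
{
	sk->freed = true;
}

/* Links the two objects in both directions, as the kernel helper does. */
static void sock_init_data(struct socket *sock, struct sock *sk)
{
	sock->sk = sk;
	sk->sk_socket = sock;
}

/* A pf->create that fails *after* sock_init_data() and only sk_free()s:
 * the af_packet/L2CAP/CAN/ieee802154 pattern this series chases. */
static int proto_create(struct socket *sock)
{
	struct sock *sk = sk_alloc();

	if (!sk)
		return -1;
	sock_init_data(sock, sk);
	/* ... a later per-protocol allocation fails here ... */
	sk_free(sk);              /* sk released, sock->sk left pointing at it */
	return -1;
}

/* __sock_create() before this patch: trusts pf->create to clean up. */
static int sock_create_buggy(struct socket *sock)
{
	sock->sk = NULL;
	return proto_create(sock);
}

/* __sock_create() with this patch: clears sock->sk whenever create fails,
 * because pf->create has released sk by then and the pointer is dangling. */
static int sock_create_fixed(struct socket *sock)
{
	int err;

	sock->sk = NULL;
	err = proto_create(sock);
	if (err < 0)
		sock->sk = NULL;
	return err;
}

/* Later teardown that follows sock->sk, as the release path does.
 * Returns 1 when it would have touched a freed sk (the KASAN report in
 * the commit message), 0 when the pointer is NULL or live. */
static int sock_release(struct socket *sock)
{
	struct sock *sk = sock->sk;

	if (!sk)
		return 0;
	if (sk->freed)
		return 1;
	sk->sk_socket = NULL;
	sock->sk = NULL;
	return 0;
}

/* Runs create -> failure -> release with the chosen __sock_create variant. */
static int uaf_on_release(int (*create)(struct socket *))
{
	struct socket sock = { NULL };

	if (create(&sock) == 0)
		return -1;        /* the model create always fails */
	return sock_release(&sock);
}

int main(void)
{
	printf("without fix: use-after-free on release = %d\n",
	       uaf_on_release(sock_create_buggy));   /* 1 */
	printf("with fix:    use-after-free on release = %d\n",
	       uaf_on_release(sock_create_fixed));   /* 0 */
	return 0;
}
```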
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 2/8] af_packet: avoid erroring out after sock_init_data() in packet_create()
Date: Mon, 7 Oct 2024 22:34:56 +0100
Message-Id: <20241007213502.28183-3-ignat@cloudflare.com>
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
X-Mailing-List: linux-kernel@vger.kernel.org

After sock_init_data() the allocated sk object is attached to the provided sock object. On error, packet_create() frees the sk object, leaving the dangling pointer in the sock object on return. Some other code may try to use this pointer and cause a use-after-free.

Suggested-by: Eric Dumazet
Signed-off-by: Ignat Korchagin
---
 net/packet/af_packet.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index a705ec214254..97774bd4b6cb 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3421,17 +3421,17 @@ static int packet_create(struct net *net, struct so= cket *sock, int protocol, if (sock->type =3D=3D SOCK_PACKET) sock->ops =3D &packet_ops_spkt; =20 + po =3D pkt_sk(sk); + err =3D packet_alloc_pending(po); + if (err) + goto out_sk_free; + sock_init_data(sock, sk); =20 - po =3D pkt_sk(sk); init_completion(&po->skb_completion); sk->sk_family =3D PF_PACKET; po->num =3D proto; =20 - err =3D packet_alloc_pending(po); - if (err) - goto out2; - packet_cached_dev_reset(po); =20 sk->sk_destruct =3D packet_sock_destruct; 
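Review bot: moving `po = pkt_sk(sk); err = packet_alloc_pending(po);` ahead of sock_init_data() is only correct if packet_alloc_pending() touches nothing that sock_init_data() initialises; the hunk shows it operating on po alone, but that should be confirmed against the callee and stated in the commit message, since the block now runs on a sock that is not yet linked to its socket. It would also help to say in the message that this was the last error exit after sock_init_data() in packet_create(), because the fix relies on no other such exit remaining between sock_init_data() and the `return 0`.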
@@ -3463,7 +3463,7 @@ static int packet_create(struct net *net, struct sock= et *sock, int protocol, sock_prot_inuse_add(net, &packet_proto, 1); =20 return 0; -out2: +out_sk_free: sk_free(sk); out: return err; --=20 2.39.5 From nobody Wed Nov 27 21:30:19 2024 Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com [209.85.221.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0821218E342 for ; Mon, 7 Oct 2024 21:35:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336945; cv=none; b=Lb3BGTYp+F8iUEvadqod48b+oEydprtF1vrgQO0aZW2gmBzUj8WD+DaPNTxnESaRIBVaemApMurIij+y9A+EBTh/6NUzIGChtTutJTfeWcolsblKztYZdpOvSpioimM4HYxeCt/wKzdOnZ3kpMbkDLGw1pKYDvykIt8Rgzi0mV8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336945; c=relaxed/simple; bh=Za6d2/ag0cx5W3bmCrv67Ur4+k+VPgr8uvsyupNoJnM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=DSbhbphDl40s6+5fSGvsN49Nm/LPvm51gzDMHKTK7NPSyox82DVTmLcZmKKh6oj7Vjxj20BGCKqdljzoGC3vFwApF6gPmCm+sYqGeBq8Q7CoUtRyQ07lLo7sbGw+c+Fu9wtd50Cd0h4UV8aml1iU+P6zXRI6DMh/V4R318Noyxc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=Iz9zRhD6; arc=none smtp.client-ip=209.85.221.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="Iz9zRhD6" Received: by mail-wr1-f42.google.com with SMTP id 
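Review bot: `out_sk_free` is a clearer name than `out2`, but with the only `goto out_sk_free` now placed before sock_init_data(), the label must never be reached once sk has been attached to the socket; a one-line comment above the label noting that sk is not yet attached to sock at this point would make the invariant this patch depends on explicit and discourage a future error path after sock_init_data() from jumping here.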
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 3/8] Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()
Date: Mon, 7 Oct 2024 22:34:57 +0100
Message-Id: <20241007213502.28183-4-ignat@cloudflare.com>
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
X-Mailing-List: linux-kernel@vger.kernel.org

bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create a use-after-free in other code.

Signed-off-by: Ignat Korchagin
---
 net/bluetooth/l2cap_sock.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ba437c6f6ee5..18e89e764f3b 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1886,6 +1886,7 @@ static struct sock *l2cap_sock_alloc(struct net *net,= struct socket *sock, chan =3D l2cap_chan_create(); if (!chan) { sk_free(sk); + sock->sk =3D NULL; return NULL; } =20 --=20 2.39.5 From nobody Wed Nov 27 21:30:19 2024 Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 10E88190693 for ; Mon, 7 Oct 2024 21:35:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336947; cv=none; b=Nl1+UfgU5F/KJp1+pgeCnwDAlqhrhBAWt5qHBPCQx/IKHZvksMEHKwU4keiIhCWflb4VRdd/gROZxggqT2jIjNrHQbZV4Z7l2pGktYt+G3eQ/VxmzIcmI1QvnFV6frku2rUiBWafDXTeU0CUbDVwFriI981MGKUfxfu/tkSeJLk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336947; c=relaxed/simple; bh=+sATRWeawQEUv1+UCi+L6joXgd2sN0KH+RYIISQm3Ag=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=WZmA31t2j3tex+U4/TGwwJ52VBeS/MYMBTvqVv30TYlI1cJE4KxHpluaHh/Ce+BIbdpBKkwjBWDPX7b+omwnTp8t18lZlKTUs61OGEFv1jChPiaRkwO4QK6xgu+ezBdBRODyNqYKUl7Mh9etUfVMYptow/YBKZl36sNicvfExik= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=KBDTEout; arc=none smtp.client-ip=209.85.221.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="KBDTEout" Received: by mail-wr1-f52.google.com with SMTP id 
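Review bot: the new `sock->sk = NULL;` dereferences the `sock` argument of l2cap_sock_alloc() unconditionally, while the commit subject only names the l2cap_sock_create() caller; if l2cap_sock_alloc() can also be called with a NULL socket (for example for a child sock created on an incoming connection, before any struct socket exists for it), this line turns the l2cap_chan_create() failure path into a NULL pointer dereference. Guard it with `if (sock) sock->sk = NULL;` or move the clearing into l2cap_sock_create(), the caller the subject refers to.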
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 4/8] Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()
Date: Mon, 7 Oct 2024 22:34:58 +0100
Message-Id: <20241007213502.28183-5-ignat@cloudflare.com>
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
X-Mailing-List: linux-kernel@vger.kernel.org

bt_sock_alloc() attaches the allocated sk object to the provided sock object. If rfcomm_dlc_alloc() fails, we release the sk object, but leave the dangling pointer in the sock object, which may cause a use-after-free. Fix this by swapping the calls to bt_sock_alloc() and rfcomm_dlc_alloc().

Signed-off-by: Ignat Korchagin
---
 net/bluetooth/rfcomm/sock.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 37d63d768afb..0d0c4311da57 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -274,13 +274,13 @@ static struct sock *rfcomm_sock_alloc(struct net *net= , struct socket *sock, struct rfcomm_dlc *d; struct sock *sk; =20 - sk =3D bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); - if (!sk) + d =3D rfcomm_dlc_alloc(prio); + if (!d) return NULL; =20 - d =3D rfcomm_dlc_alloc(prio); - if (!d) { - sk_free(sk); + sk =3D bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern); + if (!sk) { + rfcomm_dlc_free(d); return NULL; } =20 --=20 2.39.5 From nobody Wed Nov 27 21:30:19 2024 Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E5D218C901 for ; Mon, 7 Oct 2024 21:35:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336950; cv=none; b=m0KjMI2TjXO8px17FABrcqj4Ova955hHQaeh2Xs/Z8R+IqXwbTdXsDTyY6UCEZ5is2RLL5y5853NrmUvqqKAnstJcbsDwmodes7/eH2o1m7eadPQ2LcZ+sivTVQdjG753r63vSOZfPb9VYgseu4qENLiQLHl9muCjV6gDKf4fGk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336950; c=relaxed/simple; bh=q1wcm6mMQ7h4EZDUMr6oUmN6x8BUBq/PxsPoaXApW48=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=O+VY5Ex/3xzJT2pVR42ivM6Yl0QOEP1mlVtpUBiJZL3axIGQjLdoQ7225E5c0pjlv8ArZs2sKnCbm4w63JfnZf+sPXztzMYxWVUdRPCGlYJNAZ3qNLH16MbAs3zISaoU7bkIeCqcaNYLMKJW1fy07rwBxkpz40/vsc95nYQWklE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=V0dg1jn+; arc=none smtp.client-ip=209.85.128.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: 
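Review bot: after the swap, a failed bt_sock_alloc() is cleaned up with `rfcomm_dlc_free(d)`; confirm that rfcomm_dlc_free() is the correct inverse for a dlc that was only allocated and never attached to a session or handed to any other user (that is, it does not expect the reference drop or session detach of a normal teardown), and say so in the commit message, since the hunk introduces that call as the new error path rather than reusing one that already existed in this function.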
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 5/8] net: af_can: do not leave a dangling sk pointer in can_create()
Date: Mon, 7 Oct 2024 22:34:59 +0100
Message-Id: <20241007213502.28183-6-ignat@cloudflare.com>
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On error can_create() frees the allocated sk object, but sock_init_data() has already attached it to the provided sock object. This will leave a dangling sk pointer in the sock object and may cause a use-after-free later.

Signed-off-by: Ignat Korchagin
Reviewed-by: Vincent Mailhol
---
 net/can/af_can.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 707576eeeb58..01f3fbb3b67d 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -171,6 +171,7 @@ static int can_create(struct net *net, struct socket *s= ock, int protocol, /* release sk on errors */ sock_orphan(sk); sock_put(sk); + sock->sk =3D NULL; } =20 errout: --=20 2.39.5 From nobody Wed Nov 27 21:30:19 2024 Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AD9CB1991C3 for ; Mon, 7 Oct 2024 21:35:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336953; cv=none; b=gF5n6FHRMAJ+M12zNsHz0efSM5b9h4PC2yrD1jADXM5RVjr/qYCe/0quhBVxf3Est0y0WKDSqilm3vkVH9L4kaQ1q9VpRa/7Om3XGTPrxewrj77qcsHQPBwTzDJw2XNrhuxDK8hVuCacZodcXi2X+WIdmnSDzCASEFLsWaUo+hM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336953; c=relaxed/simple; bh=CZ5nZ72LPsUscQ/XLvrhFET6jRbMhyKZW1WicnfpLPA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=Wk11wakCB7HWXZE8/hPenWZwSv7T1M+VqqtK5lRV0gx4S6wbLdat7L9PmE4groj0LDDt/IQOfOZdLL6YTNnZUSQFd1huLLA6NlrIeSF2fIXzq/+wUjjmAQh0WeMtnjOc2zx/5M8OmiJ1KVMIp1Y1Mz66Yq5hys39UMFTuCY7Bsg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=XbgRrvyu; arc=none smtp.client-ip=209.85.128.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="XbgRrvyu" Received: by mail-wm1-f54.google.com with SMTP id 
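Review bot: the added `sock->sk = NULL;` is needed because sock_orphan(sk) breaks only the sk->sk_socket side of the pairing and sock_put(sk) then drops the reference, leaving sock->sk pointing at the released object; the existing comment `/* release sk on errors */` could be extended to say that the socket side is cleared here as well, since a reader may assume sock_orphan() already did that.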
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 6/8] net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()
Date: Mon, 7 Oct 2024 22:35:00 +0100
Message-Id: <20241007213502.28183-7-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>

sock_init_data() attaches the allocated sk object to the provided sock object. If ieee802154_create() fails later, the allocated sk object is freed, but the dangling pointer remains in the provided sock object, which may allow use-after-free. Clear the sk pointer in the sock object on error.

Signed-off-by: Ignat Korchagin
Reviewed-by: Miquel Raynal
---
 net/ieee802154/socket.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index 990a83455dcf..18d267921bb5 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -1043,19 +1043,21 @@ static int ieee802154_create(struct net *net, struc= t socket *sock, =20 if (sk->sk_prot->hash) { rc =3D sk->sk_prot->hash(sk); - if (rc) { - sk_common_release(sk); - goto out; - } + if (rc) + goto out_sk_release; } =20 if (sk->sk_prot->init) { rc =3D sk->sk_prot->init(sk); if (rc) - sk_common_release(sk); + goto out_sk_release; } out: return rc; +out_sk_release: + sk_common_release(sk); + sock->sk =3D NULL; + goto out; } =20 static const struct net_proto_family ieee802154_family_ops =3D { --=20 2.39.5 From nobody Wed Nov 27 21:30:19 2024 Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6AD7D28EA for ; Mon, 7 Oct 2024 21:35:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336959; cv=none; b=K3GTGwCKjwbH38BfQvwDD0MQKPQfgPIiyN+wxfpwRZfboXFzb86XiWzODhSUpJdVWQpXy8vYyCMLwwoqFyvFAetIIdHIM2+vPUD4+gJ8zH2Vp2gWlqLX+jcnlj1JpyycL/T5rfACRSgeM1I9tDSzeRDVPedZrqc7AHpw6nhpj9A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336959; c=relaxed/simple; bh=TykJJMM5IzwfbahmKZJTnRFTzpHvJ80eOgoE0YjZMYM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=bRf0GpK28YhbeaFGMJWpTTcuyosa6rtNPGIh9cF3lmHYlr9xIur0Cr3O5P00ATlY2lRj3XnQ6oxC4ODdLOjUQOgvB0vX6fjxj+it5u/i6ZTHZPNKU1HN76BzmxBL0t9IhdwXntn/+NwVcmD+AyUGAtVTXVnukvMlNUF/abWsiXc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=PRLGd+iU; arc=none smtp.client-ip=209.85.128.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) 
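Review bot: the init-failure branch in this hunk used to call `sk_common_release(sk);` and fall through to `out:`, while the hash-failure branch did the same plus `goto out;`; both now jump to `out_sk_release`, so the `sock->sk = NULL` clear covers both failures, which is what the commit message asks for. The new label has no comment explaining that `sk_common_release(sk)` drops sk but leaves `sock->sk` set; a one-liner such as `/* sk_common_release() frees sk but does not clear sock->sk */` above the label would stop a future cleanup from dropping the store as redundant.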
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 7/8] net: inet: do not leave a dangling sk pointer in inet_create()
Date: Mon, 7 Oct 2024 22:35:01 +0100
Message-Id: <20241007213502.28183-8-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>

sock_init_data() attaches the allocated sk object to the provided sock object. If inet_create() fails later, the sk object is freed, but the sock object retains the dangling pointer, which may create use-after-free later. Clear the sk pointer in the sock object on error.

Signed-off-by: Ignat Korchagin
---
 net/ipv4/af_inet.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index b24d74616637..8095e82de808 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -376,32 +376,30 @@ static int inet_create(struct net *net, struct socket= *sock, int protocol, inet->inet_sport =3D htons(inet->inet_num); /* Add to protocol hash chains. */ err =3D sk->sk_prot->hash(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } =20 if (sk->sk_prot->init) { err =3D sk->sk_prot->init(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } =20 if (!kern) { err =3D BPF_CGROUP_RUN_PROG_INET_SOCK(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } out: return err; out_rcu_unlock: rcu_read_unlock(); goto out; +out_sk_release: + sk_common_release(sk); + sock->sk =3D NULL; + goto out; } =20 =20 --=20 2.39.5 From nobody Wed Nov 27 21:30:19 2024 Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 03FEF1DED72 for ; Mon, 7 Oct 2024 21:35:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336959; cv=none; b=TjOQquiNo61kRqSXg9X+KEJy1cBts14c9SC/JtrYxLJXf6X/v2oxrEvvnuX/FNZi0Vo/Sm4Vbwlv5JYOoZpkt4dth0kgRHtZ+tu9MclOW+EqSJf5WmC2OnnXML7tktgXGQ3uZQ1IVYHAWAKFPKP2jpzoKK8CntZpxYNeARfhGxE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728336959; c=relaxed/simple; bh=B2jIOs9L3gzL5PsTv6zAjfQ7uhJ1V7bXBI/aVWUwbYc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=Fdk8Mz2c+Ha/N/cm2nZ4DgsOdO9Q5KTRp1HulujQKMjDOWEbAGKLBoYbzduN8QByYxOh1tx6HdbkrNJY/rvX99Gwjs7evd6yAPiQF9rUgfTPyhsbK0WMLN2Xf9hpIDjDEQFRWEoV0yomew5DVHv8lbH1YkbLcXU/ORNkj5542sY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass 
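Review bot: `out_sk_release` is added after `out_rcu_unlock:`, whose `goto out;` prevents fallthrough, and the three sites converted to `goto out_sk_release` (hash, init and BPF_CGROUP_RUN_PROG_INET_SOCK failures) all previously did `sk_common_release(sk); goto out;` rather than `goto out_rcu_unlock`, so no RCU unlock is lost; still, a comment on the new label stating that it must only be reached after the RCU read section has ended would document that constraint, since a later error site added inside the protected lookup could jump here by analogy with the others. The commit message could also mention that the label dedups three identical `sk_common_release(sk); goto out;` blocks, which accounts for most of the 12 deletions in the diffstat.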
From: Ignat Korchagin
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, Oliver Hartkopp, Marc Kleine-Budde, Alexander Aring, Stefan Schmidt, Miquel Raynal, David Ahern, Willem de Bruijn, linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org, linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com, Ignat Korchagin
Subject: [PATCH v2 8/8] inet6: do not leave a dangling sk pointer in inet6_create()
Date: Mon, 7 Oct 2024 22:35:02 +0100
Message-Id: <20241007213502.28183-9-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>

sock_init_data() attaches the allocated sk pointer to the provided sock object. If inet6_create() fails later, the sk object is released, but the sock object retains the dangling sk pointer, which may cause use-after-free later. Clear the sock sk pointer on error.

Signed-off-by: Ignat Korchagin
---
 net/ipv6/af_inet6.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index ba69b86f1c7d..f60ec8b0f8ea 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -252,31 +252,29 @@ static int inet6_create(struct net *net, struct socke= t *sock, int protocol, */ inet->inet_sport =3D htons(inet->inet_num); err =3D sk->sk_prot->hash(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } if (sk->sk_prot->init) { err =3D sk->sk_prot->init(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } =20 if (!kern) { err =3D BPF_CGROUP_RUN_PROG_INET_SOCK(sk); - if (err) { - sk_common_release(sk); - goto out; - } + if (err) + goto out_sk_release; } out: return err; out_rcu_unlock: rcu_read_unlock(); goto out; +out_sk_release: + sk_common_release(sk); + sock->sk =3D NULL; + goto out; } =20 static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_= len, --=20 2.39.5
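Review bot: this hunk is line-for-line the same restructuring as the af_inet.c one, which keeps the IPv4 and IPv6 create paths in sync, but it means the pair `sk_common_release(sk); sock->sk = NULL;` is now repeated in ieee802154_create(), inet_create() and inet6_create(); consider a follow-up that moves the `sock->sk = NULL` clear into sk_common_release() itself (after confirming its other callers still hold a valid sock), so that another create function cannot omit it. As in af_inet.c, the label is safe after the `goto out;` under `out_rcu_unlock:`, and the same comment about not jumping to it from inside the RCU read section would help here too.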