microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
WSL2-Linux-Kernel/net/ipv4
История
Kuniyuki Iwashima 4494bccb52 fou: Fix null-ptr-deref in GRO. 
[ Upstream commit 7e4196935069947d8b70b09c1660b67b067e75cb ]

We observed a null-ptr-deref in fou_gro_receive() while shutting down
a host.  [0]

The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol
in struct fou.

When fou_release() is called due to netns dismantle or explicit tunnel
teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data.
Then, the tunnel socket is destroyed after a single RCU grace period.

So, in-flight udp4_gro_receive() could find the socket and execute the
FOU GRO handler, where sk->sk_user_data could be NULL.

Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL
checks in FOU GRO handlers.

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000008
 PF: supervisor read access in kernel mode
 PF: error_code(0x0000) - not-present page
PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0
SMP PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1
Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017
RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou]
Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42
RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010
RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08
RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002
R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400
R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0
FS:  0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <IRQ>
 ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
 ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)
 ? no_context (arch/x86/mm/fault.c:752)
 ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483)
 ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571)
 ? fou_gro_receive (net/ipv4/fou.c:233) [fou]
 udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559)
 udp4_gro_receive (net/ipv4/udp_offload.c:604)
 inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7))
 dev_gro_receive (net/core/dev.c:6035 (discriminator 4))
 napi_gro_receive (net/core/dev.c:6170)
 ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena]
 ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena]
 napi_poll (net/core/dev.c:6847)
 net_rx_action (net/core/dev.c:6917)
 __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299)
 asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809)
</IRQ>
 do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77)
 irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435)
 common_interrupt (arch/x86/kernel/irq.c:239)
 asm_common_interrupt (arch/x86/include/asm/idtentry.h:626)
RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575)
Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00
RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246
RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900
RDX: ffff93daee800000 RSI: ffff93daee87dc00 RDI: ffff93daee87dc64
RBP: 0000000000000001 R08: ffffffffb5e7b6c0 R09: 0000000000000044
R10: ffff93daee831b04 R11: 00000000000001cd R12: 0000000000000001
R13: ffffffffb5e7b740 R14: 0000000000000001 R15: 0000000000000000
 ? sched_clock_cpu (kernel/sched/clock.c:371)
 acpi_idle_enter (drivers/acpi/processor_idle.c:712 (discriminator 3))
 cpuidle_enter_state (drivers/cpuidle/cpuidle.c:237)
 cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
 cpuidle_idle_call (kernel/sched/idle.c:158 kernel/sched/idle.c:239)
 do_idle (kernel/sched/idle.c:302)
 cpu_startup_entry (kernel/sched/idle.c:395 (discriminator 1))
 start_kernel (init/main.c:1048)
 secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:310)
Modules linked in: udp_diag tcp_diag inet_diag nft_nat ipip tunnel4 dummy fou ip_tunnel nft_masq nft_chain_nat nf_nat wireguard nft_ct curve25519_x86_64 libcurve25519_generic nf_conntrack libchacha20poly1305 nf_defrag_ipv6 nf_defrag_ipv4 nft_objref chacha_x86_64 nft_counter nf_tables nfnetlink poly1305_x86_64 ip6_udp_tunnel udp_tunnel libchacha crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper mousedev psmouse button ena ptp pps_core crc32c_intel
CR2: 0000000000000008

Fixes: d92283e338 ("fou: change to use UDP socket GRO")
Reported-by: Alphonse Kurian <alkurian@amazon.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20240902173927.62706-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2024-09-12 11:07:47 +02:00
..
bpfilter
netfilter netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). 2024-08-19 05:45:32 +02:00
Kconfig tcp: configurable source port perturb table size 2022-12-02 17:41:11 +01:00
Makefile
af_inet.c gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers 2024-09-12 11:07:47 +02:00
ah4.c
arp.c arp: Prevent overflow in arp_req_get(). 2024-03-01 13:22:00 +01:00
bpf_tcp_ca.c bpf: Forbid bpf_ktime_get_coarse_ns and bpf_timer_* in tracing progs 2021-11-25 09:49:07 +01:00
cipso_ipv4.c cipso: fix total option length computation 2024-07-05 09:14:29 +02:00
datagram.c udp: Update reuse->has_conns under reuseport_lock. 2022-10-29 10:12:56 +02:00
devinet.c ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid 2024-03-01 13:21:58 +01:00
esp4.c net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP 2024-08-19 05:44:55 +02:00
esp4_offload.c xfrm: Linearize the skb after offloading if needed. 2023-06-28 10:29:46 +02:00
fib_frontend.c ipv4: Fix incorrect table ID in IOCTL path 2023-03-22 13:31:28 +01:00
fib_lookup.h ipv4: fix data races in fib_alias_hw_flags_set 2022-02-23 12:03:10 +01:00
fib_notifier.c
fib_rules.c ipv4: convert fib_num_tclassid_users to atomic_t 2021-12-08 09:04:49 +01:00
fib_semantics.c ipv4/fib: send notify when delete source address routes 2023-10-25 11:59:00 +02:00
fib_trie.c ipv4/fib: send notify when delete source address routes 2023-10-25 11:59:00 +02:00
fou.c fou: Fix null-ptr-deref in GRO. 2024-09-12 11:07:47 +02:00
gre_demux.c
gre_offload.c gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers 2024-09-12 11:07:47 +02:00
icmp.c icmp: prevent possible NULL dereferences from icmp_build_probe() 2024-05-02 16:24:44 +02:00
igmp.c bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument 2024-03-26 18:21:23 -04:00
inet_connection_sock.c Fix race for duplicate reqsk on identical SYN 2024-07-05 09:14:41 +02:00
inet_diag.c inet_diag: Initialize pad field in struct inet_diag_req_v2 2024-07-18 13:07:31 +02:00
inet_fragment.c inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
inet_hashtables.c net: remove duplicate reuseport_lookup functions 2024-06-16 13:39:21 +02:00
inet_timewait_sock.c tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() 2024-05-02 16:24:49 +02:00
inetpeer.c inetpeer: Fix data-races around sysctl. 2022-07-21 21:24:21 +02:00
ip_forward.c ip: Fix data-races around sysctl_ip_fwd_update_priority. 2022-07-29 17:25:13 +02:00
ip_fragment.c inet: frags: annotate races around fqdir->dead and fqdir->high_thresh 2022-01-27 11:05:35 +01:00
ip_gre.c erspan: make sure erspan_base_hdr is present in skb->head 2024-04-10 16:19:38 +02:00
ip_input.c ipv4: ignore dst hint for multipath routes 2023-09-19 12:22:58 +02:00
ip_options.c
ip_output.c net: ipv4: fix a memleak in ip_setup_cork 2024-02-23 08:54:54 +01:00
ip_sockglue.c bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument 2024-03-26 18:21:23 -04:00
ip_tunnel.c net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() 2024-03-26 18:21:22 -04:00
ip_tunnel_core.c tunnels: fix out of bounds access when building IPv6 PMTU error 2024-02-23 08:54:57 +01:00
ip_vti.c ip_vti: fix potential slab-use-after-free in decode_session6 2023-08-26 14:23:32 +02:00
ipcomp.c
ipconfig.c
ipip.c
ipmr.c ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function 2024-03-26 18:21:23 -04:00
ipmr_base.c
metrics.c ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() 2023-02-01 08:27:27 +01:00
netfilter.c
netlink.c
nexthop.c net: nexthop: Initialize all fields in dumped nexthops 2024-08-19 05:45:24 +02:00
ping.c ping: fix address binding wrt vrf 2022-05-18 10:26:57 +02:00
proc.c ip: Fix data-races around sysctl_ip_default_ttl. 2022-07-29 17:25:09 +02:00
protocol.c
raw.c net: drop nopreempt requirement on sock_prot_inuse_add() 2024-07-05 09:14:08 +02:00
raw_diag.c
route.c ipv4: Fix incorrect source address in Record Route option 2024-08-19 05:45:24 +02:00
syncookies.c tcp: fix cookie_init_timestamp() overflows 2023-11-20 11:08:16 +01:00
sysctl_net_ipv4.c tcp: restrict net.ipv4.tcp_app_win 2023-04-20 12:13:53 +02:00
tcp.c tcp: add tcp_done_with_error() helper 2024-08-19 05:44:55 +02:00
tcp_bbr.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_bic.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_bpf.c tcp_bpf: fix return value of tcp_bpf_sendmsg() 2024-09-12 11:07:47 +02:00
tcp_cdg.c tcp: cdg: allow tcp_cdg_release() to be called multiple times 2022-11-26 09:24:50 +01:00
tcp_cong.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_cubic.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_dctcp.c tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). 2024-06-16 13:39:47 +02:00
tcp_dctcp.h
tcp_diag.c
tcp_fastopen.c tcp: annotate data-races around fastopenq.max_qlen 2023-07-27 08:47:04 +02:00
tcp_highspeed.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_htcp.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_hybla.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_illinois.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_input.c tcp: add tcp_done_with_error() helper 2024-08-19 05:44:55 +02:00
tcp_ipv4.c tcp: fix races in tcp_v[46]_err() 2024-08-19 05:44:56 +02:00
tcp_lp.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_metrics.c tcp_metrics: validate source addr length 2024-07-18 13:07:30 +02:00
tcp_minisocks.c tcp: Use BPF timeout setting for SYN ACK RTO 2024-07-05 09:14:41 +02:00
tcp_nv.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_offload.c
tcp_output.c tcp: annotate lockless access to sk->sk_err 2024-08-19 05:44:55 +02:00
tcp_rate.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_recovery.c tcp: fix excessive TLP and RACK timeouts from HZ rounding 2023-10-25 11:58:57 +02:00
tcp_scalable.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_timer.c tcp: fix race in tcp_write_err() 2024-08-19 05:44:56 +02:00
tcp_ulp.c net/ulp: use consistent error code when blocking ULP 2023-01-24 07:22:48 +01:00
tcp_vegas.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_vegas.h
tcp_veno.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_westwood.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tcp_yeah.c tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:36:11 +02:00
tunnel4.c
udp.c udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). 2024-07-18 13:07:38 +02:00
udp_bpf.c bpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser() 2023-03-17 08:48:54 +01:00
udp_diag.c
udp_impl.h
udp_offload.c gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers 2024-09-12 11:07:47 +02:00
udp_tunnel_core.c net/tunnel: wait until all sk_user_data reader finish before releasing the sock 2022-12-31 13:14:19 +01:00
udp_tunnel_nic.c udp_tunnel: Fix end of loop test in udp_tunnel_nic_unregister() 2022-03-02 11:47:59 +01:00
udp_tunnel_stub.c
udplite.c udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). 2023-05-30 13:55:31 +01:00
xfrm4_input.c xfrm: Preserve vlan tags for transport mode software GRO 2024-05-17 11:50:57 +02:00
xfrm4_output.c
xfrm4_policy.c
xfrm4_protocol.c net: xfrm: unexport __init-annotated xfrm4_protocol_init() 2022-06-14 18:36:18 +02:00
xfrm4_state.c
xfrm4_tunnel.c