On 05/24/2019 05:01 PM, John Fastabend wrote:
> Backlog work for psock (sk_psock_backlog) might sleep while waiting
> for memory to free up when sending packets. However, while sleeping
> the socket may be closed and removed from the map by the user space
> side.
>
> This breaks an assumption in sk_stream_wait_memory, which expects the
> wait queue to be still there when it wakes up resulting in a
> use-after-free shown below. To fix this mark sendmsg as MSG_DONTWAIT
> to avoid the sleep altogether. We already set the flag for the
> sendpage case but we missed the case where sendmsg is used.
> Sockmap is currently the only user of skb_send_sock_locked() so only
> the sockmap paths should be impacted.
>
> ==================================================================
> BUG: KASAN: use-after-free in remove_wait_queue+0x31/0x70
> Write of size 8 at addr ffff888069a0c4e8 by task kworker/0:2/110
>
> CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
> Workqueue: events sk_psock_backlog
> Call Trace:
>  print_address_description+0x6e/0x2b0
>  ? remove_wait_queue+0x31/0x70
>  kasan_report+0xfd/0x177
>  ? remove_wait_queue+0x31/0x70
>  ? remove_wait_queue+0x31/0x70
>  remove_wait_queue+0x31/0x70
>  sk_stream_wait_memory+0x4dd/0x5f0
>  ? sk_stream_wait_close+0x1b0/0x1b0
>  ? wait_woken+0xc0/0xc0
>  ? tcp_current_mss+0xc5/0x110
>  tcp_sendmsg_locked+0x634/0x15d0
>  ? tcp_set_state+0x2e0/0x2e0
>  ? __kasan_slab_free+0x1d1/0x230
>  ? kmem_cache_free+0x70/0x140
>  ? sk_psock_backlog+0x40c/0x4b0
>  ? process_one_work+0x40b/0x660
>  ? worker_thread+0x82/0x680
>  ? kthread+0x1b9/0x1e0
>  ? ret_from_fork+0x1f/0x30
>  ? check_preempt_curr+0xaf/0x130
>  ? iov_iter_kvec+0x5f/0x70
> [...]

Applied, thanks!
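The property the fix relies on, shown as an added user-space analogue that is not part of the patch or this thread: with MSG_DONTWAIT a sender whose socket buffer is full gets -1/EAGAIN back instead of sleeping in the kernel's wait-for-memory path, so there is no sleeping worker left to race with a close. It assumes an AF_UNIX socketpair (not the TCP path in the trace), a 16 KiB SO_SNDBUF, 4 KiB chunks, and the function names fill_until_would_block and demo_dontwait are mine.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Send 4 KiB chunks on fd until the kernel would have to wait for send
 * buffer memory. With flags == MSG_DONTWAIT that point shows up as
 * -1/EAGAIN instead of a sleep. Returns bytes queued, or -1 on any
 * other error; *out_errno gets the errno that ended the loop (0 if the
 * iteration bound was hit first). */
static ssize_t fill_until_would_block(int fd, int flags, int *out_errno)
{
    char chunk[4096];
    ssize_t total = 0;
    memset(chunk, 'A', sizeof chunk);
    for (int i = 0; i < 100000; i++) {          /* bound the loop */
        ssize_t n = send(fd, chunk, sizeof chunk, flags);
        if (n < 0) {
            *out_errno = errno;
            return (errno == EAGAIN || errno == EWOULDBLOCK) ? total : -1;
        }
        total += n;
    }
    *out_errno = 0;
    return total;
}

/* Returns 1 if MSG_DONTWAIT turned the would-sleep into EAGAIN after
 * some data was queued, 0 otherwise. */
int demo_dontwait(void)
{
    int sv[2], err = 0, ok = 0, sndbuf = 16384;   /* constructed setup */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    /* Small send buffer so the full condition is reached quickly; nothing
     * ever reads sv[1], like a peer that does not drain its queue. */
    setsockopt(sv[0], SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof sndbuf);
    ssize_t queued = fill_until_would_block(sv[0], MSG_DONTWAIT, &err);
    ok = queued > 0 && (err == EAGAIN || err == EWOULDBLOCK);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("MSG_DONTWAIT returned EAGAIN instead of sleeping: %s\n",
           demo_dontwait() ? "yes" : "no");
    return 0;
}
```

Without MSG_DONTWAIT the same send() would block inside the kernel until the peer reads, which is the window the backlog worker sat in when user space closed the socket.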