Patch "tcp: Don't access uninit tcp_rsk(req)->ao_keyid in tcp_create_openreq_child()." has been added to the 6.10-stable tree

This is a note to let you know that I've just added the patch titled

    tcp: Don't access uninit tcp_rsk(req)->ao_keyid in tcp_create_openreq_child().

to the 6.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tcp-don-t-access-uninit-tcp_rsk-req-ao_keyid-in-tcp_.patch
and it can be found in the queue-6.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1b73d118219c33b343c7e03647a51c9bc34b3f96
Author: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
Date:   Sun Jul 14 09:17:19 2024 -0700

    tcp: Don't access uninit tcp_rsk(req)->ao_keyid in tcp_create_openreq_child().
    
    [ Upstream commit 3f45181358e4df50a40ea1bb51b00a1f295f915e ]
    
    syzkaller reported KMSAN splat in tcp_create_openreq_child(). [0]
    
    The uninit variable is tcp_rsk(req)->ao_keyid.
    
    tcp_rsk(req)->ao_keyid is initialised only when tcp_conn_request() finds
    a valid TCP AO option in SYN.  Then, tcp_rsk(req)->used_tcp_ao is set
    accordingly.
    
    Let's not read tcp_rsk(req)->ao_keyid when tcp_rsk(req)->used_tcp_ao is
    false.
    
    [0]:
    BUG: KMSAN: uninit-value in tcp_create_openreq_child+0x198b/0x1ff0 net/ipv4/tcp_minisocks.c:610
     tcp_create_openreq_child+0x198b/0x1ff0 net/ipv4/tcp_minisocks.c:610
     tcp_v4_syn_recv_sock+0x18e/0x2170 net/ipv4/tcp_ipv4.c:1754
     tcp_check_req+0x1a3e/0x20c0 net/ipv4/tcp_minisocks.c:852
     tcp_v4_rcv+0x26a4/0x53a0 net/ipv4/tcp_ipv4.c:2265
     ip_protocol_deliver_rcu+0x884/0x1270 net/ipv4/ip_input.c:205
     ip_local_deliver_finish+0x30f/0x530 net/ipv4/ip_input.c:233
     NF_HOOK include/linux/netfilter.h:314 [inline]
     ip_local_deliver+0x230/0x4c0 net/ipv4/ip_input.c:254
     dst_input include/net/dst.h:460 [inline]
     ip_sublist_rcv_finish net/ipv4/ip_input.c:580 [inline]
     ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline]
     ip_sublist_rcv+0x10f7/0x13e0 net/ipv4/ip_input.c:639
     ip_list_rcv+0x952/0x9c0 net/ipv4/ip_input.c:674
     __netif_receive_skb_list_ptype net/core/dev.c:5703 [inline]
     __netif_receive_skb_list_core+0xd92/0x11d0 net/core/dev.c:5751
     __netif_receive_skb_list net/core/dev.c:5803 [inline]
     netif_receive_skb_list_internal+0xd8f/0x1350 net/core/dev.c:5895
     gro_normal_list include/net/gro.h:515 [inline]
     napi_complete_done+0x3f2/0x990 net/core/dev.c:6246
     e1000_clean+0x1fa4/0x5e50 drivers/net/ethernet/intel/e1000/e1000_main.c:3808
     __napi_poll+0xd9/0x990 net/core/dev.c:6771
     napi_poll net/core/dev.c:6840 [inline]
     net_rx_action+0x90f/0x17e0 net/core/dev.c:6962
     handle_softirqs+0x152/0x6b0 kernel/softirq.c:554
     __do_softirq kernel/softirq.c:588 [inline]
     invoke_softirq kernel/softirq.c:428 [inline]
     __irq_exit_rcu kernel/softirq.c:637 [inline]
     irq_exit_rcu+0x5d/0x120 kernel/softirq.c:649
     common_interrupt+0x83/0x90 arch/x86/kernel/irq.c:278
     asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
     __msan_instrument_asm_store+0xd6/0xe0
     arch_atomic_inc arch/x86/include/asm/atomic.h:53 [inline]
     raw_atomic_inc include/linux/atomic/atomic-arch-fallback.h:992 [inline]
     atomic_inc include/linux/atomic/atomic-instrumented.h:436 [inline]
     page_ref_inc include/linux/page_ref.h:153 [inline]
     folio_ref_inc include/linux/page_ref.h:160 [inline]
     filemap_map_order0_folio mm/filemap.c:3596 [inline]
     filemap_map_pages+0x11c7/0x2270 mm/filemap.c:3644
     do_fault_around mm/memory.c:4879 [inline]
     do_read_fault mm/memory.c:4912 [inline]
     do_fault mm/memory.c:5051 [inline]
     do_pte_missing mm/memory.c:3897 [inline]
     handle_pte_fault mm/memory.c:5381 [inline]
     __handle_mm_fault mm/memory.c:5524 [inline]
     handle_mm_fault+0x3677/0x6f00 mm/memory.c:5689
     do_user_addr_fault+0x1373/0x2b20 arch/x86/mm/fault.c:1338
     handle_page_fault arch/x86/mm/fault.c:1481 [inline]
     exc_page_fault+0x54/0xc0 arch/x86/mm/fault.c:1539
     asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
    
    Uninit was stored to memory at:
     tcp_create_openreq_child+0x1984/0x1ff0 net/ipv4/tcp_minisocks.c:611
     tcp_v4_syn_recv_sock+0x18e/0x2170 net/ipv4/tcp_ipv4.c:1754
     tcp_check_req+0x1a3e/0x20c0 net/ipv4/tcp_minisocks.c:852
     tcp_v4_rcv+0x26a4/0x53a0 net/ipv4/tcp_ipv4.c:2265
     ip_protocol_deliver_rcu+0x884/0x1270 net/ipv4/ip_input.c:205
     ip_local_deliver_finish+0x30f/0x530 net/ipv4/ip_input.c:233
     NF_HOOK include/linux/netfilter.h:314 [inline]
     ip_local_deliver+0x230/0x4c0 net/ipv4/ip_input.c:254
     dst_input include/net/dst.h:460 [inline]
     ip_sublist_rcv_finish net/ipv4/ip_input.c:580 [inline]
     ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline]
     ip_sublist_rcv+0x10f7/0x13e0 net/ipv4/ip_input.c:639
     ip_list_rcv+0x952/0x9c0 net/ipv4/ip_input.c:674
     __netif_receive_skb_list_ptype net/core/dev.c:5703 [inline]
     __netif_receive_skb_list_core+0xd92/0x11d0 net/core/dev.c:5751
     __netif_receive_skb_list net/core/dev.c:5803 [inline]
     netif_receive_skb_list_internal+0xd8f/0x1350 net/core/dev.c:5895
     gro_normal_list include/net/gro.h:515 [inline]
     napi_complete_done+0x3f2/0x990 net/core/dev.c:6246
     e1000_clean+0x1fa4/0x5e50 drivers/net/ethernet/intel/e1000/e1000_main.c:3808
     __napi_poll+0xd9/0x990 net/core/dev.c:6771
     napi_poll net/core/dev.c:6840 [inline]
     net_rx_action+0x90f/0x17e0 net/core/dev.c:6962
     handle_softirqs+0x152/0x6b0 kernel/softirq.c:554
     __do_softirq kernel/softirq.c:588 [inline]
     invoke_softirq kernel/softirq.c:428 [inline]
     __irq_exit_rcu kernel/softirq.c:637 [inline]
     irq_exit_rcu+0x5d/0x120 kernel/softirq.c:649
     common_interrupt+0x83/0x90 arch/x86/kernel/irq.c:278
     asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
    
    Uninit was created at:
     __alloc_pages_noprof+0x82d/0xcb0 mm/page_alloc.c:4706
     __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
     alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
     alloc_slab_page mm/slub.c:2265 [inline]
     allocate_slab mm/slub.c:2428 [inline]
     new_slab+0x2af/0x14e0 mm/slub.c:2481
     ___slab_alloc+0xf73/0x3150 mm/slub.c:3667
     __slab_alloc mm/slub.c:3757 [inline]
     __slab_alloc_node mm/slub.c:3810 [inline]
     slab_alloc_node mm/slub.c:3990 [inline]
     kmem_cache_alloc_noprof+0x53a/0x9f0 mm/slub.c:4009
     reqsk_alloc_noprof net/ipv4/inet_connection_sock.c:920 [inline]
     inet_reqsk_alloc+0x63/0x700 net/ipv4/inet_connection_sock.c:951
     tcp_conn_request+0x339/0x4860 net/ipv4/tcp_input.c:7177
     tcp_v4_conn_request+0x13b/0x190 net/ipv4/tcp_ipv4.c:1719
     tcp_rcv_state_process+0x2dd/0x4a10 net/ipv4/tcp_input.c:6711
     tcp_v4_do_rcv+0xbee/0x10d0 net/ipv4/tcp_ipv4.c:1932
     tcp_v4_rcv+0x3fad/0x53a0 net/ipv4/tcp_ipv4.c:2334
     ip_protocol_deliver_rcu+0x884/0x1270 net/ipv4/ip_input.c:205
     ip_local_deliver_finish+0x30f/0x530 net/ipv4/ip_input.c:233
     NF_HOOK include/linux/netfilter.h:314 [inline]
     ip_local_deliver+0x230/0x4c0 net/ipv4/ip_input.c:254
     dst_input include/net/dst.h:460 [inline]
     ip_sublist_rcv_finish net/ipv4/ip_input.c:580 [inline]
     ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline]
     ip_sublist_rcv+0x10f7/0x13e0 net/ipv4/ip_input.c:639
     ip_list_rcv+0x952/0x9c0 net/ipv4/ip_input.c:674
     __netif_receive_skb_list_ptype net/core/dev.c:5703 [inline]
     __netif_receive_skb_list_core+0xd92/0x11d0 net/core/dev.c:5751
     __netif_receive_skb_list net/core/dev.c:5803 [inline]
     netif_receive_skb_list_internal+0xd8f/0x1350 net/core/dev.c:5895
     gro_normal_list include/net/gro.h:515 [inline]
     napi_complete_done+0x3f2/0x990 net/core/dev.c:6246
     e1000_clean+0x1fa4/0x5e50 drivers/net/ethernet/intel/e1000/e1000_main.c:3808
     __napi_poll+0xd9/0x990 net/core/dev.c:6771
     napi_poll net/core/dev.c:6840 [inline]
     net_rx_action+0x90f/0x17e0 net/core/dev.c:6962
     handle_softirqs+0x152/0x6b0 kernel/softirq.c:554
     __do_softirq kernel/softirq.c:588 [inline]
     invoke_softirq kernel/softirq.c:428 [inline]
     __irq_exit_rcu kernel/softirq.c:637 [inline]
     irq_exit_rcu+0x5d/0x120 kernel/softirq.c:649
     common_interrupt+0x83/0x90 arch/x86/kernel/irq.c:278
     asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
    
    CPU: 0 PID: 239 Comm: modprobe Tainted: G    B              6.10.0-rc7-01816-g852e42cc2dd4 #3 1107521f0c7b55c9309062382d0bda9f604dbb6d
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
    
    Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets")
    Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
    Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
    Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Acked-by: Dmitry Safonov <0x7f454c46@xxxxxxxxx>
    Link: https://patch.msgid.link/20240714161719.6528-1-kuniyu@xxxxxxxxxx
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
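The pattern the commit message describes, as an added illustration that is not kernel code: a request socket allocated from un-zeroed slab memory, `ao_keyid` written only for a SYN carrying a valid AO option, and the child-socket step with and without the `used_tcp_ao` guard. All names here (`req_sock`, `reqsk_alloc_model`, `conn_request_model`, `ao_lookup_model`, `child_ao_len_*`, `run_handshake`, `AO_HDR_LEN`) are simplified stand-ins for the kernel's, and the garbage byte and key id 0xAA are constructed values.

```c
/* Added model (not kernel code) of the request-socket path the commit
 * message describes; names are simplified stand-ins for the kernel's. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define AO_HDR_LEN 20            /* assumed aligned TCP-AO option length */

struct req_sock {                /* stand-in for struct tcp_request_sock */
    bool used_tcp_ao;            /* set by conn_request for every SYN */
    uint8_t ao_keyid;            /* written only when the SYN carried valid AO */
};
struct listener { uint8_t configured_keyid; };
static int lookup_calls;         /* how often ao_keyid was read via ao_lookup */

/* reqsk_alloc(): slab memory is not zeroed; a constructed garbage byte
 * stands in for whatever the freed object previously held. */
static void reqsk_alloc_model(struct req_sock *req, uint8_t garbage) {
    memset(req, garbage, sizeof *req);
}
/* tcp_conn_request(): ao_keyid is initialised only for a SYN with AO. */
static void conn_request_model(struct req_sock *req, bool syn_has_ao, uint8_t keyid) {
    req->used_tcp_ao = syn_has_ao;
    if (syn_has_ao)
        req->ao_keyid = keyid;
}
static bool ao_lookup_model(const struct listener *sk, uint8_t keyid) {
    lookup_calls++;
    return keyid == sk->configured_keyid;
}
/* Pre-patch: reads ao_keyid unconditionally, which is what KMSAN flagged. */
static int child_ao_len_unguarded(const struct listener *sk, const struct req_sock *req) {
    return ao_lookup_model(sk, req->ao_keyid) ? AO_HDR_LEN : 0;
}
/* Patched: the used_tcp_ao guard leaves an uninitialised ao_keyid unread. */
static int child_ao_len_guarded(const struct listener *sk, const struct req_sock *req) {
    if (!req->used_tcp_ao)
        return 0;
    return ao_lookup_model(sk, req->ao_keyid) ? AO_HDR_LEN : 0;
}
/* Runs one SYN through the model and returns the AO bytes reserved for the
 * child socket; lookup_calls afterwards tells whether ao_keyid was read. */
static int run_handshake(bool syn_has_ao, uint8_t garbage, bool guarded) {
    struct listener sk = { .configured_keyid = 0xAA };  /* constructed key id */
    struct req_sock req;
    reqsk_alloc_model(&req, garbage);
    conn_request_model(&req, syn_has_ao, 0xAA);
    lookup_calls = 0;
    return guarded ? child_ao_len_guarded(&sk, &req)
                   : child_ao_len_unguarded(&sk, &req);
}
```

With garbage byte 0xAA and a configured key id of 0xAA, the unguarded variant matches a key and reserves AO header bytes for a SYN that never negotiated AO; the guarded variant never reads the field at all.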

diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 538c06f95918d..0fbebf6266e91 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -515,9 +515,6 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
 	const struct tcp_sock *oldtp;
 	struct tcp_sock *newtp;
 	u32 seq;
-#ifdef CONFIG_TCP_AO
-	struct tcp_ao_key *ao_key;
-#endif
 
 	if (!newsk)
 		return NULL;
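Review bot: Dropping the function-scope `struct tcp_ao_key *ao_key;` under `#ifdef CONFIG_TCP_AO` only compiles together with the second hunk, which re-declares it inside the new `if (tcp_rsk_used_ao(req))` block; applied on its own this hunk would leave the later `ao_key = treq->af_specific->ao_lookup(...)` assignment without a declaration. Narrowing the variable to the block where it is used is the right call, since there is no longer any path on which it could be read before the guard.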
@@ -608,10 +605,14 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
 #endif
 #ifdef CONFIG_TCP_AO
 	newtp->ao_info = NULL;
-	ao_key = treq->af_specific->ao_lookup(sk, req,
-				tcp_rsk(req)->ao_keyid, -1);
-	if (ao_key)
-		newtp->tcp_header_len += tcp_ao_len_aligned(ao_key);
+
+	if (tcp_rsk_used_ao(req)) {
+		struct tcp_ao_key *ao_key;
+
+		ao_key = treq->af_specific->ao_lookup(sk, req, tcp_rsk(req)->ao_keyid, -1);
+		if (ao_key)
+			newtp->tcp_header_len += tcp_ao_len_aligned(ao_key);
+	}
  #endif
 	if (skb->len >= TCP_MSS_DEFAULT + newtp->tcp_header_len)
 		newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len;
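Review bot: `tcp_rsk_used_ao()` is called but not defined in this diff, so the backport depends on that helper already being present in 6.10-stable together with the `used_tcp_ao` flag that the Fixes: commit 06b22ef29591 introduced; worth confirming before queuing. With the guard in place the logic matches the commit message: `tcp_rsk(req)->ao_keyid` is read only when `tcp_conn_request()` found a valid AO option, so `ao_lookup()` is no longer invoked with a stale key id and `newtp->tcp_header_len` grows only for requests that actually negotiated AO, while the `if (skb->len >= TCP_MSS_DEFAULT + newtp->tcp_header_len)` check that follows sees the same header length as before for non-AO connections.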
