From patchwork Mon Oct  7 21:34:55 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ignat Korchagin <ignat@cloudflare.com>
X-Patchwork-Id: 833387
Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com
 [209.85.128.41])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by smtp.subspace.kernel.org (Postfix) with ESMTPS id C0BB918C352
 for <linux-bluetooth@vger.kernel.org>; Mon,  7 Oct 2024 21:35:36 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.41
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
 t=1728336938; cv=none;
 b=HF/QXVO4tlCJtceZ0Uv1Oec6eZKeDYlj/qUWDscT68WfgZ4zgGYnv4H2p2KImwEijyqcL3nJgdBvximbKOhHM1VA2f1PxQFig2mrNDQ3C6Izhl4rz+AKhG2ZA0KwpiItIN7fW2RPAf9aVpOi/qKr67dF4jnOuFn02ZvWbwYNCE8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
 s=arc-20240116; t=1728336938; c=relaxed/simple;
 bh=tF3+7/64K2pNMC2yMmqB0bNnDpkF/qc4QvYqWOU0LHs=;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=PtoX51Og6tWWCqtwBFMuLL9y1vST/TPHBOFr92QZarhRFXb5T1f3RovlSdpoa/zcGPhotFy8SP5KECFrAT2Xj6CUMcaWGC+LoV9KpJf7JurO8AkDi9Zk1BrsQbMTp5NmodWel2u4aaZdAe6QCJk1x4COYb9PkC+MgsCKQspkoWQ=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com;
 spf=pass smtp.mailfrom=cloudflare.com;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b=gBg2Fv9f; arc=none smtp.client-ip=209.85.128.41
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b="gBg2Fv9f"
Received: by mail-wm1-f41.google.com with SMTP id
 5b1f17b1804b1-42cb60aff1eso50782445e9.0
 for <linux-bluetooth@vger.kernel.org>;
 Mon, 07 Oct 2024 14:35:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=cloudflare.com; s=google09082023; t=1728336935; x=1728941735;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=OvyWYlYW9NKrX6tjwjorxSh4AbupOomnLhmwVzPjUzY=;
 b=gBg2Fv9fYDeUYC50Ah1y/IuP8inxo5A5v/KcTviaSFNvLolTTCWlM5HJB68gye0c1x
 4jOFPRQZt8d2nO62/XgR9SnncQZlI0BeB3i21p956gRiGjtH1WqzdQAUxQbELVB4hEFe
 R2DLs5mTUzHu5AqurfR9YPBACBECX8QQxLijrB01TMDPfd+NTqAarSO2HgvZKYuhXad8
 9ynkNC6RyuAfZ/f6kwdqo6Nt3356JDixtuCwoDEbhGVBFygrSqjwwF0mWBT/5GeTf+yj
 gm7CNQi7glWXVXe/xyJxp7luIyE4c796sbgJbL66eqqeYdfp2/aKFKucbbBPb8r/rE8S
 686w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1728336935; x=1728941735;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=OvyWYlYW9NKrX6tjwjorxSh4AbupOomnLhmwVzPjUzY=;
 b=WWIZVsch4drQAvHeoZjXd0SJMEZGcKXN/rpnIaNe7YVKWMy7KcafcuikuZ2tmiW3oh
 cPe41UnKiXB323/AUPWxA+/6wAjEiRXMvygKtOVGjD0HRL/s4vcKqINXcOzy2IEJxE7S
 pzj1oLhjh9tWIT0Zed5RgI8rDoC5rxpy1GVnrCaTUC/MgeG4UlL1PC49hFilRRwupKFN
 ZEBk3ZWBCac3hagDQ9oU05f/917jjli2s1FS3KGshkVtLogMdnZ0/zWwEIrl9qEAMe1+
 r1bV9EsZLBQFhcnAuQdNhao+8t0fOLOoroHW452giinUbNcoxodLH0jfPcNJVRx0hiO9
 Nohw==
X-Forwarded-Encrypted: i=1;
 AJvYcCVaokd30u5hhP9wOA4eu2lIe76ErKQ6+EHYxtUU3vTqFj96g8Ax+bIbjig+rNv980x+RMLJ0yH/PByjN5zm/+U=@vger.kernel.org
X-Gm-Message-State: AOJu0Yw1IbCWfCnn1NcM+5AaMtwyljwWmawQBo/Sn3R1Tm6LWWkkEr0q
 zCs53DJXjZpdzqHOb/gc5pSgZCvAVvyvq9oGy78bDmJVROFtGV5kfTYhK51JPks=
X-Google-Smtp-Source: AGHT+IHLqNN1LAQf8g76woikHrigZw9N4TvlV2Fn4+zidESGtMa7IAByD8UA/IadWMwT9LMt7nSTnA==
X-Received: by 2002:adf:f8d0:0:b0:374:c454:dbb3 with SMTP id
 ffacd0b85a97d-37d0eae49f1mr6186667f8f.55.1728336934922;
 Mon, 07 Oct 2024 14:35:34 -0700 (PDT)
Received: from localhost.localdomain ([104.28.192.66])
 by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.32
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Mon, 07 Oct 2024 14:35:34 -0700 (PDT)
From: Ignat Korchagin <ignat@cloudflare.com>
To: "David S. Miller" <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, Marcel Holtmann <marcel@holtmann.org>,
 Johan Hedberg <johan.hedberg@gmail.com>,
 Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
 Oliver Hartkopp <socketcan@hartkopp.net>,
 Marc Kleine-Budde <mkl@pengutronix.de>,
 Alexander Aring <alex.aring@gmail.com>,
 Stefan Schmidt <stefan@datenfreihafen.org>,
 Miquel Raynal <miquel.raynal@bootlin.com>,
 David Ahern <dsahern@kernel.org>,
 Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
 linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org,
 linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com,
 Ignat Korchagin <ignat@cloudflare.com>, stable@vger.kernel.org
Subject: [PATCH v2 1/8] net: explicitly clear the sk pointer,
 when pf->create fails
Date: Mon,  7 Oct 2024 22:34:55 +0100
Message-Id: <20241007213502.28183-2-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

We have recently noticed the exact same KASAN splat as in commit
6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket
creation fails"). The problem is that commit did not fully address the
problem, as some pf->create implementations do not use sk_common_release
in their error paths.

For example, we can use the same reproducer as in the above commit, but
changing ping to arping. arping uses AF_PACKET socket and if packet_create
fails, it will just sk_free the allocated sk object.

While we could chase all the pf->create implementations and make sure they
NULL the freed sk object on error from the socket, we can't guarantee
future protocols will not make the same mistake.

So it is easier to just explicitly NULL the sk pointer upon return from
pf->create in __sock_create. We do know that pf->create always releases the
allocated sk object on error, so if the pointer is not NULL, it is
definitely dangling.

Fixes: 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket creation fails")
Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
Cc: stable@vger.kernel.org
---
 net/core/sock.c | 3 ---
 net/socket.c    | 7 ++++++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index 039be95c40cf..e6e04081949c 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3819,9 +3819,6 @@ void sk_common_release(struct sock *sk)
 
 	sk->sk_prot->unhash(sk);
 
-	if (sk->sk_socket)
-		sk->sk_socket->sk = NULL;
-
 	/*
 	 * In this point socket cannot receive new packets, but it is possible
 	 * that some packets are in flight because some CPU runs receiver and
diff --git a/net/socket.c b/net/socket.c
index 601ad74930ef..042451f01c65 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1574,8 +1574,13 @@ int __sock_create(struct net *net, int family, int type, int protocol,
 	rcu_read_unlock();
 
 	err = pf->create(net, sock, protocol, kern);
-	if (err < 0)
+	if (err < 0) {
+		/* ->create should release the allocated sock->sk object on error
+		 * but it may leave the dangling pointer
+		 */
+		sock->sk = NULL;
 		goto out_module_put;
+	}
 
 	/*
 	 * Now to bump the refcnt of the [loadable] module that owns this

From patchwork Mon Oct  7 21:34:56 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ignat Korchagin <ignat@cloudflare.com>
X-Patchwork-Id: 834144
Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com
 [209.85.221.50])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by smtp.subspace.kernel.org (Postfix) with ESMTPS id BD60A18CBFC
 for <linux-bluetooth@vger.kernel.org>; Mon,  7 Oct 2024 21:35:39 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.50
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
 t=1728336941; cv=none;
 b=DRpvuqryF7Rm2d1rfJAZHqHdfLnkeNFuGxxOkLqrpCFu1N1+BBqBAX5tHelBiMsECHaZxe8JFAj5BgruOPTN9Q//OhmtSCPzzbhGNanVsoco8fbiyHTeYETddR2pJfGdGmlXUjIQXJBUvWnipmtna6Aba+tc7SMOuNuGoL8qbeQ=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
 s=arc-20240116; t=1728336941; c=relaxed/simple;
 bh=RcIs+XM/c9JJbPNWfZbV/Z6TaGGOUNRFsh8gxXUISQs=;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=QYD2e4OEV9P7o2lNNHSGvT4T08WwM+tPXnRpG/GR3s8j+xlwm5JlhlsneFT8/CWsappToTbIBoaxs8cbtzzpWBKF+U6StxhkG//wt0jSngmXTSr1j5kqWbEZCS1hbnF4N4Q/8QV8vgO8PRrYMuGvGx/el352hZIb4wrrLBfJbiA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com;
 spf=pass smtp.mailfrom=cloudflare.com;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b=gNJI+tRX; arc=none smtp.client-ip=209.85.221.50
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b="gNJI+tRX"
Received: by mail-wr1-f50.google.com with SMTP id
 ffacd0b85a97d-37ce8458ae3so4537690f8f.1
 for <linux-bluetooth@vger.kernel.org>;
 Mon, 07 Oct 2024 14:35:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=cloudflare.com; s=google09082023; t=1728336938; x=1728941738;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=Z+WOxbNpY99MeFQgjqBrr6wWjmGKbOSspT6QoIunVVM=;
 b=gNJI+tRXKEOT+JmcWvkPAw+RE/UwTHAIQzQz3mH5eMTdSUyJvr1cM0VXOXIehowi+a
 ZxKNoAfqF4keeHK7Q3r5LdOrpiFHPw1GAcSf/kO6JdLmV6p6GoUO6lrGeQNDfHVa2oQr
 kjzOkMLPvNepFcrXbKERtQwyH0D3eSgJKtFDj9TfG9of0783iW9hkSusWZXTyMOqRBIY
 iXuKjjw+36/id77T9pdpj+mwDpIjs2tOeej6/jokFU2UuvIMEWcyeCam3Yb78KvUnhWF
 VZL9ahbtiAycL8iJZ/02cBFxtMCyjAzehpoICIGE36gZFrz4t0KvG0UAoFtLqSCTX1TV
 nBcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1728336938; x=1728941738;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=Z+WOxbNpY99MeFQgjqBrr6wWjmGKbOSspT6QoIunVVM=;
 b=oORQMfkPwDcnwQ2U76nbRQqV885QJKNgdCtwlS5CWq9eUyh4zrrCgHETs1mLBQBxrP
 CF+EpQJvfFz6z1/LGR1rcE1iebzQbbqsexrHtsLaBnzVD8678aKqzdl5ykBBgfcoaUox
 +VJNxoiiNT0ADEVEuAzIc3xyKmnwQlnwIH//rZL41VnUpcf4xuE3qLmmH+i9XNFWbg2O
 yaOZ2WslDFgiVDORv2yafFTqqcyi9YQNZ1V8minToj6qLi0vZEktrR6fl1yPsv0BZqyv
 GFoJXcuSBJaWaLWtpAjX4EWWnOKlP6KbIeBoYtpfcI8lMHRkjbEjHTMviqltnHDXVKCx
 2otg==
X-Forwarded-Encrypted: i=1;
 AJvYcCXSIg5qzSuAPxwfJILvvJSVIctPIpYw3C0Ie4CjG2k8X/Ua9yZ4nnByyNkTpeJRC+JZ166yj81V+ZA2TFHplC8=@vger.kernel.org
X-Gm-Message-State: AOJu0Yw7BqL3Q904mKrlKw8CQd3TRMpXVypsSTls9denD4xti1mDAQOa
 hyeGILvzWozDEy62VPXV4D25anLOcRNcyeZ/V3Kw42o9rEIvLQZvENuzjQpgiHc=
X-Google-Smtp-Source: AGHT+IEAHU3X4+3NGeDfduAV1o0hQG1DQDEgIfBCr8/wft+nMF9Tib13AWSIHVXOd+aWgaKXq2y7Dw==
X-Received: by 2002:adf:a199:0:b0:374:c9f0:7533 with SMTP id
 ffacd0b85a97d-37d0e8daaf4mr10614171f8f.41.1728336938164;
 Mon, 07 Oct 2024 14:35:38 -0700 (PDT)
Received: from localhost.localdomain ([104.28.192.66])
 by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.35
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Mon, 07 Oct 2024 14:35:37 -0700 (PDT)
From: Ignat Korchagin <ignat@cloudflare.com>
To: "David S. Miller" <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, Marcel Holtmann <marcel@holtmann.org>,
 Johan Hedberg <johan.hedberg@gmail.com>,
 Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
 Oliver Hartkopp <socketcan@hartkopp.net>,
 Marc Kleine-Budde <mkl@pengutronix.de>,
 Alexander Aring <alex.aring@gmail.com>,
 Stefan Schmidt <stefan@datenfreihafen.org>,
 Miquel Raynal <miquel.raynal@bootlin.com>,
 David Ahern <dsahern@kernel.org>,
 Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
 linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org,
 linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com,
 Ignat Korchagin <ignat@cloudflare.com>
Subject: [PATCH v2 2/8] af_packet: avoid erroring out after sock_init_data()
 in packet_create()
Date: Mon,  7 Oct 2024 22:34:56 +0100
Message-Id: <20241007213502.28183-3-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

After sock_init_data() the allocated sk object is attached to the provided
sock object. On error, packet_create() frees the sk object leaving the
dangling pointer in the sock object on return. Some other code may try
to use this pointer and cause use-after-free.

Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
---
 net/packet/af_packet.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index a705ec214254..97774bd4b6cb 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3421,17 +3421,17 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
 	if (sock->type == SOCK_PACKET)
 		sock->ops = &packet_ops_spkt;
 
+	po = pkt_sk(sk);
+	err = packet_alloc_pending(po);
+	if (err)
+		goto out_sk_free;
+
 	sock_init_data(sock, sk);
 
-	po = pkt_sk(sk);
 	init_completion(&po->skb_completion);
 	sk->sk_family = PF_PACKET;
 	po->num = proto;
 
-	err = packet_alloc_pending(po);
-	if (err)
-		goto out2;
-
 	packet_cached_dev_reset(po);
 
 	sk->sk_destruct = packet_sock_destruct;
@@ -3463,7 +3463,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
 	sock_prot_inuse_add(net, &packet_proto, 1);
 
 	return 0;
-out2:
+out_sk_free:
 	sk_free(sk);
 out:
 	return err;

From patchwork Mon Oct  7 21:34:57 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ignat Korchagin <ignat@cloudflare.com>
X-Patchwork-Id: 833386
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com
 [209.85.221.48])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by smtp.subspace.kernel.org (Postfix) with ESMTPS id F258B18E044
 for <linux-bluetooth@vger.kernel.org>; Mon,  7 Oct 2024 21:35:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.48
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
 t=1728336945; cv=none;
 b=HbKfnQxCPJFAdVcuts0XDxDyia8sfYhW8O60E03dW4p6QxR9SzUPPpe2vwo0AoYJCprMv7wOA3pihY6aVeC3XO9d+1yN/8P4R922mM/W66/rivb5k8zAF94HAdoyf0JwMJMFZWwvuRfd9BOZz6w8ymLK8NA5jMENVde7teDoBsk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
 s=arc-20240116; t=1728336945; c=relaxed/simple;
 bh=Za6d2/ag0cx5W3bmCrv67Ur4+k+VPgr8uvsyupNoJnM=;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=DSbhbphDl40s6+5fSGvsN49Nm/LPvm51gzDMHKTK7NPSyox82DVTmLcZmKKh6oj7Vjxj20BGCKqdljzoGC3vFwApF6gPmCm+sYqGeBq8Q7CoUtRyQ07lLo7sbGw+c+Fu9wtd50Cd0h4UV8aml1iU+P6zXRI6DMh/V4R318Noyxc=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com;
 spf=pass smtp.mailfrom=cloudflare.com;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b=Iz9zRhD6; arc=none smtp.client-ip=209.85.221.48
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b="Iz9zRhD6"
Received: by mail-wr1-f48.google.com with SMTP id
 ffacd0b85a97d-37d1eda8c7cso1089135f8f.3
 for <linux-bluetooth@vger.kernel.org>;
 Mon, 07 Oct 2024 14:35:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=cloudflare.com; s=google09082023; t=1728336942; x=1728941742;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=TINcLHJMJcRO8N8gtca7WYNoZRWtOQnWeYtX29logTQ=;
 b=Iz9zRhD6wRn/Ctlf5ev018am/0nLW5at2MOCHuyXmr9uE/SP8mt91WzpI+bJTy3//g
 qeaWtbKMspHNaRemf3MWYiJ3S4Ap6lieJC+WscCoyAtzSfXgr4MOnF18UIzs0v2ChBMY
 QdnhiluDaWedij+0IxHt0FA7VH4rabbN9hVAbTzSyjam3GmzLUtzj6J9yhB+tyuC6AGJ
 mW/pyl8g+Gi8ATYHoacuOD4Ji1f4axXRvN+O3CfItkX/vobcRdEiuz5+jgshw6vyfTX7
 dSrln/uuccSJSaiILA/Hh0Hb+jsWlPNbIn0ayI4d72IqcCeXZfYWnFJtYmAlSJ8MnRq0
 6zoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1728336942; x=1728941742;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=TINcLHJMJcRO8N8gtca7WYNoZRWtOQnWeYtX29logTQ=;
 b=GR5MpLBUBnWXimmHwbWx51Mk/bjGh5VkI0jmyWQq+kLutAKf2XE6IRFQ8iYxcemATa
 wUs2DUFrB/0j8wWMxtFPRLTvWiLImDJTWCY+zNuuHOYKEcI9Jpf1gvDbpHL8+EvgVC8C
 MCDmVJuP+cv7hlwMsjb+aa4WTCcoyDNaz1EzxpRa/vqzMfjsngIEZcIyDY9vTquT3bFh
 fVHgcGpHAyCnFUYRcrsgpQ7rpU4jqo0sHtgPpppEx8v5R2qPCgVux+V5V2mYohm6zZsb
 KzxHCE6NmfbCgmmBIIDXGgEJt/1V627IpPJlVTg2Q2ynzra+1DgRC7NS5snnJxWDNlMG
 5JKA==
X-Forwarded-Encrypted: i=1;
 AJvYcCWBRQ+7nt79Pl2hti7x8Qs6taQjC2TQsYWzgluN+Is/piduyI/CYHgvDpFO3SpZHBOjshVtMKSF1IK7t9N5yYY=@vger.kernel.org
X-Gm-Message-State: AOJu0Ywj7qmJHqEgCcS/eni0CB70R8HGewSBj9tEtAOPFep64VvDGB80
 MJuCDGRhrpHZVFEVRKHO9fKvZhOXy5S7TnTQynMVG5to9iRSetkDfhFrLNco+xY=
X-Google-Smtp-Source: AGHT+IHAyQYt8epuqdqQ1WiemxSSnJdRW7ySGcsdfEr9r4QwNV8qbe0cvU/RBNztpAk9AJdBnDqlqA==
X-Received: by 2002:a5d:6052:0:b0:37c:c9ae:23fb with SMTP id
 ffacd0b85a97d-37d0e7d43fbmr7244020f8f.40.1728336942347;
 Mon, 07 Oct 2024 14:35:42 -0700 (PDT)
Received: from localhost.localdomain ([104.28.192.66])
 by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.38
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Mon, 07 Oct 2024 14:35:40 -0700 (PDT)
From: Ignat Korchagin <ignat@cloudflare.com>
To: "David S. Miller" <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, Marcel Holtmann <marcel@holtmann.org>,
 Johan Hedberg <johan.hedberg@gmail.com>,
 Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
 Oliver Hartkopp <socketcan@hartkopp.net>,
 Marc Kleine-Budde <mkl@pengutronix.de>,
 Alexander Aring <alex.aring@gmail.com>,
 Stefan Schmidt <stefan@datenfreihafen.org>,
 Miquel Raynal <miquel.raynal@bootlin.com>,
 David Ahern <dsahern@kernel.org>,
 Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
 linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org,
 linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com,
 Ignat Korchagin <ignat@cloudflare.com>
Subject: [PATCH v2 3/8] Bluetooth: L2CAP: do not leave dangling sk pointer on
 error in l2cap_sock_create()
Date: Mon,  7 Oct 2024 22:34:57 +0100
Message-Id: <20241007213502.28183-4-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

bt_sock_alloc() allocates the sk object and attaches it to the provided
sock object. On error l2cap_sock_alloc() frees the sk object, but the
dangling pointer is still attached to the sock object, which may create
use-after-free in other code.

Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
---
 net/bluetooth/l2cap_sock.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index ba437c6f6ee5..18e89e764f3b 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1886,6 +1886,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
 	chan = l2cap_chan_create();
 	if (!chan) {
 		sk_free(sk);
+		sock->sk = NULL;
 		return NULL;
 	}
 

From patchwork Mon Oct  7 21:34:58 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ignat Korchagin <ignat@cloudflare.com>
X-Patchwork-Id: 833385
Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com
 [209.85.221.42])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48C98197521
 for <linux-bluetooth@vger.kernel.org>; Mon,  7 Oct 2024 21:35:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.42
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
 t=1728336951; cv=none;
 b=s6t50QA84gMX53ZyT985GlIn6e0ZiPxkFuIfmeVRbEq/f2yP6Z7iWwRAH50oPS1AbceDY2wnIgaLUtwr6IfYWxPUu2TRt1qe7j2J7/t02tiYYqmCsbA9tL8J9ohxHgB0oEXNFhpExm8Ucu7jafHIS4Dd2EUzJ/d7JrEh8f+GI5c=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
 s=arc-20240116; t=1728336951; c=relaxed/simple;
 bh=+sATRWeawQEUv1+UCi+L6joXgd2sN0KH+RYIISQm3Ag=;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=OIhmsNFwsGactMMMGyS0qGJDJR1icHSOrGiT7RWO9s7z1WS3ZSy6m+63z5lqDEbem+xWrfV5L2pBNOg91ygs8IS6PwoUyehSBeVARtH1yyXbYuylsdHKqPVjjTZSdFMw3T3OglpdZrKQi3s4nb3ILi5ZHF3ZFefn0X8aWNGZ9Ac=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com;
 spf=pass smtp.mailfrom=cloudflare.com;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b=IHTWAhgP; arc=none smtp.client-ip=209.85.221.42
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b="IHTWAhgP"
Received: by mail-wr1-f42.google.com with SMTP id
 ffacd0b85a97d-37ccc597b96so3101334f8f.3
 for <linux-bluetooth@vger.kernel.org>;
 Mon, 07 Oct 2024 14:35:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=cloudflare.com; s=google09082023; t=1728336949; x=1728941749;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=47ahDvpGlziX1HY/1UDQ79MexuwMxPJ3vAc1BGnN1yo=;
 b=IHTWAhgPb3HdgloVHYocEY2AnKcpdxZogqrXgleub6TgSbKyJAAgB+4ugho6ciTijd
 Bg2GTLD5tKp5WM8IJJ6yiq8H7Vbd0N06vfB0HdAqKkXy663vopMy2Wg+IqznijbqehYf
 G2Ihpk7LibE1LGk7QwwbJdw5bRMf0Ue+CpIESxwyhynPDtd8oXt3qOYfZP2NhNujfPhi
 ogBmcRZwtUR29UGJJZIC11k5v4LQasYyv87wX6X3D0sjXBRhkNZ4nFsJBHajGlx3ZzWz
 rH6EngHBNUbt5+3PMbn2nZrybxoBU4Nk84s6rSlHZxPOf4WO5oJiJO2DTyxVqw4ooGiR
 xCXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1728336949; x=1728941749;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=47ahDvpGlziX1HY/1UDQ79MexuwMxPJ3vAc1BGnN1yo=;
 b=jJ04Ru1/OVDuZtJkj2HCOX+dFoVeMO9BjId/ZUNi8RIjyC4xoV0reLrHoKS0w9CpyD
 iEcz4UvmMbZMTM8bGA8P/eT9793mHyiJpBHUAC1RouZQaSEq06J5DcxyNudyPspMAxHN
 6aoEHSFqaxuArEXyBJiIXHuJ+1/LU64ht1CbYej6HU/A/yIz+T+nXHkfHQcJVEbUC7Ru
 7a9SkxmJxqJU91gQ8XSe0Nz9aDP99zpicZjkwboREC+C9UVN5d7IYltzzrXJLcQP7RPF
 8wQ+cdSF/Xv6eCDlmyHM0+LECt5nMHsMPp8r5bsSyxVBppyu+90MnRY94RE1gNdogtLT
 DDLw==
X-Forwarded-Encrypted: i=1;
 AJvYcCVQd+Cu6DV20leLxiRVA9SD/y2PBeNMLV8OlUeBF8j+bwTwiZNI5au3vNF2yAmDOFrh6tWc/sNUVGeIgZvnqpY=@vger.kernel.org
X-Gm-Message-State: AOJu0YxF2l7J4BLp8fnNxJNq/o+fqRiisI9yxvuf/f2oyw3x9AgQngw5
 i01k7ggTmwhhke1zPaVgnkDG3kZ3gBcEbmiOwSM2rZbykESyE9Up3Ql39Cl7YhE=
X-Google-Smtp-Source: AGHT+IEh2nNtGTy8ZHuRwyExnrSdxDBOaaRu0AmF4uU5YudljkVsFMbPD2jmqiCN6O47wxbJKhk2fQ==
X-Received: by 2002:a5d:4d06:0:b0:374:c17a:55b5 with SMTP id
 ffacd0b85a97d-37d0e6f8eccmr8676059f8f.14.1728336944360;
 Mon, 07 Oct 2024 14:35:44 -0700 (PDT)
Received: from localhost.localdomain ([104.28.192.66])
 by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.42
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Mon, 07 Oct 2024 14:35:43 -0700 (PDT)
From: Ignat Korchagin <ignat@cloudflare.com>
To: "David S. Miller" <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, Marcel Holtmann <marcel@holtmann.org>,
 Johan Hedberg <johan.hedberg@gmail.com>,
 Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
 Oliver Hartkopp <socketcan@hartkopp.net>,
 Marc Kleine-Budde <mkl@pengutronix.de>,
 Alexander Aring <alex.aring@gmail.com>,
 Stefan Schmidt <stefan@datenfreihafen.org>,
 Miquel Raynal <miquel.raynal@bootlin.com>,
 David Ahern <dsahern@kernel.org>,
 Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
 linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org,
 linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com,
 Ignat Korchagin <ignat@cloudflare.com>
Subject: [PATCH v2 4/8] Bluetooth: RFCOMM: avoid leaving dangling sk pointer
 in rfcomm_sock_alloc()
Date: Mon,  7 Oct 2024 22:34:58 +0100
Message-Id: <20241007213502.28183-5-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

bt_sock_alloc() attaches allocated sk object to the provided sock object.
If rfcomm_dlc_alloc() fails, we release the sk object, but leave the
dangling pointer in the sock object, which may cause use-after-free.

Fix this by swapping calls to bt_sock_alloc() and rfcomm_dlc_alloc().

Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
---
 net/bluetooth/rfcomm/sock.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 37d63d768afb..0d0c4311da57 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -274,13 +274,13 @@ static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock,
 	struct rfcomm_dlc *d;
 	struct sock *sk;
 
-	sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
-	if (!sk)
+	d = rfcomm_dlc_alloc(prio);
+	if (!d)
 		return NULL;
 
-	d = rfcomm_dlc_alloc(prio);
-	if (!d) {
-		sk_free(sk);
+	sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
+	if (!sk) {
+		rfcomm_dlc_free(d);
 		return NULL;
 	}
 

From patchwork Mon Oct  7 21:34:59 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ignat Korchagin <ignat@cloudflare.com>
X-Patchwork-Id: 834143
Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com
 [209.85.128.41])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by smtp.subspace.kernel.org (Postfix) with ESMTPS id A02F9191F6E
 for <linux-bluetooth@vger.kernel.org>; Mon,  7 Oct 2024 21:35:49 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.41
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
 t=1728336951; cv=none;
 b=YNBVS7PAWdsTLeYnFJ8zjRT945okIfKRcE40uoDafy4S6ByB4vUlr8fY1kPFQ+0bdudWvVt3I5HEcNtmwu6tNZlpvA1DAE1lEyCnhWsGXkL6hlFx0nHqMoPKcam/1S+Llp5xCkGDWtkYRA6CfAXYT1qNwFHRT55t4UChLDJZMPs=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
 s=arc-20240116; t=1728336951; c=relaxed/simple;
 bh=q1wcm6mMQ7h4EZDUMr6oUmN6x8BUBq/PxsPoaXApW48=;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=ZuDwgxx5paNxh88ILd94nlXm/8IH31r8CRHNiyWq6hj+ZN1+44jBcu1ftFMbmqqqDqpcHVY4Jr2NwBayi+6V0gh/QcypTu2vNL/0B/BBlkqULlHMGpVBARHBn/NmWH/BS54ugNFLBi4DnV2ksE/ttlndFh+syyNb9W2efb0LHcw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com;
 spf=pass smtp.mailfrom=cloudflare.com;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b=EsUKZHR6; arc=none smtp.client-ip=209.85.128.41
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b="EsUKZHR6"
Received: by mail-wm1-f41.google.com with SMTP id
 5b1f17b1804b1-42cbface8d6so66243565e9.3
 for <linux-bluetooth@vger.kernel.org>;
 Mon, 07 Oct 2024 14:35:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=cloudflare.com; s=google09082023; t=1728336948; x=1728941748;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=lghPtxWNb8lEoXQFFkVieItQmyHsjS0TFzxCTFvvuyY=;
 b=EsUKZHR6KE8gHPsNB4I4rgBYgBHzsrQfAorSi7uc6BABzFKfAGp5rUwhby7kGPAMYD
 sMugXNGItRxJIUEPNcNzO/EKpXXC0G731pc06JVHjXhGKAY0GUGmeiCEKwRNI5KJG0vC
 NCoJMgIHRlgieYZQ4ahtFl8toYnjWdc4/gBMjLIDWTpNIfGdXeHgcnSU5EHe+utJrJzW
 82vShMelVBEy/T9pHgZtn39qBcfHsvQLqeGyU0pAkWjpClVTR2d98c2GOEr2liCBgkUd
 DmR2F7Il7fqKwmX5YXnmKYWMjSgIg0JQCLZg+A2AguR8jWfhO/KwXjy2dSZcrkKWVt/C
 ARRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1728336948; x=1728941748;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=lghPtxWNb8lEoXQFFkVieItQmyHsjS0TFzxCTFvvuyY=;
 b=IiomBUv564rDK87S9gqjg8s6pMGbNspqCtsSBJ4OnUTehWjqsBn3TJf8NsaGoeEjjl
 4G7nb+uB3FvfWGMFR2P20pLp6R0jOQMyo7IkTj6FC0BlOfzSh5JGsiXr0zIIiE6dg4fo
 +6R6SmkCs3laAhePPEAbGaTj03u4ewRx77KUFdmuF06UI16ypgTBoHuCxTaDebPZ2uSH
 ttr6Ai1fiMKXk0Wb0k5RUMJtu8UocGO3O+zJpASpWRn0vKYgpXCI8i2lxkg+j2/srqn1
 AM9efBK3NKOCGrF2EeL5c9VZcB0RpHpx8xeseFg7aWgtBOoppBRzDBIyuC3GnUn782Ni
 67JA==
X-Forwarded-Encrypted: i=1;
 AJvYcCVESIvQCrEu23hicTQ3Tm0wmdLl1JE8sT41c9bXJeRRp9vKtQjASflhFeR3e03alTw0p7cUceUUqkOEuVsI/d0=@vger.kernel.org
X-Gm-Message-State: AOJu0YzRY1wLOGH5cXCVPYN2t6PPSjkFpraW2yN5rNqmtKYkYVUAEULj
 YX/iyMOw5QGBofv9rKiY/TRrlCnQx0syXjUiL1xTJVvUja/QzDtjVhzdOUKQCYM=
X-Google-Smtp-Source: AGHT+IGIEgvlVQ63MN8px9sXGIB6rH0PaHc0x2aiS2t9bCm+0YE6s5XpgSiahpjGOCaDNGfNsSEswQ==
X-Received: by 2002:a05:600c:5494:b0:42f:8229:a09e with SMTP id
 5b1f17b1804b1-42f85aef6e2mr143742535e9.29.1728336946921;
 Mon, 07 Oct 2024 14:35:46 -0700 (PDT)
Received: from localhost.localdomain ([104.28.192.66])
 by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.44
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Mon, 07 Oct 2024 14:35:46 -0700 (PDT)
From: Ignat Korchagin <ignat@cloudflare.com>
To: "David S. Miller" <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, Marcel Holtmann <marcel@holtmann.org>,
 Johan Hedberg <johan.hedberg@gmail.com>,
 Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
 Oliver Hartkopp <socketcan@hartkopp.net>,
 Marc Kleine-Budde <mkl@pengutronix.de>,
 Alexander Aring <alex.aring@gmail.com>,
 Stefan Schmidt <stefan@datenfreihafen.org>,
 Miquel Raynal <miquel.raynal@bootlin.com>,
 David Ahern <dsahern@kernel.org>,
 Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
 linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org,
 linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com,
 Ignat Korchagin <ignat@cloudflare.com>
Subject: [PATCH v2 5/8] net: af_can: do not leave a dangling sk pointer in
 can_create()
Date: Mon,  7 Oct 2024 22:34:59 +0100
Message-Id: <20241007213502.28183-6-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

On error can_create() frees the allocated sk object, but sock_init_data()
has already attached it to the provided sock object. This will leave a
dangling sk pointer in the sock object and may cause use-after-free later.

Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
---
 net/can/af_can.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/can/af_can.c b/net/can/af_can.c
index 707576eeeb58..01f3fbb3b67d 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -171,6 +171,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
 		/* release sk on errors */
 		sock_orphan(sk);
 		sock_put(sk);
+		sock->sk = NULL;
 	}
 
  errout:

From patchwork Mon Oct  7 21:35:00 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ignat Korchagin <ignat@cloudflare.com>
X-Patchwork-Id: 834142
Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com
 [209.85.128.46])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by smtp.subspace.kernel.org (Postfix) with ESMTPS id B6B601DA61B
 for <linux-bluetooth@vger.kernel.org>; Mon,  7 Oct 2024 21:35:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.46
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
 t=1728336952; cv=none;
 b=reCn4MODv/D8HRtVCgB2w0AZ+4gW/x9AgMXQNWq3JR8K7t/o/xpYkRf35AyKyy6Zdg54Fon7OGij5y8eh3m+hrxQkLo5aQPIGkVkCt2ZDpQ3kZvgQq6IHqHLVSNgmJFpBLd6c0yFOWEHMMAHLgtfYOhY80Cj1hIYBRwqj2xDWLE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
 s=arc-20240116; t=1728336952; c=relaxed/simple;
 bh=CZ5nZ72LPsUscQ/XLvrhFET6jRbMhyKZW1WicnfpLPA=;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=Aza5iQor/4QrPfvB+dQf6wtU6fvt9M0K7gRbvbxkoGOJz6Bgo2YP1htR9iPPSpEUq0n0tyyR9smeHECgXeuggjCF0t7Io0ZmjEtRndbdQycSDWC72xxtXH7fivm5UrrrD1iyfn+zDP7T9k7QlIUxrF4WE0vyGTVPPgdLbPOKr3c=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com;
 spf=pass smtp.mailfrom=cloudflare.com;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b=XbgRrvyu; arc=none smtp.client-ip=209.85.128.46
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b="XbgRrvyu"
Received: by mail-wm1-f46.google.com with SMTP id
 5b1f17b1804b1-42cb2191107so43926045e9.1
 for <linux-bluetooth@vger.kernel.org>;
 Mon, 07 Oct 2024 14:35:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=cloudflare.com; s=google09082023; t=1728336949; x=1728941749;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=BU52YEIbPPjVkPgQ3Y9wQ3w91aLQy4KsNcSSu3XlZvI=;
 b=XbgRrvyuC2C4UUGZm1Kyg96OotgJi3Y38sEyztjS4C7nn6SzwMxGBHUv+ISEXyhnCe
 NwCcE5oQT+9dmYlJgr4gj7chS4UxdDFK/yvxlG6ToSyZk/7mFcz9HRHnfgtjH4n+RDnQ
 Y9uLI7/25fDkq10IXfmGRUhdKg8ek/QPQiatskwJDBcE5sZp1/cRIfnkfUSvngRmMyFU
 qGG67meoIL8OdvgiUmEF5XBWJtcQGpV53mCCeAAFh5tfYNLlu9S76mcaFC5SzHUQo9hA
 O1B6ZCKm6FzwhcasSZe1SCWk4GdzS+65+UWUWatz8tpZklAEPMPbq6Zp78R9NMz7Z6HJ
 0coA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1728336949; x=1728941749;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=BU52YEIbPPjVkPgQ3Y9wQ3w91aLQy4KsNcSSu3XlZvI=;
 b=xNluzniectQEW6bXbKhKVnCoaABZ42E9/Oy83hhKZ5nQjzdoGpeKxeZA3R0D2+cN7M
 4SXVZ/w6rWDwZQmQcir+bGVC3DyfQE2LAlFh/2WKjyBZXPG/LXYE1WcNADy5zBb584Nl
 PKTDvQBIcUKk6XCYHGGRVlojhfQN/LtG3J87PhWk8yZGNLJigJ+y4ijZHceILh1FBTf8
 zKGqBQQCcBPs2dzYVZJ9E6nHvAmZCReWLD7lm2/e37ECDYgsvGXseJ+oJoy5tYM09uNP
 A1izoIoHoKq5F2YHaI+Y7TpIqlOabvhSUNd8gKC/txv4YeFj7Ang+MgydY9imae4Yupn
 uezw==
X-Forwarded-Encrypted: i=1;
 AJvYcCVdJg8rmGRc+43CfO1GhJhlfCZPHGvbvcT04cQ7VTgubcwkPEtFsG5mIncrs4JKpondkvb7h5XKfMakhHhbuGk=@vger.kernel.org
X-Gm-Message-State: AOJu0YwkZ+ldL5XW9eS8EjJ8Q4wBg5aUA3nuPTltli5ubs8mzkeGYiUf
 73JkXvchbe8/qmxq4Z3+VffMaMBtQKAEgyNjNTABf/xsrOSjn4HW7PvkgfmngQE=
X-Google-Smtp-Source: AGHT+IF3Mr1m0BA+tyZxEbsXfJoH0mYfnXmhY4oQRsrEz2kQrNeN0a7g/aWeWG/UvI2YgEescmo9xg==
X-Received: by 2002:a5d:5f88:0:b0:37c:d179:2f77 with SMTP id
 ffacd0b85a97d-37d0e6bc9f8mr9021915f8f.12.1728336949047;
 Mon, 07 Oct 2024 14:35:49 -0700 (PDT)
Received: from localhost.localdomain ([104.28.192.66])
 by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.47
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Mon, 07 Oct 2024 14:35:48 -0700 (PDT)
From: Ignat Korchagin <ignat@cloudflare.com>
To: "David S. Miller" <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, Marcel Holtmann <marcel@holtmann.org>,
 Johan Hedberg <johan.hedberg@gmail.com>,
 Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
 Oliver Hartkopp <socketcan@hartkopp.net>,
 Marc Kleine-Budde <mkl@pengutronix.de>,
 Alexander Aring <alex.aring@gmail.com>,
 Stefan Schmidt <stefan@datenfreihafen.org>,
 Miquel Raynal <miquel.raynal@bootlin.com>,
 David Ahern <dsahern@kernel.org>,
 Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
 linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org,
 linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com,
 Ignat Korchagin <ignat@cloudflare.com>
Subject: [PATCH v2 6/8] net: ieee802154: do not leave a dangling sk pointer in
 ieee802154_create()
Date: Mon,  7 Oct 2024 22:35:00 +0100
Message-Id: <20241007213502.28183-7-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

sock_init_data() attaches the allocated sk object to the provided sock
object. If ieee802154_create() fails later, the allocated sk object is
freed, but the dangling pointer remains in the provided sock object, which
may allow use-after-free.

Clear the sk pointer in the sock object on error.

Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
---
 net/ieee802154/socket.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index 990a83455dcf..18d267921bb5 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -1043,19 +1043,21 @@ static int ieee802154_create(struct net *net, struct socket *sock,
 
 	if (sk->sk_prot->hash) {
 		rc = sk->sk_prot->hash(sk);
-		if (rc) {
-			sk_common_release(sk);
-			goto out;
-		}
+		if (rc)
+			goto out_sk_release;
 	}
 
 	if (sk->sk_prot->init) {
 		rc = sk->sk_prot->init(sk);
 		if (rc)
-			sk_common_release(sk);
+			goto out_sk_release;
 	}
 out:
 	return rc;
+out_sk_release:
+	sk_common_release(sk);
+	sock->sk = NULL;
+	goto out;
 }
 
 static const struct net_proto_family ieee802154_family_ops = {

From patchwork Mon Oct  7 21:35:01 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ignat Korchagin <ignat@cloudflare.com>
X-Patchwork-Id: 833384
Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com
 [209.85.128.51])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9CECA1DE8B7
 for <linux-bluetooth@vger.kernel.org>; Mon,  7 Oct 2024 21:35:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.51
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
 t=1728336955; cv=none;
 b=gJ0cIunjJyAfkUAQ8B+5uY+sAIwugxnkFVVBI2IeSMvHud9AqfqE+QmAKfVBnco7G4xY9/6rAQOKaa3HNRKXWejbkDZ2Pv/0qBCt1t2Dq3Csw9gf010H1GQACcES2rY1HliQxjBXWb1cZ7wGItTlSXqrmfyWyEHbtUpowr1FyHU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
 s=arc-20240116; t=1728336955; c=relaxed/simple;
 bh=TykJJMM5IzwfbahmKZJTnRFTzpHvJ80eOgoE0YjZMYM=;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=luFtD9UyzV5XWmC1iJ2ah4puKOzlMvQajnqb/7pYlkONlIJiwTnKNXes1vy7D1SD5dFPc0Ade9BgB4SBXNFC01BzEXCbMH2G6nkMYhv75MfjhaWlCn6SFZDfr1QXVZ7oYfaN/0wgSqV38S4iOf4deKgbdjTnY29seU9vHxJEZNg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com;
 spf=pass smtp.mailfrom=cloudflare.com;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b=IadjJ5WE; arc=none smtp.client-ip=209.85.128.51
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b="IadjJ5WE"
Received: by mail-wm1-f51.google.com with SMTP id
 5b1f17b1804b1-42e748f78d6so44023695e9.0
 for <linux-bluetooth@vger.kernel.org>;
 Mon, 07 Oct 2024 14:35:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=cloudflare.com; s=google09082023; t=1728336952; x=1728941752;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=49ytr3oVzMOQdVnJdbtLDkZg4U2+YqG6lYXkOtuknMY=;
 b=IadjJ5WEYC2qjD9w97BQkm7IndEvOut78OQ5wJZuFBpbNNc/limp5VYD4IP4DhcOWs
 3Tuw20KC0iaDMS3EcevV8IYAWcFCuLryo71ZofZ4uoMrsj3nk2t5uUfoEUvboGQYNt70
 XSM7M6Z4Brd/od18tMRWCblm5xsG8Y+1MI5vbxjD2Zxl7VwU5wlOa4dZLhIQOJL48Stz
 Mj2pTa4l46fGKnkOpLVt4yoZdys0Nlu3sbstkmTl28dUrsvrt+uVrl/suE6FteSR0rV7
 RMlQz9sOqnvJWxkCCYkztNpM0ve2jdh3TiwJrJkeoJzJf878Wur0G26cWBa3hlKULuoU
 nEtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1728336952; x=1728941752;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=49ytr3oVzMOQdVnJdbtLDkZg4U2+YqG6lYXkOtuknMY=;
 b=f6d5an0ihFcrsEjm5b2fiZZyf8JFUTPMFybrUXTR8nG8mWsEmcSt9vsvN6IlyrD/Qr
 WTGiY6194AStR+ZcEvTusf2WLhFzEHXK6SNosnPjRYA3YHttqHEV1+ac/BycJZM2v4wh
 ymvRFMaNdvd6I2/5vYHc4RDwTOByepgda+v167Yfgp9Rg0M+KJo50g/do/vim7I7+eci
 iHpeyapPV3dRKPf8PEpXHIKg14itTv1cnMP7+HQBE/naI7modvVexsJ1V1iqU0X7v62I
 5yqiaCf3fho0rEDL2ZZ1B6uBOGhhYlgchrg8HQ9F5ajMxql4JkqP8+b3Oge6sVJWLbgF
 hrzw==
X-Forwarded-Encrypted: i=1;
 AJvYcCUr/7SE0kOVYmyLwnO524X/7TtsG9IYG7nhqiUk7qEXOJKZ5IfSMlSuflj/N7mGql1L2hQTuBsGUZWwmdh2Lms=@vger.kernel.org
X-Gm-Message-State: AOJu0YxA7NAlmiZcVgsXyd2HM10Ve3nbAq6Vym6tvYFf/exYmyvLRs8T
 k6acYge6A3vNLNXiXx97D8JeGOnyLFSvHUsFXfkT/4/2cRr69CSWSxqv+d807Fk=
X-Google-Smtp-Source: AGHT+IEANzLF+YRzAcqDXPNSr1m41nJQ4hZi4WyDM2XMIIfrfbIkQHrP+5IaWRoz90/emp42kZFqcQ==
X-Received: by 2002:a05:600c:3c94:b0:428:ec2a:8c94 with SMTP id
 5b1f17b1804b1-42f85ab8972mr102989265e9.10.1728336951961;
 Mon, 07 Oct 2024 14:35:51 -0700 (PDT)
Received: from localhost.localdomain ([104.28.192.66])
 by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.49
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Mon, 07 Oct 2024 14:35:51 -0700 (PDT)
From: Ignat Korchagin <ignat@cloudflare.com>
To: "David S. Miller" <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, Marcel Holtmann <marcel@holtmann.org>,
 Johan Hedberg <johan.hedberg@gmail.com>,
 Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
 Oliver Hartkopp <socketcan@hartkopp.net>,
 Marc Kleine-Budde <mkl@pengutronix.de>,
 Alexander Aring <alex.aring@gmail.com>,
 Stefan Schmidt <stefan@datenfreihafen.org>,
 Miquel Raynal <miquel.raynal@bootlin.com>,
 David Ahern <dsahern@kernel.org>,
 Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
 linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org,
 linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com,
 Ignat Korchagin <ignat@cloudflare.com>
Subject: [PATCH v2 7/8] net: inet: do not leave a dangling sk pointer in
 inet_create()
Date: Mon,  7 Oct 2024 22:35:01 +0100
Message-Id: <20241007213502.28183-8-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

sock_init_data() attaches the allocated sk object to the provided sock
object. If inet_create() fails later, the sk object is freed, but the
sock object retains the dangling pointer, which may create use-after-free
later.

Clear the sk pointer in the sock object on error.

Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
---
 net/ipv4/af_inet.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index b24d74616637..8095e82de808 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -376,32 +376,30 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
 		inet->inet_sport = htons(inet->inet_num);
 		/* Add to protocol hash chains. */
 		err = sk->sk_prot->hash(sk);
-		if (err) {
-			sk_common_release(sk);
-			goto out;
-		}
+		if (err)
+			goto out_sk_release;
 	}
 
 	if (sk->sk_prot->init) {
 		err = sk->sk_prot->init(sk);
-		if (err) {
-			sk_common_release(sk);
-			goto out;
-		}
+		if (err)
+			goto out_sk_release;
 	}
 
 	if (!kern) {
 		err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk);
-		if (err) {
-			sk_common_release(sk);
-			goto out;
-		}
+		if (err)
+			goto out_sk_release;
 	}
 out:
 	return err;
 out_rcu_unlock:
 	rcu_read_unlock();
 	goto out;
+out_sk_release:
+	sk_common_release(sk);
+	sock->sk = NULL;
+	goto out;
 }
 
 

From patchwork Mon Oct  7 21:35:02 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ignat Korchagin <ignat@cloudflare.com>
X-Patchwork-Id: 834141
Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com
 [209.85.221.43])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by smtp.subspace.kernel.org (Postfix) with ESMTPS id 03F7D1DED71
 for <linux-bluetooth@vger.kernel.org>; Mon,  7 Oct 2024 21:35:56 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.43
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
 t=1728336958; cv=none;
 b=BfqR33cMSbc77nSGAVonJh72UR8A9CeOoqxYawnd6LyAwKkqgOeEzxJRKvqHzYl6pSqAEb9/UlZ1uD3h9tc0+uVLHaRTTiZqRGcVrYiKuGSl4+ny6zJSrU7x6cazAQyWn5icy0nl5BRONL7gWS5GKGnEjI7kHJ1dDlt0pqhcwZk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
 s=arc-20240116; t=1728336958; c=relaxed/simple;
 bh=B2jIOs9L3gzL5PsTv6zAjfQ7uhJ1V7bXBI/aVWUwbYc=;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=YoRXPZlLfUJLjiTrC82jRVzAn903jd7mTg0nO3XVT/izjjcuacHwPCbpy6eF3OEnU9I5Duh0ykoMrNNr4xR/fMetBECXUiyfh8JAdo5A0uLT675by+SyuIdCS8QHsCwkiCZLUzAT7KNnSFpefcfz98sCcNa1G1VKpw8g6m1zhlo=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com;
 spf=pass smtp.mailfrom=cloudflare.com;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b=fwi1TuZE; arc=none smtp.client-ip=209.85.221.43
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=cloudflare.com
Authentication-Results: smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com
 header.b="fwi1TuZE"
Received: by mail-wr1-f43.google.com with SMTP id
 ffacd0b85a97d-37ccdc0d7f6so3176987f8f.0
 for <linux-bluetooth@vger.kernel.org>;
 Mon, 07 Oct 2024 14:35:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=cloudflare.com; s=google09082023; t=1728336955; x=1728941755;
 darn=vger.kernel.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=lc//y1BjgJvxxX3rGB4aDZ3xX09SUgENBX50qA84hL0=;
 b=fwi1TuZE6U+cV626UHx2sfHQOtvBK4ewje5Ti3AQ+2l1Aez2OmKyZ6zr5pIdE2z6v9
 /XZjYBsm/b/6WmY3v8aFONI+5YPww37GCXD6u8W/NN9oEJgEB7Jz5EiqXw6Gw9oBuiU0
 AlqwxE5oYzKjXOiKQFya+KrrOIfXcOKO9fMt8GBWw+fhgNMnwXn5RwDuvSlM0HDZGxGz
 HRE40KxC7KmVwbRUIoWtoh0kKW5s/pmSozzLAknn/9x0x12Jq4HX9oHB/ts2R2OGPdL2
 e7sGq8iO92k3xIxqiXHEmcqjMZfAraBxkD982nldy2zJxZyrprysYOuMpnQ4zuAUuLoE
 6BLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1728336955; x=1728941755;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=lc//y1BjgJvxxX3rGB4aDZ3xX09SUgENBX50qA84hL0=;
 b=CD0o7EwNSDZZsOyvVQoDw/JDRfZqKFw4Z/CV1ymF8EdE/tVlwQlCdoCKXqN0rCRp2z
 RTZIZmfgmaTeo31u69fKbvoGmwoPhYJaRQr4NGF1qOxcxjwSprpeqIu4KoZNBBs33ddy
 sVOYM/uNnYsTnOlT+qY8vNPuUHn7Y9UWrDWOGZPrUZPkj147wYbYmHUqAZFMaZd2mUYD
 BiKDsVHrOi91TBZeGUncGAa3bhbKdOQIg9VohEnKReeslMuCepUduWHe9xGIQbM3mdY6
 4D4W69TrjhXI/e1eL3ZYgYUtdPw4nboeEI4VvDoRs+7C2eId6CQTIOVRGvxSW9OvZQzO
 gWIg==
X-Forwarded-Encrypted: i=1;
 AJvYcCXAEFivT2cKNS50cWKSySHsvL43aBkvevHIb8tC1b7C8iPYg205gFYt15/6l0GXJtY8duROkN6VzWHIhIz3eHI=@vger.kernel.org
X-Gm-Message-State: AOJu0YzacAONpPP3fBWUGeU16Mr4vtekJw3LgCNK4Csmp9JwmnY8ObTx
 FqywJ/krk730eNwOYphBYv9F7mqqSvZorp8Ae/9HgWvXBcWf+rpcxenRwWoEQCQ=
X-Google-Smtp-Source: AGHT+IFlr52AJGKwlZWzuyM1U26fNN+5lWsZfsZ3/C7NwJE8QNsJ8h0z9W2aZlJldJJxtKVirxozSQ==
X-Received: by 2002:adf:ec03:0:b0:374:c11c:c5c3 with SMTP id
 ffacd0b85a97d-37d0e7d3e2amr7529022f8f.41.1728336955301;
 Mon, 07 Oct 2024 14:35:55 -0700 (PDT)
Received: from localhost.localdomain ([104.28.192.66])
 by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-37d1691a4absm6535887f8f.29.2024.10.07.14.35.52
 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
 Mon, 07 Oct 2024 14:35:53 -0700 (PDT)
From: Ignat Korchagin <ignat@cloudflare.com>
To: "David S. Miller" <davem@davemloft.net>,
 Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
 Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, Marcel Holtmann <marcel@holtmann.org>,
 Johan Hedberg <johan.hedberg@gmail.com>,
 Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
 Oliver Hartkopp <socketcan@hartkopp.net>,
 Marc Kleine-Budde <mkl@pengutronix.de>,
 Alexander Aring <alex.aring@gmail.com>,
 Stefan Schmidt <stefan@datenfreihafen.org>,
 Miquel Raynal <miquel.raynal@bootlin.com>,
 David Ahern <dsahern@kernel.org>,
 Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
 linux-bluetooth@vger.kernel.org, linux-can@vger.kernel.org,
 linux-wpan@vger.kernel.org
Cc: kernel-team@cloudflare.com, kuniyu@amazon.com, alibuda@linux.alibaba.com,
 Ignat Korchagin <ignat@cloudflare.com>
Subject: [PATCH v2 8/8] inet6: do not leave a dangling sk pointer in
 inet6_create()
Date: Mon,  7 Oct 2024 22:35:02 +0100
Message-Id: <20241007213502.28183-9-ignat@cloudflare.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20241007213502.28183-1-ignat@cloudflare.com>
References: <20241007213502.28183-1-ignat@cloudflare.com>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

sock_init_data() attaches the allocated sk pointer to the provided sock
object. If inet6_create() fails later, the sk object is released, but the
sock object retains the dangling sk pointer, which may cause use-after-free
later.

Clear the sock sk pointer on error.

Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
---
 net/ipv6/af_inet6.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index ba69b86f1c7d..f60ec8b0f8ea 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -252,31 +252,29 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
 		 */
 		inet->inet_sport = htons(inet->inet_num);
 		err = sk->sk_prot->hash(sk);
-		if (err) {
-			sk_common_release(sk);
-			goto out;
-		}
+		if (err)
+			goto out_sk_release;
 	}
 	if (sk->sk_prot->init) {
 		err = sk->sk_prot->init(sk);
-		if (err) {
-			sk_common_release(sk);
-			goto out;
-		}
+		if (err)
+			goto out_sk_release;
 	}
 
 	if (!kern) {
 		err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk);
-		if (err) {
-			sk_common_release(sk);
-			goto out;
-		}
+		if (err)
+			goto out_sk_release;
 	}
 out:
 	return err;
 out_rcu_unlock:
 	rcu_read_unlock();
 	goto out;
+out_sk_release:
+	sk_common_release(sk);
+	sock->sk = NULL;
+	goto out;
 }
 
 static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,