From 4fccc362cf931e26bd586ca2cbbb4e79ed312123 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 10 Mar 2023 09:16:42 +0100 Subject: [PATCH] 6.2-stable patches added patches: net-avoid-double-iput-when-sock_alloc_file-fails.patch --- ...uble-iput-when-sock_alloc_file-fails.patch | 99 +++++++++++++++++++ queue-6.2/series | 1 + 2 files changed, 100 insertions(+) create mode 100644 queue-6.2/net-avoid-double-iput-when-sock_alloc_file-fails.patch diff --git a/queue-6.2/net-avoid-double-iput-when-sock_alloc_file-fails.patch b/queue-6.2/net-avoid-double-iput-when-sock_alloc_file-fails.patch new file mode 100644 index 00000000000..33c6553b5d9 --- /dev/null +++ b/queue-6.2/net-avoid-double-iput-when-sock_alloc_file-fails.patch @@ -0,0 +1,99 @@ +From 649c15c7691e9b13cbe9bf6c65c365350e056067 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Tue, 7 Mar 2023 14:37:07 -0300 +Subject: net: avoid double iput when sock_alloc_file fails + +From: Thadeu Lima de Souza Cascardo + +commit 649c15c7691e9b13cbe9bf6c65c365350e056067 upstream. + +When sock_alloc_file fails to allocate a file, it will call sock_release. +__sys_socket_file should then not call sock_release again, otherwise there +will be a double free. + +[ 89.319884] ------------[ cut here ]------------ +[ 89.320286] kernel BUG at fs/inode.c:1764! +[ 89.320656] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +[ 89.321051] CPU: 7 PID: 125 Comm: iou-sqp-124 Not tainted 6.2.0+ #361 +[ 89.321535] RIP: 0010:iput+0x1ff/0x240 +[ 89.321808] Code: d1 83 e1 03 48 83 f9 02 75 09 48 81 fa 00 10 00 00 77 05 83 e2 01 75 1f 4c 89 ef e8 fb d2 ba 00 e9 80 fe ff ff c3 cc cc cc cc <0f> 0b 0f 0b e9 d0 fe ff ff 0f 0b eb 8d 49 8d b4 24 08 01 00 00 48 +[ 89.322760] RSP: 0018:ffffbdd60068bd50 EFLAGS: 00010202 +[ 89.323036] RAX: 0000000000000000 RBX: ffff9d7ad3cacac0 RCX: 0000000000001107 +[ 89.323412] RDX: 000000000003af00 RSI: 0000000000000000 RDI: ffff9d7ad3cacb40 +[ 89.323785] RBP: ffffbdd60068bd68 R08: ffffffffffffffff R09: ffffffffab606438 +[ 89.324157] R10: ffffffffacb3dfa0 R11: 6465686361657256 R12: ffff9d7ad3cacb40 +[ 89.324529] R13: 0000000080000001 R14: 0000000080000001 R15: 0000000000000002 +[ 89.324904] FS: 00007f7b28516740(0000) GS:ffff9d7aeb1c0000(0000) knlGS:0000000000000000 +[ 89.325328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 89.325629] CR2: 00007f0af52e96c0 CR3: 0000000002a02006 CR4: 0000000000770ee0 +[ 89.326004] PKRU: 55555554 +[ 89.326161] Call Trace: +[ 89.326298] +[ 89.326419] __sock_release+0xb5/0xc0 +[ 89.326632] __sys_socket_file+0xb2/0xd0 +[ 89.326844] io_socket+0x88/0x100 +[ 89.327039] ? io_issue_sqe+0x6a/0x430 +[ 89.327258] io_issue_sqe+0x67/0x430 +[ 89.327450] io_submit_sqes+0x1fe/0x670 +[ 89.327661] io_sq_thread+0x2e6/0x530 +[ 89.327859] ? __pfx_autoremove_wake_function+0x10/0x10 +[ 89.328145] ? __pfx_io_sq_thread+0x10/0x10 +[ 89.328367] ret_from_fork+0x29/0x50 +[ 89.328576] RIP: 0033:0x0 +[ 89.328732] Code: Unable to access opcode bytes at 0xffffffffffffffd6. +[ 89.329073] RSP: 002b:0000000000000000 EFLAGS: 00000202 ORIG_RAX: 00000000000001a9 +[ 89.329477] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f7b28637a3d +[ 89.329845] RDX: 00007fff4e4318a8 RSI: 00007fff4e4318b0 RDI: 0000000000000400 +[ 89.330216] RBP: 00007fff4e431830 R08: 00007fff4e431711 R09: 00007fff4e4318b0 +[ 89.330584] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff4e441b38 +[ 89.330950] R13: 0000563835e3e725 R14: 0000563835e40d10 R15: 00007f7b28784040 +[ 89.331318] +[ 89.331441] Modules linked in: +[ 89.331617] ---[ end trace 0000000000000000 ]--- + +Fixes: da214a475f8b ("net: add __sys_socket_file()") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Jens Axboe +Reviewed-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230307173707.468744-1-cascardo@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -449,7 +449,9 @@ static struct file_system_type sock_fs_t + * + * Returns the &file bound with @sock, implicitly storing it + * in sock->file. If dname is %NULL, sets to "". +- * On failure the return is a ERR pointer (see linux/err.h). ++ * ++ * On failure @sock is released, and an ERR pointer is returned. ++ * + * This function uses GFP_KERNEL internally. + */ + +@@ -1613,7 +1615,6 @@ static struct socket *__sys_socket_creat + struct file *__sys_socket_file(int family, int type, int protocol) + { + struct socket *sock; +- struct file *file; + int flags; + + sock = __sys_socket_create(family, type, protocol); +@@ -1624,11 +1625,7 @@ struct file *__sys_socket_file(int famil + if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK)) + flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK; + +- file = sock_alloc_file(sock, flags, NULL); +- if (IS_ERR(file)) +- sock_release(sock); +- +- return file; ++ return sock_alloc_file(sock, flags, NULL); + } + + int __sys_socket(int family, int type, int protocol) diff --git a/queue-6.2/series b/queue-6.2/series index 59012a6e65a..c35897016be 100644 --- a/queue-6.2/series +++ b/queue-6.2/series @@ -996,3 +996,4 @@ drm-edid-fix-avi-infoframe-aspect-ratio-handling.patch drm-edid-fix-parsing-of-3d-modes-from-hdmi-vsdb.patch qede-avoid-uninitialized-entries-in-coal_entry-array.patch brd-use-radix_tree_maybe_preload-instead-of-radix_tree_preload.patch +net-avoid-double-iput-when-sock_alloc_file-fails.patch -- 2.47.3