    af_key: unconditionally clone on broadcast · 978e0388
    Sean Tranchetti authored
    [ Upstream commit fc2d5cfd ]
    
    Attempting to avoid cloning the skb when broadcasting by inflating
    the refcount with sock_hold/sock_put while under RCU lock is dangerous
    and violates RCU principles. It leads to subtle race conditions when
    attempting to free the SKB, as we may reference sockets that have
    already been freed by the stack.
    
    Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c4b
    [006b6b6b6b6b6c4b] address between user and kernel address ranges
    Internal error: Oops: 96000004 [#1] PREEMPT SMP
    task: fffffff78f65b380 task.stack: ffffff8049a88000
    pc : sock_rfree+0x38/0x6c
    lr : skb_release_head_state+0x6c/0xcc
    Process repro (pid: 7117, stack limit = 0xffffff8049a88000)
    Call trace:
    	sock_rfree+0x38/0x6c
    	skb_release_head_state+0x6c/0xcc
    	skb_release_all+0x1c/0x38
    	__kfree_skb+0x1c/0x30
    	kfree_skb+0xd0/0xf4
    	pfkey_broadcast+0x14c/0x18c
    	pfkey_sendmsg+0x1d8/0x408
    	sock_sendmsg+0x44/0x60
    	___sys_sendmsg+0x1d0/0x2a8
    	__sys_sendmsg+0x64/0xb4
    	SyS_sendmsg+0x34/0x4c
    	el0_svc_naked+0x34/0x38
    Kernel panic - not syncing: Fatal exception
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
af_key.c 101 KB
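The faulting address in the oops above, 0x6b6b6b6b6b6c4b, is the kernel's slab free poison byte 0x6b (POISON_FREE in include/linux/poison.h) repeated through a pointer, plus a small member offset of 0xe0: the pointer that sock_rfree dereferenced had been loaded from memory that was already freed and poisoned, which is the freed-object reference the commit message describes. The helper below is an added triage example, not code from this commit or from the kernel tree; it classifies an oops address against the three kernel poison bytes and recovers the member offset. The three poison constants are the kernel's own; the 0x10000 maximum offset, the search over pattern widths narrower than 8 bytes (the oops reports seven poison bytes with the top byte zero), and the parse_oops_addr/classify_fault_addr names are assumptions of this example. Which struct sock member sits at offset 0xe0 depends on the build's layout and is not determined here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Kernel slab poison bytes, as defined in include/linux/poison.h. */
#define POISON_FREE  0x6bU  /* written over an object when it is freed     */
#define POISON_INUSE 0x5aU  /* written over an object when it is allocated */
#define POISON_END   0xa5U  /* marks the last byte of a poisoned object    */

/* Assumption of this example: a member offset larger than this is not a
 * plausible "poisoned pointer plus struct member" dereference. */
#define MAX_FIELD_OFFSET 0x10000ULL

struct poison_hit {
    int found;          /* 1 if addr looks like poison + small offset */
    unsigned byte;      /* which poison byte filled the pointer       */
    int width;          /* number of low bytes carrying the pattern   */
    uint64_t offset;    /* addr - poisoned pointer: the member offset */
};

/* Fill the low `width` bytes of a 64-bit value with byte b. */
static uint64_t repeat_byte(unsigned b, int width)
{
    uint64_t v = 0;
    for (int i = 0; i < width; i++)
        v |= (uint64_t)b << (8 * i);
    return v;
}

/* Classify a faulting virtual address from an oops line. Widths below 8
 * are tried because the oops above reports 0x6b6b6b6b6b6c4b: seven poison
 * bytes with the top byte zero, so a full 64-bit pattern would not match. */
struct poison_hit classify_fault_addr(uint64_t addr)
{
    static const unsigned bytes[] = { POISON_FREE, POISON_INUSE, POISON_END };
    struct poison_hit hit = { 0, 0, 0, 0 };

    for (int width = 8; width >= 4; width--) {
        for (size_t i = 0; i < sizeof bytes / sizeof bytes[0]; i++) {
            uint64_t base = repeat_byte(bytes[i], width);
            if (addr >= base && addr - base < MAX_FIELD_OFFSET) {
                hit.found = 1;
                hit.byte = bytes[i];
                hit.width = width;
                hit.offset = addr - base;
                return hit;
            }
        }
    }
    return hit;
}

/* Parse the hex address as printed by "Unable to handle kernel paging
 * request at virtual address ..."; an optional 0x prefix is accepted. */
uint64_t parse_oops_addr(const char *s)
{
    return (uint64_t)strtoull(s, NULL, 16);
}

int main(int argc, char **argv)
{
    /* Default input is the address from the oops on this page. */
    const char *s = argc > 1 ? argv[1] : "6b6b6b6b6b6c4b";
    uint64_t addr = parse_oops_addr(s);
    struct poison_hit h = classify_fault_addr(addr);

    if (!h.found) {
        printf("0x%llx: no slab poison pattern\n", (unsigned long long)addr);
        return 1;
    }
    printf("0x%llx: poison 0x%02x over %d bytes, member offset 0x%llx (%s)\n",
           (unsigned long long)addr, h.byte, h.width,
           (unsigned long long)h.offset,
           h.byte == POISON_FREE ? "use-after-free" :
           h.byte == POISON_INUSE ? "uninitialised allocation" :
                                    "poison end marker");
    return 0;
}
```

Run with the address from an oops as the only argument; a hit on 0x6b means the base pointer was loaded from freed memory (slub_debug=P or SLAB_POISON must have been on for the pattern to appear), and a hit on 0x5a points at a field read before it was ever initialised. Addresses that match no pattern, such as the task.stack value in this oops, are reported as not poison and need a different explanation.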