From e78642876387357da325093ad691b7961140eac4 Mon Sep 17 00:00:00 2001
From: Paolo Abeni
Date: Thu, 21 Jan 2021 06:49:34 +0000
Subject: [PATCH] DO-NOT-MERGE: mptcp: use kmalloc on kasan build

Helps detection UaF, which apparently kasan misses with kmem_cache allocator. We also need to always set the SOCK_RCU_FREE flag, to preserved the current code leveraging SLAB_TYPESAFE_BY_RCU. This latter change will make unreachable some existing errors path, but I don't see other options.

Signed-off-by: Paolo Abeni
---
 net/ipv4/af_inet.c | 3 +++
 net/ipv6/af_inet6.c | 3 +++
 net/mptcp/protocol.c | 16 ++++++++++++++--
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index b94fa8eb831bf..22ea207c9776d 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -316,7 +316,10 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
 answer_flags = answer->flags;
 rcu_read_unlock();
+#if !IS_ENABLED(CONFIG_KASAN)
+ /* with kasan we use kmalloc */
 WARN_ON(!answer_prot->slab);
+#endif
 err = -ENOBUFS;
 sk = sk_alloc(net, PF_INET, GFP_KERNEL, answer_prot, kern);
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 8e9c3e9ea36e3..5924e06f1c6fe 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -177,7 +177,10 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
 answer_flags = answer->flags;
 rcu_read_unlock();
+#if !IS_ENABLED(CONFIG_KASAN)
+ /* with kasan we use kmalloc */
 WARN_ON(!answer_prot->slab);
+#endif
 err = -ENOBUFS;
 sk = sk_alloc(net, PF_INET6, GFP_KERNEL, answer_prot, kern);
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 93134b72490ac..e9ad8cb5268b0 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
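Review bot: The comment `/* with kasan we use kmalloc */` is placed inside the `#if !IS_ENABLED(CONFIG_KASAN)` branch, so it is compiled only into the configuration it does not describe, and the same layout is repeated in the af_inet6.c hunk. Both sites would read more naturally, and keep the check type-checked in every configuration, as a runtime condition in line with the kernel's preference for `IS_ENABLED()` in C code over `#if` inside functions: `/* KASAN builds register MPTCP without a kmem_cache (kmalloc-backed sockets) */` followed by `WARN_ON(!IS_ENABLED(CONFIG_KASAN) && !answer_prot->slab);`. Either way the guard silences the "no slab" sanity check for every protocol on a KASAN build, not only for MPTCP, which is the one that actually opts out; if that is acceptable for a debug-only patch the comment should say so. The same preprocessor pattern appears in the __mptcp_init_sock and mptcp_sk_clone hunks of protocol.c, where `if (IS_ENABLED(CONFIG_KASAN))` would serve equally. inet_create's body continues outside the hunk.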
@@ -2332,6 +2332,10 @@ static int __mptcp_init_sock(struct sock *sk)
 /* re-use the csk retrans timer for MPTCP-level retrans */
 timer_setup(&msk->sk.icsk_retransmit_timer, mptcp_retransmit_timer, 0);
 timer_setup(&sk->sk_timer, mptcp_timeout_timer, 0);
+
+#if IS_ENABLED(CONFIG_KASAN)
+ sock_set_flag(sk, SOCK_RCU_FREE);
+#endif
 return 0;
 }
@@ -2666,7 +2670,9 @@ struct sock *mptcp_sk_clone(const struct sock *sk,
 WRITE_ONCE(msk->rcv_wnd_sent, ack_seq);
 }
+#if !IS_ENABLED(CONFIG_KASAN)
 sock_reset_flag(nsk, SOCK_RCU_FREE);
+#endif
 /* will be fully established after successful MPC subflow creation */
 inet_sk_state_store(nsk, TCP_SYN_RECV);
@@ -3404,6 +3410,12 @@ static int mptcp_napi_poll(struct napi_struct *napi, int budget)
 return work_done;
 }
+#if IS_ENABLED(CONFIG_KASAN)
+#define MPTCP_USE_SLAB 0
+#else
+#define MPTCP_USE_SLAB 1
+#endif
+
 void __init mptcp_proto_init(void)
 {
 struct mptcp_delegated_action *delegated;
@@ -3427,7 +3439,7 @@ void __init mptcp_proto_init(void)
 mptcp_pm_init();
 mptcp_token_init();
- if (proto_register(&mptcp_prot, 1) != 0)
+ if (proto_register(&mptcp_prot, MPTCP_USE_SLAB) != 0)
 panic("Failed to register MPTCP proto.\n");
 inet_register_protosw(&mptcp_protosw);
@@ -3487,7 +3499,7 @@ int __init mptcp_proto_v6_init(void)
 mptcp_v6_prot.destroy = mptcp_v6_destroy;
 mptcp_v6_prot.obj_size = sizeof(struct mptcp6_sock);
- err = proto_register(&mptcp_v6_prot, 1);
+ err = proto_register(&mptcp_v6_prot, MPTCP_USE_SLAB);
 if (err)
 return err;
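Review bot: The `sock_set_flag(sk, SOCK_RCU_FREE)` added under CONFIG_KASAN carries no comment on why the flag becomes mandatory, so a reader of protocol.c alone cannot connect it to the allocator switch made further down in the same file. The commit message gives the reason, namely that a kmalloc-backed msk no longer gets the SLAB_TYPESAFE_BY_RCU behaviour the existing code is said to rely on, so the socket must instead be released after an RCU grace period to keep lockless readers from touching freed memory; that belongs next to the code as `/* KASAN builds allocate the msk with kmalloc (no SLAB_TYPESAFE_BY_RCU), so free it only after an RCU grace period */`. Writing it as `if (IS_ENABLED(CONFIG_KASAN))` rather than a preprocessor block would also keep the line compiled on non-KASAN builds. The commit message says this makes some existing error paths unreachable; naming them in the comment would help whoever later triages a KASAN report against this tree. __mptcp_init_sock begins outside the hunk.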
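Review bot: `MPTCP_USE_SLAB` is defined directly above mptcp_proto_init but is also consumed by mptcp_proto_v6_init in the last hunk, and the definition says nothing about what the value controls; it is the second argument of `proto_register()`, which decides whether a kmem_cache is created for the protocol, and a value of 0 is what makes socket allocation fall back to kmalloc as the af_inet.c comment notes. Suggest moving the block up with the other file-scope definitions, where both users can find it, and documenting it: `/* proto_register() alloc_slab argument: 0 on KASAN builds so msk memory comes from kmalloc and KASAN can track its lifetime, 1 otherwise to keep the kmem_cache */`. Since the choice is purely a debugging aid, the DO-NOT-MERGE status in the subject could be echoed in that comment so the macro is not mistaken for a production knob.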