Description
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: fix race in sock_map_free() sock_map_free() calls release_sock(sk) without owning a reference on the socket. This can cause use-after-free as syzbot found [1] Jakub Sitnicki already took care of a similar issue in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free") [1] refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 Modules linked in: CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246 RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0 RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000 RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5 R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004 R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __refcount_dec include/linux/refcount.h:344 [inline] refcount_dec include/linux/refcount.h:359 [inline] __sock_put include/net/sock.h:779 [inline] tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092 release_sock+0xaf/0x1c0 net/core/sock.c:3468 sock_map_free+0x219/0x2c0 net/core/sock_map.c:356 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 kthread+0x266/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK>
Product status
20ae0cb8983b05136d5293c47fadc99a8ca8ca2d (git) before 4cabc3af4a6f36c222fecb15858c1060e59218e7
7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b (git) before be719496ae6a7fc325e9e5056a52f63ebc84cc0c
7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b (git) before a443c55d96dede82a724df6e70a318ad15c199e1
7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b (git) before e8b2b392a646bf5cb9413c1cc7a39d99c1b65a62
7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b (git) before 5c3568166129bc73fd6b37748d2d8f95cd8f22f3
7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b (git) before 0a182f8d607464911756b4dbef5d6cad8de22469
5.5
Any version before 5.5
5.4.229 (semver)
5.10.163 (semver)
5.15.86 (semver)
6.0.16 (semver)
6.1.2 (semver)
6.2 (original_commit_for_fix)
References
git.kernel.org/...c/4cabc3af4a6f36c222fecb15858c1060e59218e7
git.kernel.org/...c/be719496ae6a7fc325e9e5056a52f63ebc84cc0c
git.kernel.org/...c/a443c55d96dede82a724df6e70a318ad15c199e1
git.kernel.org/...c/e8b2b392a646bf5cb9413c1cc7a39d99c1b65a62
git.kernel.org/...c/5c3568166129bc73fd6b37748d2d8f95cd8f22f3
git.kernel.org/...c/0a182f8d607464911756b4dbef5d6cad8de22469
