CVE-2023-54142

Source
https://cve.org/CVERecord?id=CVE-2023-54142
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54142.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-54142
Downstream
Related
Published
2025-12-24T13:06:56.204Z
Modified
2026-03-31T17:29:57.954069619Z
Summary
gtp: Fix use-after-free in __gtp_encap_destroy().
Details

In the Linux kernel, the following vulnerability has been resolved:

gtp: Fix use-after-free in __gtp_encap_destroy().

syzkaller reported use-after-free in __gtp_encap_destroy(). [0]

It shows the same process freed sk and touched it illegally.

Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, but release_sock() is called after sock_put() releases the last refcnt.

BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401

CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:351 [inline]
 print_report+0xcc/0x620 mm/kasan/report.c:462
 kasan_report+0xb2/0xe0 mm/kasan/report.c:572
 check_region_inline mm/kasan/generic.c:181 [inline]
 kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
 do_raw_spin_lock include/linux/spinlock.h:186 [inline]
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
 _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:355 [inline]
 release_sock+0x1f/0x1a0 net/core/sock.c:3526
 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
 gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
 rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
 rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg+0x1b7/0x200 net/socket.c:747
 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493
 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f1168b1fe5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d
RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003
RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000
 </TASK>

Allocated by task 1483:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54142.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
01f3c64e405ab3d25887d080a103ad76f30661d2
Fixed
d38039697184aacff1cf576e14ef583112fdefef
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e117a04133c673cc54292e12086a8177cd9bd4a4
Fixed
e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e198987e7dd7d3645a53875151cd6f8fc425b706
Fixed
9c9662e2512b5e4ee7b03108802c5222e0fa77a4
Fixed
bccc7ace12e69dee4684a3bb4b69737972e570d6
Fixed
ebd6d2077a083329110695a996c00e8ca94bc640
Fixed
17d6b6354f0025b7c10a56da783fd0cbb3819c5d
Fixed
dae6095bdb24f537b4798ffd9201515b97bac94e
Fixed
58fa341327fdb4bdf92597fd8796a9abc8d20ea3
Fixed
ce3aee7114c575fab32a5e9e939d4bbb3dcca79f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
bf75202df8e473d4ee914894542f213158066d8b
Last affected
76357f65f18f180f44ccbbbf713461881d0ab219

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54142.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
4.14.322
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.291
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.251
Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.10.188
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.15.121
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
6.1.39
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.3.13
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.4.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54142.json"