af_unix: Fix NULL pointer bug in unix_shutdown
Commit 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap")
introduced a bug for the af_unix SEQPACKET type. In unix_shutdown, the
unhash function will call prot->unhash(), which is NULL for SEQPACKET,
and the kernel will panic. On ARM32, it will show the following messages
(it likely affects x86 too).
Fix the bug by first checking whether prot->unhash is NULL.
Kernel log:
<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = 2fba1ffb
*pgd=00000000
Internal error: Oops: 80000005 [#1] PREEMPT SMP THUMB2
Modules linked in:
CPU: 1 PID: 1999 Comm: falkon Tainted: G W 5.14.0-rc5-01175-g94531cfcbe79-dirty #9240
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
PC is at 0x0
LR is at unix_shutdown+0x81/0x1a8
pc : [<00000000>] lr : [<c08f3311>] psr: 600f0013
sp : e45aff70 ip : e463a3c0 fp : beb54f04
r10: 00000125 r9 : e45ae000 r8 : c4a56664
r7 : 00000001 r6 : c4a56464 r5 : 00000001 r4 : c4a56400
r3 : 00000000 r2 : c5a6b180 r1 : 00000000 r0 : c4a56400
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 50c5387d Table: 05aa804a DAC: 00000051
Register r0 information: slab PING start c4a56400 pointer offset 0
Register r1 information: NULL pointer
Register r2 information: slab task_struct start c5a6b180 pointer offset 0
Register r3 information: NULL pointer
Register r4 information: slab PING start c4a56400 pointer offset 0
Register r5 information: non-paged memory
Register r6 information: slab PING start c4a56400 pointer offset 100
Register r7 information: non-paged memory
Register r8 information: slab PING start c4a56400 pointer offset 612
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-paged memory
Register r11 information: non-paged memory
Register r12 information: slab filp start e463a3c0 pointer offset 0
Process falkon (pid: 1999, stack limit = 0x9ec48895)
Stack: (0xe45aff70 to 0xe45b0000)
ff60: e45ae000 c5f26a00 00000000 00000125
ff80: c0100264 c07f7fa3 beb54f04 fffffff7 00000001 e6f3fc0e b5e5e9ec beb54ec4
ffa0: b5da0ccc c010024b b5e5e9ec beb54ec4 0000000f 00000000 00000000 beb54ebc
ffc0: b5e5e9ec beb54ec4 b5da0ccc 00000125 beb54f58 00785238 beb5529c beb54f04
ffe0: b5da1e24 beb54eac b301385c b62b6ee8 600f0030 0000000f 00000000 00000000
[<c08f3311>] (unix_shutdown) from [<c07f7fa3>] (__sys_shutdown+0x2f/0x50)
[<c07f7fa3>] (__sys_shutdown) from [<c010024b>] (__sys_trace_return+0x1/0x16)
Exception stack(0xe45affa8 to 0xe45afff0)
Fixes: 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap")
Reported-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Jiang Wang <jiang.wang@bytedance.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Dmitry Osipenko <digetx@gmail.com>
Acked-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
Link: https://lore.kernel.org/bpf/20210821180738.1151155-1-jiang.wang@bytedance.com