DO-NOT-MERGE: mptcp: use kmalloc on kasan build

Helps detection UaF, which apparently kasan misses with kmem_cache allocator. We also need to always set the SOCK_RCU_FREE flag, to preserved the current code leveraging SLAB_TYPESAFE_BY_RCU. This latter change will make unreachable some existing errors path, but I don't see other options. Signed-off-by: Paolo Abeni <[email protected]>
geliangtang · Jun 4, 2022 · b04c04e · b04c04e
1 parent 6af975b
commit b04c04e
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
@@ -313,7 +313,10 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
 	answer_flags = answer->flags;
 	rcu_read_unlock();
 
+#if !IS_ENABLED(CONFIG_KASAN)
+	/* with kasan we use kmalloc */
 	WARN_ON(!answer_prot->slab);
+#endif
 
 	err = -ENOMEM;
 	sk = sk_alloc(net, PF_INET, GFP_KERNEL, answer_prot, kern);

diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
@@ -178,7 +178,10 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
 	answer_flags = answer->flags;
 	rcu_read_unlock();
 
+#if !IS_ENABLED(CONFIG_KASAN)
+	/* with kasan we use kmalloc */
 	WARN_ON(!answer_prot->slab);
+#endif
 
 	err = -ENOBUFS;
 	sk = sk_alloc(net, PF_INET6, GFP_KERNEL, answer_prot, kern);

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
@@ -2596,6 +2596,10 @@ static int __mptcp_init_sock(struct sock *sk)
 	timer_setup(&msk->sk.icsk_retransmit_timer, mptcp_retransmit_timer, 0);
 	timer_setup(&sk->sk_timer, mptcp_timeout_timer, 0);
 
+#if IS_ENABLED(CONFIG_KASAN)
+	sock_set_flag(sk, SOCK_RCU_FREE);
+#endif
+
 	return 0;
 }
 
@@ -2975,7 +2979,9 @@ struct sock *mptcp_sk_clone(const struct sock *sk,
 		atomic64_set(&msk->rcv_wnd_sent, ack_seq);
 	}
 
+#if !IS_ENABLED(CONFIG_KASAN)
 	sock_reset_flag(nsk, SOCK_RCU_FREE);
+#endif
 	/* will be fully established after successful MPC subflow creation */
 	inet_sk_state_store(nsk, TCP_SYN_RECV);
 
@@ -3748,6 +3754,12 @@ static int mptcp_napi_poll(struct napi_struct *napi, int budget)
 	return work_done;
 }
 
+#if IS_ENABLED(CONFIG_KASAN)
+#define MPTCP_USE_SLAB		0
+#else
+#define MPTCP_USE_SLAB		1
+#endif
+
 void __init mptcp_proto_init(void)
 {
 	struct mptcp_delegated_action *delegated;
@@ -3771,7 +3783,7 @@ void __init mptcp_proto_init(void)
 	mptcp_pm_init();
 	mptcp_token_init();
 
-	if (proto_register(&mptcp_prot, 1) != 0)
+	if (proto_register(&mptcp_prot, MPTCP_USE_SLAB) != 0)
 		panic("Failed to register MPTCP proto.\n");
 
 	inet_register_protosw(&mptcp_protosw);
@@ -3831,7 +3843,7 @@ int __init mptcp_proto_v6_init(void)
 	mptcp_v6_prot.destroy = mptcp_v6_destroy;
 	mptcp_v6_prot.obj_size = sizeof(struct mptcp6_sock);
 
-	err = proto_register(&mptcp_v6_prot, 1);
+	err = proto_register(&mptcp_v6_prot, MPTCP_USE_SLAB);
 	if (err)
 		return err;