Linux kernel skmsg: alloc_sk_msg() lacks a gfp_t argument and can sleep in a non-sleepable context

Vulnerability

A bug in the Linux kernel's skmsg subsystem (net/core/skmsg.c) allowed alloc_sk_msg() to be called from a non-sleepable context. alloc_sk_msg() allocated the sk_msg with GFP_KERNEL, which may sleep, but one of its callers, sk_psock_verdict_recv(), runs under rcu_read_lock(), where sleeping is not permitted. syzbot reported the resulting splat, "BUG: sleeping function called from invalid context", with an RCU nest depth of 1 where 0 was expected. Because the allocation flags were hard-coded inside alloc_sk_msg(), callers had no way to request a non-sleeping allocation; the fix is to make them pass a gfp_t argument so the RCU-protected path can use GFP_ATOMIC.

Impact

Triggering the bug makes a function that may sleep (a GFP_KERNEL allocation) run inside an RCU read-side critical section. On kernels built with CONFIG_DEBUG_ATOMIC_SLEEP this is reported as a "sleeping function called from invalid context" BUG; on other kernels it is silent, but if the allocation does block, the task sleeps while holding rcu_read_lock(), which violates the scheduling assumptions RCU relies on and can stall or destabilize the system. The page describes no memory corruption or privilege-escalation consequence; the practical risk is a local reliability (denial-of-service) problem on hosts that use BPF sockmap.

Reproduction

The splat is reached by adding a TCP socket to a BPF sockmap, which attaches a psock to it, and then sending data to that socket. The receive path (for example tcp_v4_do_rcv()) calls into sk_psock_verdict_recv() under rcu_read_lock(); a pass verdict leads to sk_psock_skb_ingress_self(), which calls alloc_sk_msg(), whose GFP_KERNEL kzalloc() may sleep. With CONFIG_DEBUG_ATOMIC_SLEEP enabled the kernel reports the sleeping-function BUG at that point. The invalid context is the RCU read-side critical section itself; the missing gfp_t argument is what prevented the caller from requesting a non-sleeping allocation there.

Remediation

The upstream fix changes alloc_sk_msg() to take a gfp_t argument and updates its callers: the path that runs under rcu_read_lock() (the verdict receive path) passes GFP_ATOMIC, while process-context callers such as the psock backlog work keep GFP_KERNEL. Update to a kernel that contains the fix. Note that the condition is only visible as a splat on kernels built with CONFIG_DEBUG_ATOMIC_SLEEP; the underlying sleep-inside-RCU bug is present on affected kernels regardless of that option.
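The following userspace model, added here as an example and not taken from the kernel or the fix, shows why passing the flags from the caller matters. It mimics the CONFIG_DEBUG_ATOMIC_SLEEP check: an allocation whose flags permit direct reclaim (and therefore may block) is illegal while an RCU read-side critical section is held. The gfp bit values, the rcu_nest_depth counter and the three path functions are illustrative stand-ins for the real kernel definitions.

```c
/* Userspace model (added example, not kernel code) of the skmsg bug class:
 * an allocation helper that hard-codes sleeping flags versus one that takes
 * a gfp-style argument, checked against the caller's context the way the
 * kernel's might_alloc()/might_sleep() would under CONFIG_DEBUG_ATOMIC_SLEEP. */
#include <stdio.h>
#include <stdlib.h>

typedef unsigned int gfp_t;

/* Bit values are illustrative; the kernel's real masks differ. The property
 * that matters is that GFP_KERNEL permits direct reclaim (may sleep) and
 * GFP_ATOMIC does not. */
#define __GFP_DIRECT_RECLAIM 0x400u
#define __GFP_NOWARN         0x2000u
#define GFP_ATOMIC           0x20u
#define GFP_KERNEL           (0x40u | __GFP_DIRECT_RECLAIM)

struct sk_msg { unsigned char data[64]; };

/* Models rcu_read_lock()/rcu_read_unlock() nesting in the current task. */
static int rcu_nest_depth;
/* Count of "sleeping function called from invalid context" reports. */
static int atomic_sleep_bugs;

static void rcu_read_lock(void)   { rcu_nest_depth++; }
static void rcu_read_unlock(void) { rcu_nest_depth--; }

static int gfpflags_allow_blocking(gfp_t gfp)
{
    return (gfp & __GFP_DIRECT_RECLAIM) != 0;
}

/* Models might_alloc(): a blocking allocation is only legal when no RCU
 * read-side critical section is held. */
static void might_alloc(gfp_t gfp)
{
    if (gfpflags_allow_blocking(gfp) && rcu_nest_depth > 0) {
        atomic_sleep_bugs++;
        fprintf(stderr, "BUG: sleeping function called from invalid context "
                        "(RCU nest depth: %d, expected: 0)\n", rcu_nest_depth);
    }
}

static void *kzalloc(size_t sz, gfp_t gfp)
{
    might_alloc(gfp);
    return calloc(1, sz);
}

/* Before the fix: flags hard-coded, so every caller gets a sleeping allocation. */
static struct sk_msg *alloc_sk_msg_old(void)
{
    return kzalloc(sizeof(struct sk_msg), GFP_KERNEL | __GFP_NOWARN);
}

/* After the fix: the caller, which knows its own context, chooses the flags. */
static struct sk_msg *alloc_sk_msg(gfp_t gfp)
{
    return kzalloc(sizeof(struct sk_msg), gfp | __GFP_NOWARN);
}

/* Models the verdict receive path, which runs under rcu_read_lock().
 * Returns the number of BUG reports the call produced. */
static int verdict_recv_old(void)
{
    int before = atomic_sleep_bugs;
    rcu_read_lock();
    struct sk_msg *m = alloc_sk_msg_old();
    rcu_read_unlock();
    free(m);
    return atomic_sleep_bugs - before;   /* 1: the splat fires */
}

static int verdict_recv_fixed(void)
{
    int before = atomic_sleep_bugs;
    rcu_read_lock();
    struct sk_msg *m = alloc_sk_msg(GFP_ATOMIC);
    rcu_read_unlock();
    free(m);
    return atomic_sleep_bugs - before;   /* 0 */
}

/* Models the backlog work item, which runs in process context and may sleep,
 * so GFP_KERNEL remains the right choice there. */
static int backlog_fixed(void)
{
    int before = atomic_sleep_bugs;
    struct sk_msg *m = alloc_sk_msg(GFP_KERNEL);
    free(m);
    return atomic_sleep_bugs - before;   /* 0 */
}

int main(void)
{
    printf("old verdict path:   %d bug(s)\n", verdict_recv_old());
    printf("fixed verdict path: %d bug(s)\n", verdict_recv_fixed());
    printf("fixed backlog path: %d bug(s)\n", backlog_fixed());
    return 0;
}
```

The point of the model is that the correctness of the allocation depends on the pair (flags, caller context), and only the caller knows the second half of that pair; a helper that fixes the flags internally is therefore wrong as soon as it gains a caller in a non-sleepable context, which is exactly what happened when sk_psock_verdict_recv() started reaching alloc_sk_msg().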

Added: Sep 17, 2025, 4:41 PM
Updated: Sep 17, 2025, 4:41 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.