Forwarded: Re: [PATCH] atm: lec: fix use-after-free in send_to_lecd

[syzbot <syzbot+f50072212ab792c86925@syzkaller.appspotmail.com>]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH] atm: lec: fix use-after-free in send_to_lecd
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

In send_to_lecd(), the socket is extracted via sk_atm(priv->lecd)
without holding a reference. The APIC timer triggers a softirq which
runs RCU callbacks, and if the RCU grace period has elapsed, the socket
can be freed via rcu_do_batch() while send_to_lecd() is still accessing
it, triggering a use-after-free bug.

Fix this by adding sock_hold() before accessing the socket and
sock_put() after all usage is done to prevent premature freeing.

Reported-by: syzbot+f50072212ab792c86925@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f50072212ab792c86925
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 net/atm/lec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/atm/lec.c b/net/atm/lec.c
index fb93c6e1c329..4e752b4b623e 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -534,9 +534,9 @@ send_to_lecd(struct lec_priv *priv, atmlec_msg_type type,

        atm_force_charge(priv->lecd, skb->truesize);
        sk = sk_atm(priv->lecd);
+       sock_hold(sk);
        skb_queue_tail(&sk->sk_receive_queue, skb);
        sk->sk_data_ready(sk);
-
        if (data != NULL) {
                pr_debug("about to send %d bytes of data\n", data->len);
                atm_force_charge(priv->lecd, data->truesize);
@@ -544,6 +544,7 @@ send_to_lecd(struct lec_priv *priv, atmlec_msg_type type,
                sk->sk_data_ready(sk);
        }

+        sock_put(sk);
        return 0;
 }

--
2.43.0