From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com,
Sasha Levin <sashal@kernel.org>,
linux-afs@lists.infradead.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 23/37] rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
Date: Fri, 25 Oct 2019 09:55:47 -0400 [thread overview]
Message-ID: <20191025135603.25093-23-sashal@kernel.org> (raw)
In-Reply-To: <20191025135603.25093-1-sashal@kernel.org>
From: David Howells <dhowells@redhat.com>
[ Upstream commit 9ebeddef58c41bd700419cdcece24cf64ce32276 ]
The rxrpc_peer record needs to hold a reference on the rxrpc_local record
it points as the peer is used as a base to access information in the
rxrpc_local record.
This can cause problems in __rxrpc_put_peer(), where we need the network
namespace pointer, and in rxrpc_send_keepalive(), where we need to access
the UDP socket, leading to symptoms like:
BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
[inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
Fix this by taking a ref on the local record for the peer record.
Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rxrpc/peer_object.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
index 72b4ad210426e..b91b090217cdb 100644
--- a/net/rxrpc/peer_object.c
+++ b/net/rxrpc/peer_object.c
@@ -220,7 +220,7 @@ struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp)
peer = kzalloc(sizeof(struct rxrpc_peer), gfp);
if (peer) {
atomic_set(&peer->usage, 1);
- peer->local = local;
+ peer->local = rxrpc_get_local(local);
INIT_HLIST_HEAD(&peer->error_targets);
peer->service_conns = RB_ROOT;
seqlock_init(&peer->service_conn_lock);
@@ -311,7 +311,6 @@ void rxrpc_new_incoming_peer(struct rxrpc_sock *rx, struct rxrpc_local *local,
unsigned long hash_key;
hash_key = rxrpc_peer_hash_key(local, &peer->srx);
- peer->local = local;
rxrpc_init_peer(rx, peer, hash_key);
spin_lock(&rxnet->peer_hash_lock);
@@ -421,6 +420,7 @@ static void __rxrpc_put_peer(struct rxrpc_peer *peer)
list_del_init(&peer->keepalive_link);
spin_unlock_bh(&rxnet->peer_hash_lock);
+ rxrpc_put_local(peer->local);
kfree_rcu(peer, rcu);
}
@@ -457,6 +457,7 @@ void rxrpc_put_peer_locked(struct rxrpc_peer *peer)
if (n == 0) {
hash_del_rcu(&peer->hash_link);
list_del_init(&peer->keepalive_link);
+ rxrpc_put_local(peer->local);
kfree_rcu(peer, rcu);
}
}
--
2.20.1
next prev parent reply other threads:[~2019-10-25 13:56 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-25 13:55 [PATCH AUTOSEL 4.19 01/37] PCI/ASPM: Do not initialize link state when aspm_disabled is set Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 02/37] HID: i2c-hid: Add Odys Winbook 13 to descriptor override Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 03/37] ACPI: video: Use vendor backlight on Sony VPCEH3U1E Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 04/37] rseq/selftests: x86: Work-around bogus gcc-8 optimisation Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 05/37] f2fs: fix to do sanity check on valid node/block count Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 06/37] ALSA: hda: Fix race between creating and refreshing sysfs entries Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 07/37] Fixed https://bugzilla.kernel.org/show_bug.cgi?id=202935 allow write on the same file Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 08/37] nvme-pci: fix conflicting p2p resource adds Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 09/37] scsi: qedf: Do not retry ELS request if qedf_alloc_cmd fails Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 10/37] driver core: platform: Fix the usage of platform device name(pdev->name) Sasha Levin
2019-10-26 7:44 ` Greg Kroah-Hartman
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 11/37] KVM: PPC: Book3S HV: Fix lockdep warning when entering the guest Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 12/37] drm/amdgpu/display: Fix reload driver error Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 13/37] powerpc/pseries/hvconsole: Fix stack overread via udbg Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 14/37] scsi: RDMA/srp: Fix a sleep-in-invalid-context bug Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 15/37] scsi: bnx2fc: Only put reference to io_req in bnx2fc_abts_cleanup if cleanup times out Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 16/37] xfrm interface: fix memory leak on creation Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 17/37] drm/msm: stop abusing dma_map/unmap for cache Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 18/37] drm/msm: Use the correct dma_sync calls in msm_gem Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 19/37] net: ipv6: fix listify ip6_rcv_finish in case of forwarding Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 20/37] sch_netem: fix rcu splat in netem_enqueue() Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 21/37] rxrpc: Fix call ref leak Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 22/37] rxrpc: Fix trace-after-put looking at the put peer record Sasha Levin
2019-10-25 13:55 ` Sasha Levin [this message]
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 24/37] llc: fix sk_buff leak in llc_sap_state_process() Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 25/37] llc: fix sk_buff leak in llc_conn_service() Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 26/37] NFC: pn533: fix use-after-free and memleaks Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 27/37] bonding: fix potential NULL deref in bond_update_slave_arr Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 28/37] net: usb: sr9800: fix uninitialized local variable Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 29/37] jbd2: flush_descriptor(): Do not decrease buffer head's ref count Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 30/37] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 31/37] Btrfs: fix hang when loading existing inode cache off disk Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 32/37] Btrfs: fix inode cache block reserve leak on failure to allocate data space Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 33/37] ubi: ubi_wl_get_peb: Increase the number of attempts while getting PEB Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 34/37] RDMA/iwcm: Fix a lock inversion issue Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 4.19 35/37] ipv6: Handle race in addrconf_dad_work Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.19 36/37] bdi: Do not use freezable workqueue Sasha Levin
2019-10-25 13:56 ` [PATCH AUTOSEL 4.19 37/37] ALSA: hda: Add codec on bus address table lately Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191025135603.25093-23-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dhowells@redhat.com \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox