From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 634F7CA9EA0 for ; Fri, 25 Oct 2019 13:57:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 31F6A21D82 for ; Fri, 25 Oct 2019 13:57:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572011863; bh=DPX5Xd1J8hqUFZgtTHhYIe6T0e8+tX+LXmSYcR1K0nE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=SRG2C2SIOiZQqioBEd1hZXYysGRq89HxVMsiswRfy5ra/iQ9rjUYxxx/kjksnyFGw Y/69D8/SHS0De36elS7slV9QTLLc5DE1AS6gk1+pvYF2UI+CBdJr5y5RZlK9ops3kQ sR3lQ/R4Co2zGlmzXjmRDPbrIxWOK68ky2W5WkZg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2502381AbfJYN5l (ORCPT ); Fri, 25 Oct 2019 09:57:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:52518 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2632864AbfJYN5g (ORCPT ); Fri, 25 Oct 2019 09:57:36 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B181D222CB; Fri, 25 Oct 2019 13:57:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572011855; bh=DPX5Xd1J8hqUFZgtTHhYIe6T0e8+tX+LXmSYcR1K0nE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zITL3r+PEJBFfuwlUrILmwQq79TutHGj1NJ7kPhHAs/n2mN0Z+TZv9BId5ER80Atd 225jFWGhTrfWVcw25W50Hf795Kh7MwQNstp9+IC3o881Zotihc6JvVWn9p+o0bYBpg jFsx2T1NFe9oo9bCvtFpTTpE8RDVFEL3LzmFqGMA= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: David Howells , syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com, Sasha Levin , linux-afs@lists.infradead.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 4.14 13/25] rxrpc: Fix call ref leak Date: Fri, 25 Oct 2019 09:57:01 -0400 Message-Id: <20191025135715.25468-13-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191025135715.25468-1-sashal@kernel.org> References: <20191025135715.25468-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells [ Upstream commit c48fc11b69e95007109206311b0187a3090591f3 ] When sendmsg() finds a call to continue on with, if the call is in an inappropriate state, it doesn't release the ref it just got on that call before returning an error. This causes the following symptom to show up with kasan: BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:635 Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077 where line 635 is: whdr.epoch = htonl(peer->local->rxnet->epoch); The local endpoint (which cannot be pinned by the call) has been released, but not the peer (which is pinned by the call). Fix this by releasing the call in the error path. Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception") Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com Signed-off-by: David Howells Signed-off-by: Sasha Levin --- net/rxrpc/sendmsg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c index 016e293681b8c..a980b49d7a4f8 100644 --- a/net/rxrpc/sendmsg.c +++ b/net/rxrpc/sendmsg.c @@ -586,6 +586,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len) case RXRPC_CALL_SERVER_PREALLOC: case RXRPC_CALL_SERVER_SECURING: case RXRPC_CALL_SERVER_ACCEPTING: + rxrpc_put_call(call, rxrpc_call_put); ret = -EBUSY; goto error_release_sock; default: -- 2.20.1