From: David Miller
Subject: Re: [net 1/1] tipc: fix unbalanced reference counter
Date: Thu, 12 Apr 2018 21:49:32 -0400 (EDT)
Message-ID: <20180412.214932.560777541908174607.davem@davemloft.net>
In-Reply-To: <1523479929-28161-1-git-send-email-jon.maloy@ericsson.com>
References: <1523479929-28161-1-git-send-email-jon.maloy@ericsson.com>
To: jon.maloy@ericsson.com
Cc: netdev@vger.kernel.org, mohan.krishna.ghanta.krishnamurthy@ericsson.com, tung.q.nguyen@dektech.com.au, hoang.h.le@dektech.com.au, canh.d.luu@dektech.com.au, ying.xue@windriver.com, tipc-discussion@lists.sourceforge.net

From: Jon Maloy
Date: Wed, 11 Apr 2018 22:52:09 +0200

> When a topology subscription is created, we may encounter (or KASAN
> may provoke) a failure to create a corresponding service instance in
> the binding table. Instead of letting the tipc_nametbl_subscribe()
> report the failure back to the caller, the function just makes a warning
> printout and returns, without incrementing the subscription reference
> counter as expected by the caller.
>
> This makes the caller believe that the subscription was successful, so
> it will at a later moment try to unsubscribe the item. This involves
> a sub_put() call. Since the reference counter never was incremented
> in the first place, we get a premature delete of the subscription item,
> followed by a "use-after-free" warning.
>
> We fix this by adding a return value to tipc_nametbl_subscribe() and
> make the caller aware of the failure to subscribe.
>
> This bug seems to always have been around, but this fix only applies
> back to the commit shown below. Given the low risk of this happening
> we believe this to be sufficient.
>
> Fixes: commit 218527fe27ad ("tipc: replace name table service range
> array with rb tree")
> Reported-by: syzbot+aa245f26d42b8305d157@syzkaller.appspotmail.com
>
> Signed-off-by: Jon Maloy

Applied and queued up for -stable.
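The reference-count imbalance the commit message describes, reduced to a small model as an added illustration; this is not the TIPC patch or any kernel code, and `struct sub`, `subscribe_old`, `subscribe_new`, `sub_put` and the two `premature_free_*` callers are hypothetical names that stand in for the real subscription object, `tipc_nametbl_subscribe()` and its caller. The `freed` flag replaces `kfree()` so the premature delete can be observed instead of becoming a real use-after-free.

```c
/* Hypothetical, simplified model of the bug in the commit message; not TIPC code. */
#include <stdbool.h>

struct sub {
	int refcnt;   /* stands in for the kref the caller expects to be bumped */
	bool freed;   /* set instead of calling kfree() so the bug is observable */
};

/* Pre-fix shape of tipc_nametbl_subscribe(): a binding-table failure is
 * only logged, no reference is taken, and the caller cannot tell. */
static void subscribe_old(struct sub *s, bool table_insert_ok)
{
	if (!table_insert_ok)
		return;           /* warning printout in the real code; no refcnt++ */
	s->refcnt++;
}

/* Post-fix shape: the failure is reported so the caller can skip its put. */
static int subscribe_new(struct sub *s, bool table_insert_ok)
{
	if (!table_insert_ok)
		return -1;        /* an errno value in the real code */
	s->refcnt++;
	return 0;
}

static void sub_put(struct sub *s)
{
	if (--s->refcnt == 0)
		s->freed = true;  /* last reference dropped: object is gone */
}
/* Caller before the fix: it holds the creator's reference (refcnt 1),
 * subscribes, then unsubscribes unconditionally with sub_put(). Returns true
 * if the object was freed while the creator still believes it holds a ref. */
bool premature_free_old(bool table_insert_ok)
{
	struct sub s = { .refcnt = 1, .freed = false };
	subscribe_old(&s, table_insert_ok);
	sub_put(&s);              /* unsubscribe: pairs with a ref that may not exist */
	return s.freed;
}
/* Same caller after the fix: only drop the reference subscribe took. */
bool premature_free_new(bool table_insert_ok)
{
	struct sub s = { .refcnt = 1, .freed = false };
	if (subscribe_new(&s, table_insert_ok) == 0)
		sub_put(&s);
	return s.freed;
}
```

With the old shape, a failed insert leaves the creator's reference as the only one, so the unsubscribe put drops it to zero and the creator's later access is the use-after-free syzbot reported; with the error return, the caller skips the put and the count stays balanced.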