* [Patch net] llc: hold llc_sap before release_sock()
@ 2018-04-18 18:51 Cong Wang
2018-04-19 17:54 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Cong Wang @ 2018-04-18 18:51 UTC (permalink / raw)
To: netdev; +Cc: Cong Wang
syzbot reported we still access llc->sap in llc_backlog_rcv()
after it is freed in llc_sap_remove_socket():
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
llc_conn_service net/llc/llc_conn.c:400 [inline]
llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
sk_backlog_rcv include/net/sock.h:909 [inline]
__release_sock+0x12f/0x3a0 net/core/sock.c:2335
release_sock+0xa4/0x2b0 net/core/sock.c:2850
llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
llc->sap is refcount'ed and llc_sap_remove_socket() is paired
with llc_sap_add_socket(). This can be amended by holding its refcount
before llc_sap_remove_socket() and releasing it after release_sock().
Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
net/llc/af_llc.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 01dcc0823d1f..6d29b2b94e84 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -189,6 +189,7 @@ static int llc_ui_release(struct socket *sock)
{
struct sock *sk = sock->sk;
struct llc_sock *llc;
+ struct llc_sap *sap;
if (unlikely(sk == NULL))
goto out;
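Review bot: the new `struct llc_sap *sap;` declared here has no initialiser and is not assigned until after `llc_ui_wait_for_disc()` in the next hunk, so it is only safe because the `goto out` on `sk == NULL` leaves before its sole use; declaring it at the point where `llc->sap` is read (or initialising it to NULL here) would keep any future early exit from reaching `llc_sap_put()` with an indeterminate pointer.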
@@ -199,9 +200,15 @@ static int llc_ui_release(struct socket *sock)
llc->laddr.lsap, llc->daddr.lsap);
if (!llc_send_disc(sk))
llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
+ sap = llc->sap;
+ /* Hold this for release_sock(), so that llc_backlog_rcv() could still
+ * use it.
+ */
+ llc_sap_hold(sap);
if (!sock_flag(sk, SOCK_ZAPPED))
llc_sap_remove_socket(llc->sap, sk);
release_sock(sk);
+ llc_sap_put(sap);
if (llc->dev)
dev_put(llc->dev);
sock_put(sk);
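Review bot: `llc_sap_hold(sap)` and `llc_sap_put(sap)` run unconditionally while `llc_sap_remove_socket(llc->sap, sk)` stays guarded by `!sock_flag(sk, SOCK_ZAPPED)`; if a zapped (never bound) socket can reach `llc_ui_release()` with `llc->sap == NULL`, the hold dereferences a NULL pointer on a path where the old code never touched `llc->sap` at all. Keep the hold, the remove, `release_sock(sk)` and the put under the same test and release the socket plainly otherwise, e.g.
`if (!sock_flag(sk, SOCK_ZAPPED)) { llc_sap_hold(sap); llc_sap_remove_socket(sap, sk); release_sock(sk); llc_sap_put(sap); }`
`else release_sock(sk);`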
--
2.13.0
* Re: [Patch net] llc: hold llc_sap before release_sock()
2018-04-18 18:51 [Patch net] llc: hold llc_sap before release_sock() Cong Wang
@ 2018-04-19 17:54 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2018-04-19 17:54 UTC (permalink / raw)
To: xiyou.wangcong; +Cc: netdev
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed, 18 Apr 2018 11:51:56 -0700
> @@ -199,9 +200,15 @@ static int llc_ui_release(struct socket *sock)
> llc->laddr.lsap, llc->daddr.lsap);
> if (!llc_send_disc(sk))
> llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
> + sap = llc->sap;
> + /* Hold this for release_sock(), so that llc_backlog_rcv() could still
> + * use it.
> + */
> + llc_sap_hold(sap);
> if (!sock_flag(sk, SOCK_ZAPPED))
> llc_sap_remove_socket(llc->sap, sk);
> release_sock(sk);
> + llc_sap_put(sap);
> if (llc->dev)
> dev_put(llc->dev);
> sock_put(sk);
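Review bot: `llc_sap_remove_socket(llc->sap, sk)` still re-reads `llc->sap` one line after the local `sap` was taken and held; passing `sap` there makes it explicit that the pointer handed to remove is the same one the hold/put pair protects and avoids a second read of the field inside the window the commit message describes.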
Yeah, kind of a weird ordering issue here. It would have been nice if we could
remove the sap after the release_sock() but it appears that we can't.
Applied and queued up for -stable, thanks.