From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com,
Sasha Levin <sashal@kernel.org>,
linux-afs@lists.infradead.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.3 05/33] rxrpc: Fix trace-after-put looking at the put peer record
Date: Fri, 25 Oct 2019 09:54:37 -0400 [thread overview]
Message-ID: <20191025135505.24762-5-sashal@kernel.org> (raw)
In-Reply-To: <20191025135505.24762-1-sashal@kernel.org>
From: David Howells <dhowells@redhat.com>
[ Upstream commit 55f6c98e3674ce16038a1949c3f9ca5a9a99f289 ]
rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement
of the refcount - which looks at the debug_id in the peer record. But
unless the refcount was reduced to zero, we no longer have the right to
look in the record and, indeed, it may be deleted by some other thread.
Fix this by getting the debug_id out before decrementing the refcount and
then passing that into the tracepoint.
This can cause the following symptoms:
BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
[inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
Fixes: 1159d4b496f5 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/rxrpc.h | 6 +++---
net/rxrpc/peer_object.c | 11 +++++++----
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
index edc5c887a44c8..45556fe771c36 100644
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -519,10 +519,10 @@ TRACE_EVENT(rxrpc_local,
);
TRACE_EVENT(rxrpc_peer,
- TP_PROTO(struct rxrpc_peer *peer, enum rxrpc_peer_trace op,
+ TP_PROTO(unsigned int peer_debug_id, enum rxrpc_peer_trace op,
int usage, const void *where),
- TP_ARGS(peer, op, usage, where),
+ TP_ARGS(peer_debug_id, op, usage, where),
TP_STRUCT__entry(
__field(unsigned int, peer )
@@ -532,7 +532,7 @@ TRACE_EVENT(rxrpc_peer,
),
TP_fast_assign(
- __entry->peer = peer->debug_id;
+ __entry->peer = peer_debug_id;
__entry->op = op;
__entry->usage = usage;
__entry->where = where;
diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
index 9c3ac96f71cbf..b700b7ecaa3d8 100644
--- a/net/rxrpc/peer_object.c
+++ b/net/rxrpc/peer_object.c
@@ -382,7 +382,7 @@ struct rxrpc_peer *rxrpc_get_peer(struct rxrpc_peer *peer)
int n;
n = atomic_inc_return(&peer->usage);
- trace_rxrpc_peer(peer, rxrpc_peer_got, n, here);
+ trace_rxrpc_peer(peer->debug_id, rxrpc_peer_got, n, here);
return peer;
}
@@ -396,7 +396,7 @@ struct rxrpc_peer *rxrpc_get_peer_maybe(struct rxrpc_peer *peer)
if (peer) {
int n = atomic_fetch_add_unless(&peer->usage, 1, 0);
if (n > 0)
- trace_rxrpc_peer(peer, rxrpc_peer_got, n + 1, here);
+ trace_rxrpc_peer(peer->debug_id, rxrpc_peer_got, n + 1, here);
else
peer = NULL;
}
@@ -426,11 +426,13 @@ static void __rxrpc_put_peer(struct rxrpc_peer *peer)
void rxrpc_put_peer(struct rxrpc_peer *peer)
{
const void *here = __builtin_return_address(0);
+ unsigned int debug_id;
int n;
if (peer) {
+ debug_id = peer->debug_id;
n = atomic_dec_return(&peer->usage);
- trace_rxrpc_peer(peer, rxrpc_peer_put, n, here);
+ trace_rxrpc_peer(debug_id, rxrpc_peer_put, n, here);
if (n == 0)
__rxrpc_put_peer(peer);
}
@@ -443,10 +445,11 @@ void rxrpc_put_peer(struct rxrpc_peer *peer)
void rxrpc_put_peer_locked(struct rxrpc_peer *peer)
{
const void *here = __builtin_return_address(0);
+ unsigned int debug_id = peer->debug_id;
int n;
n = atomic_dec_return(&peer->usage);
- trace_rxrpc_peer(peer, rxrpc_peer_put, n, here);
+ trace_rxrpc_peer(debug_id, rxrpc_peer_put, n, here);
if (n == 0) {
hash_del_rcu(&peer->hash_link);
list_del_init(&peer->keepalive_link);
--
2.20.1
next prev parent reply other threads:[~2019-10-25 14:07 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-25 13:54 [PATCH AUTOSEL 5.3 01/33] net: ipv6: fix listify ip6_rcv_finish in case of forwarding Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 02/33] sch_netem: fix rcu splat in netem_enqueue() Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 03/33] net: sched: sch_sfb: don't call qdisc_put() while holding tree lock Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 04/33] rxrpc: Fix call ref leak Sasha Levin
2019-10-25 13:54 ` Sasha Levin [this message]
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 06/33] rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 07/33] llc: fix sk_buff leak in llc_sap_state_process() Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 08/33] llc: fix sk_buff leak in llc_conn_service() Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 09/33] NFC: pn533: fix use-after-free and memleaks Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 10/33] bonding: fix potential NULL deref in bond_update_slave_arr Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 11/33] netfilter: conntrack: avoid possible false sharing Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 12/33] blackhole_netdev: fix syzkaller reported issue Sasha Levin
2019-10-25 15:49 ` Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 13/33] net: usb: sr9800: fix uninitialized local variable Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 16/33] netfilter: connlabels: prefer static lock initialiser Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 19/33] net/rds: Whitelist rdma_cookie and rx_tstamp for usercopy Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 21/33] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 25/33] net: sched: sch_htb: don't call qdisc_put() while holding tree lock Sasha Levin
2019-10-25 13:54 ` [PATCH AUTOSEL 5.3 26/33] net: sched: multiq: " Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 5.3 29/33] ipv6: Handle race in addrconf_dad_work Sasha Levin
2019-10-25 13:55 ` [PATCH AUTOSEL 5.3 31/33] sctp: add chunks to sk_backlog when the newsk sk_socket is not set Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191025135505.24762-5-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dhowells@redhat.com \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).