| From f68c4a101ed947aec1ca429f53a2a0f947818a17 Mon Sep 17 00:00:00 2001 |
| From: David Howells <dhowells@redhat.com> |
| Date: Mon, 7 Oct 2019 10:58:29 +0100 |
| Subject: [PATCH] rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local |
| record |
| |
| commit 9ebeddef58c41bd700419cdcece24cf64ce32276 upstream. |
| |
| The rxrpc_peer record needs to hold a reference on the rxrpc_local record |
| it points to, because the peer is used as a base from which to access |
| information in the rxrpc_local record. |
| |
| This can cause problems in __rxrpc_put_peer(), where we need the network |
| namespace pointer, and in rxrpc_send_keepalive(), where we need to access |
| the UDP socket, leading to symptoms like: |
| |
| BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411 |
| [inline] |
| BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0 |
| net/rxrpc/peer_object.c:435 |
| Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216 |
| |
| Fix this by taking a ref on the local record for the peer record. |
| |
| Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive") |
| Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing") |
| Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c |
| index 9c3ac96f71cb..e6623a978922 100644 |
| --- a/net/rxrpc/peer_object.c |
| +++ b/net/rxrpc/peer_object.c |
| @@ -216,7 +216,7 @@ struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp) |
| peer = kzalloc(sizeof(struct rxrpc_peer), gfp); |
| if (peer) { |
| atomic_set(&peer->usage, 1); |
| - peer->local = local; |
| + peer->local = rxrpc_get_local(local); |
| INIT_HLIST_HEAD(&peer->error_targets); |
| peer->service_conns = RB_ROOT; |
| seqlock_init(&peer->service_conn_lock); |
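Review bot: Taking the local ref inside rxrpc_alloc_peer() means every path that discards a peer allocated here without going through __rxrpc_put_peer() now leaks a reference on the local, so any error exit after `peer->local = rxrpc_get_local(local);` (the rest of rxrpc_alloc_peer runs past the hunk, as do its callers) must call rxrpc_put_local(peer->local) before freeing the peer. I would document the ownership at the assignment itself so the pairing is obvious: `/* Hold a ref on local for the peer's lifetime; dropped in __rxrpc_put_peer() */`. The change also relies on rxrpc_get_local() handing back the pointer it was given, which is the usual kernel convention but is not visible here.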
| @@ -307,7 +307,6 @@ void rxrpc_new_incoming_peer(struct rxrpc_sock *rx, struct rxrpc_local *local, |
| unsigned long hash_key; |
| |
| hash_key = rxrpc_peer_hash_key(local, &peer->srx); |
| - peer->local = local; |
| rxrpc_init_peer(rx, peer, hash_key); |
| |
| spin_lock(&rxnet->peer_hash_lock); |
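Review bot: With `peer->local = local;` removed, rxrpc_new_incoming_peer() silently depends on `peer` having been allocated by rxrpc_alloc_peer() against the same `local` it is now handed only for the hash key; a peer built against a different local would be hashed under one local while holding a ref on another, and nothing in this function checks for it. A comment above the hash_key line would pin that contract: `/* peer->local (and its ref) were set by rxrpc_alloc_peer(); local here must be the same one */`. If a cheap sanity check is wanted, `WARN_ON_ONCE(peer->local != local);` after the hash_key line would catch a mismatch without changing behaviour. The head and tail of the function are outside the hunk.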
| @@ -417,6 +416,7 @@ static void __rxrpc_put_peer(struct rxrpc_peer *peer) |
| list_del_init(&peer->keepalive_link); |
| spin_unlock_bh(&rxnet->peer_hash_lock); |
| |
| + rxrpc_put_local(peer->local); |
| kfree_rcu(peer, rcu); |
| } |
| |
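Review bot: The placement of the new `rxrpc_put_local(peer->local);` is load-bearing: the description says __rxrpc_put_peer() reaches the network namespace through the local, and the hunk still touches `rxnet->peer_hash_lock` on the line before the put, so rxnet (obtained above the hunk, presumably from peer->local) must have no uses after this call. A one-line comment would stop a later refactor from moving the put above the unlock and reintroducing the use-after-free: `/* rxnet is reached via peer->local; drop the local ref only after its last use above */`. Note also that the peer struct itself stays reachable to RCU readers until the kfree_rcu() grace period while peer->local may already be gone, so any RCU-side reader must take a peer ref before dereferencing peer->local; that matches the usual lookup pattern but is worth confirming against the lookup code, which is not in this patch.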
| @@ -450,6 +450,7 @@ void rxrpc_put_peer_locked(struct rxrpc_peer *peer) |
| if (n == 0) { |
| hash_del_rcu(&peer->hash_link); |
| list_del_init(&peer->keepalive_link); |
| + rxrpc_put_local(peer->local); |
| kfree_rcu(peer, rcu); |
| } |
| } |
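Review bot: rxrpc_put_peer_locked() by its name runs with a lock held (the hash_del_rcu() just above suggests rxnet->peer_hash_lock), so the new `rxrpc_put_local(peer->local);` now executes in that locked, non-sleeping context and must neither sleep nor try to take peer_hash_lock itself; I would state the constraint on the line: `/* peer_hash_lock held: rxrpc_put_local() must stay non-blocking here */`. The same four-step teardown (hash_del_rcu, list_del_init, rxrpc_put_local, kfree_rcu) now appears verbatim in __rxrpc_put_peer() too; a small static helper such as rxrpc_free_peer_locked() called from both would keep them in sync the next time a peer field needs releasing. The head of the function is outside the hunk.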
| -- |
| 2.7.4 |
| |