release/5.2.26/rxrpc-rxrpc_peer-needs-to-hold-a-ref-on-the-rxrpc_lo.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From f68c4a101ed947aec1ca429f53a2a0f947818a17 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 7 Oct 2019 10:58:29 +0100
 Subject: [PATCH] rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local
  record

 commit 9ebeddef58c41bd700419cdcece24cf64ce32276 upstream.

 The rxrpc_peer record needs to hold a reference on the rxrpc_local record
 it points as the peer is used as a base to access information in the
 rxrpc_local record.

 This can cause problems in __rxrpc_put_peer(), where we need the network
 namespace pointer, and in rxrpc_send_keepalive(), where we need to access
 the UDP socket, leading to symptoms like:

     BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
     [inline]
     BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
     net/rxrpc/peer_object.c:435
     Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

 Fix this by taking a ref on the local record for the peer record.

 Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
 Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
 Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
 Signed-off-by: David Howells <dhowells@redhat.com>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
 index 9c3ac96f71cb..e6623a978922 100644
 --- a/net/rxrpc/peer_object.c
 +++ b/net/rxrpc/peer_object.c
 @@ -216,7 +216,7 @@ struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp)
  	peer = kzalloc(sizeof(struct rxrpc_peer), gfp);
  	if (peer) {
  		atomic_set(&peer->usage, 1);
 -		peer->local = local;
 +		peer->local = rxrpc_get_local(local);
  		INIT_HLIST_HEAD(&peer->error_targets);
  		peer->service_conns = RB_ROOT;
  		seqlock_init(&peer->service_conn_lock);
 @@ -307,7 +307,6 @@ void rxrpc_new_incoming_peer(struct rxrpc_sock *rx, struct rxrpc_local *local,
  	unsigned long hash_key;

  	hash_key = rxrpc_peer_hash_key(local, &peer->srx);
 -	peer->local = local;
  	rxrpc_init_peer(rx, peer, hash_key);

  	spin_lock(&rxnet->peer_hash_lock);
 @@ -417,6 +416,7 @@ static void __rxrpc_put_peer(struct rxrpc_peer *peer)
  	list_del_init(&peer->keepalive_link);
  	spin_unlock_bh(&rxnet->peer_hash_lock);

 +	rxrpc_put_local(peer->local);
  	kfree_rcu(peer, rcu);
  }

 @@ -450,6 +450,7 @@ void rxrpc_put_peer_locked(struct rxrpc_peer *peer)
  	if (n == 0) {
  		hash_del_rcu(&peer->hash_link);
  		list_del_init(&peer->keepalive_link);
 +		rxrpc_put_local(peer->local);
  		kfree_rcu(peer, rcu);
  	}
  }
 --
 2.7.4
	From f68c4a101ed947aec1ca429f53a2a0f947818a17 Mon Sep 17 00:00:00 2001
	From: David Howells <dhowells@redhat.com>
	Date: Mon, 7 Oct 2019 10:58:29 +0100
	Subject: [PATCH] rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local
	record

	commit 9ebeddef58c41bd700419cdcece24cf64ce32276 upstream.

	The rxrpc_peer record needs to hold a reference on the rxrpc_local record
	it points as the peer is used as a base to access information in the
	rxrpc_local record.

	This can cause problems in __rxrpc_put_peer(), where we need the network
	namespace pointer, and in rxrpc_send_keepalive(), where we need to access
	the UDP socket, leading to symptoms like:

	BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
	[inline]
	BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
	net/rxrpc/peer_object.c:435
	Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

	Fix this by taking a ref on the local record for the peer record.

	Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
	Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
	Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
	Signed-off-by: David Howells <dhowells@redhat.com>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
	index 9c3ac96f71cb..e6623a978922 100644
	--- a/net/rxrpc/peer_object.c
	+++ b/net/rxrpc/peer_object.c
	@@ -216,7 +216,7 @@ struct rxrpc_peer rxrpc_alloc_peer(struct rxrpc_local local, gfp_t gfp)
	peer = kzalloc(sizeof(struct rxrpc_peer), gfp);
	if (peer) {
	atomic_set(&peer->usage, 1);
	- peer->local = local;
	+ peer->local = rxrpc_get_local(local);
	INIT_HLIST_HEAD(&peer->error_targets);
	peer->service_conns = RB_ROOT;
	seqlock_init(&peer->service_conn_lock);
	@@ -307,7 +307,6 @@ void rxrpc_new_incoming_peer(struct rxrpc_sock rx, struct rxrpc_local local,
	unsigned long hash_key;

	hash_key = rxrpc_peer_hash_key(local, &peer->srx);
	- peer->local = local;
	rxrpc_init_peer(rx, peer, hash_key);

	spin_lock(&rxnet->peer_hash_lock);
	@@ -417,6 +416,7 @@ static void __rxrpc_put_peer(struct rxrpc_peer *peer)
	list_del_init(&peer->keepalive_link);
	spin_unlock_bh(&rxnet->peer_hash_lock);

	+ rxrpc_put_local(peer->local);
	kfree_rcu(peer, rcu);
	}

	@@ -450,6 +450,7 @@ void rxrpc_put_peer_locked(struct rxrpc_peer *peer)
	if (n == 0) {
	hash_del_rcu(&peer->hash_link);
	list_del_init(&peer->keepalive_link);
	+ rxrpc_put_local(peer->local);
	kfree_rcu(peer, rcu);
	}
	}
	--
	2.7.4