releases/4.9.136/llc-set-sock_rcu_free-in-llc_sap_add_socket.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Fri Nov  2 10:04:04 CET 2018
 From: Cong Wang <xiyou.wangcong@gmail.com>
 Date: Thu, 11 Oct 2018 11:15:13 -0700
 Subject: llc: set SOCK_RCU_FREE in llc_sap_add_socket()

 From: Cong Wang <xiyou.wangcong@gmail.com>

 [ Upstream commit 5a8e7aea953bdb6d4da13aff6f1e7f9c62023499 ]

 WHen an llc sock is added into the sk_laddr_hash of an llc_sap,
 it is not marked with SOCK_RCU_FREE.

 This causes that the sock could be freed while it is still being
 read by __llc_lookup_established() with RCU read lock. sock is
 refcounted, but with RCU read lock, nothing prevents the readers
 getting a zero refcnt.

 Fix it by setting SOCK_RCU_FREE in llc_sap_add_socket().

 Reported-by: syzbot+11e05f04c15e03be5254@syzkaller.appspotmail.com
 Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/llc/llc_conn.c |    1 +
  1 file changed, 1 insertion(+)

 --- a/net/llc/llc_conn.c
 +++ b/net/llc/llc_conn.c
 @@ -734,6 +734,7 @@ void llc_sap_add_socket(struct llc_sap *
  	llc_sk(sk)->sap = sap;

  	spin_lock_bh(&sap->sk_lock);
 +	sock_set_flag(sk, SOCK_RCU_FREE);
  	sap->sk_count++;
  	sk_nulls_add_node_rcu(sk, laddr_hb);
  	hlist_add_head(&llc->dev_hash_node, dev_hb);
	From foo@baz Fri Nov 2 10:04:04 CET 2018
	From: Cong Wang <xiyou.wangcong@gmail.com>
	Date: Thu, 11 Oct 2018 11:15:13 -0700
	Subject: llc: set SOCK_RCU_FREE in llc_sap_add_socket()

	From: Cong Wang <xiyou.wangcong@gmail.com>

	[ Upstream commit 5a8e7aea953bdb6d4da13aff6f1e7f9c62023499 ]

	WHen an llc sock is added into the sk_laddr_hash of an llc_sap,
	it is not marked with SOCK_RCU_FREE.

	This causes that the sock could be freed while it is still being
	read by __llc_lookup_established() with RCU read lock. sock is
	refcounted, but with RCU read lock, nothing prevents the readers
	getting a zero refcnt.

	Fix it by setting SOCK_RCU_FREE in llc_sap_add_socket().

	Reported-by: syzbot+11e05f04c15e03be5254@syzkaller.appspotmail.com
	Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/llc/llc_conn.c \| 1 +
	1 file changed, 1 insertion(+)

	--- a/net/llc/llc_conn.c
	+++ b/net/llc/llc_conn.c
	@@ -734,6 +734,7 @@ void llc_sap_add_socket(struct llc_sap *
	llc_sk(sk)->sap = sap;

	spin_lock_bh(&sap->sk_lock);
	+ sock_set_flag(sk, SOCK_RCU_FREE);
	sap->sk_count++;
	sk_nulls_add_node_rcu(sk, laddr_hb);
	hlist_add_head(&llc->dev_hash_node, dev_hb);