| From c48fc11b69e95007109206311b0187a3090591f3 Mon Sep 17 00:00:00 2001 |
| From: David Howells <dhowells@redhat.com> |
| Date: Mon, 7 Oct 2019 10:58:28 +0100 |
| Subject: rxrpc: Fix call ref leak |
| |
| From: David Howells <dhowells@redhat.com> |
| |
| commit c48fc11b69e95007109206311b0187a3090591f3 upstream. |
| |
| When sendmsg() finds a call to continue on with, if the call is in an |
| inappropriate state, it doesn't release the ref it just got on that call |
| before returning an error. |
| |
| This causes the following symptom to show up with kasan: |
| |
| BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940 |
| net/rxrpc/output.c:635 |
| Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077 |
| |
| where line 635 is: |
| |
| whdr.epoch = htonl(peer->local->rxnet->epoch); |
| |
| The local endpoint (which cannot be pinned by the call) has been released, |
| but not the peer (which is pinned by the call). |
| |
| Fix this by releasing the call in the error path. |
| |
| Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception") |
| Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
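The reference-leak pattern the commit describes, modelled in a stand-alone C program as an added example (not kernel code and not part of this patch): a lookup hands the caller a referenced object, an early error return forgets to drop that reference, and the object can never be freed. The `toy_*` names, states and counters are hypothetical and only loosely mirror the rxrpc call states in the hunk; the example shows the leak itself, not the later use-after-free that KASAN reported.

```c
/* Added example, not from the rxrpc patch or the kernel: a minimal model of the
 * get/put discipline that the fix restores.  All toy_* identifiers are
 * hypothetical; the state names are chosen to echo the cases in the hunk. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

enum toy_call_state {
	TOY_CALL_CLIENT_SEND_REQUEST,
	TOY_CALL_SERVER_PREALLOC,
	TOY_CALL_SERVER_SECURING,
	TOY_CALL_SERVER_ACCEPTING,
};

struct toy_call {
	int refcount;
	enum toy_call_state state;
	int freed;	/* set when the last reference drops */
};

static void toy_get_call(struct toy_call *call)
{
	call->refcount++;
}

static void toy_put_call(struct toy_call *call)
{
	if (call->refcount <= 0)
		abort();	/* put without a matching get: would be a double free */
	if (--call->refcount == 0)
		call->freed = 1;
}

/* Models the lookup that hands sendmsg() a call with a reference already taken. */
static struct toy_call *toy_find_call(struct toy_call *call)
{
	toy_get_call(call);
	return call;
}

/* 'Before' behaviour: the -EBUSY path returns with the lookup's reference held. */
static int toy_sendmsg_leaky(struct toy_call *c)
{
	struct toy_call *call = toy_find_call(c);

	switch (call->state) {
	case TOY_CALL_SERVER_PREALLOC:
	case TOY_CALL_SERVER_SECURING:
	case TOY_CALL_SERVER_ACCEPTING:
		return -EBUSY;	/* reference leaked here */
	default:
		break;
	}
	toy_put_call(call);	/* only the success path drops the reference */
	return 0;
}

/* 'After' behaviour: every exit drops the reference the function took. */
static int toy_sendmsg_fixed(struct toy_call *c)
{
	struct toy_call *call = toy_find_call(c);
	int ret;

	switch (call->state) {
	case TOY_CALL_SERVER_PREALLOC:
	case TOY_CALL_SERVER_SECURING:
	case TOY_CALL_SERVER_ACCEPTING:
		ret = -EBUSY;
		goto out_put;
	default:
		break;
	}
	ret = 0;
out_put:
	toy_put_call(call);
	return ret;
}

static int toy_last_ret;	/* return value of the most recent toy_leaked_refs() run */

/* Runs fn against a fresh call in the given state, then drops the creator's own
 * reference.  Returns 0 when the object was freed (no leak) or the number of
 * references still pinning it (each one a leaked get). */
static int toy_leaked_refs(int (*fn)(struct toy_call *), enum toy_call_state state)
{
	struct toy_call call = { .refcount = 1, .state = state, .freed = 0 };

	toy_last_ret = fn(&call);
	toy_put_call(&call);
	return call.freed ? 0 : call.refcount;
}

int main(void)
{
	printf("leaky,  ACCEPTING: leaked=%d\n",
	       toy_leaked_refs(toy_sendmsg_leaky, TOY_CALL_SERVER_ACCEPTING));
	printf("fixed,  ACCEPTING: leaked=%d\n",
	       toy_leaked_refs(toy_sendmsg_fixed, TOY_CALL_SERVER_ACCEPTING));
	printf("leaky,  CLIENT:    leaked=%d\n",
	       toy_leaked_refs(toy_sendmsg_leaky, TOY_CALL_CLIENT_SEND_REQUEST));
	return 0;
}
```

The harness drops the creator's reference after the call returns, so a non-zero result means something other than the creator still pins the object; in the real bug that lingering reference was the one sendmsg() had just taken, and it kept the call (and through it the peer) alive after the endpoint they hung off had gone away.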
| --- |
| net/rxrpc/sendmsg.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/rxrpc/sendmsg.c |
| +++ b/net/rxrpc/sendmsg.c |
| @@ -661,6 +661,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock * |
| case RXRPC_CALL_SERVER_PREALLOC: |
| case RXRPC_CALL_SERVER_SECURING: |
| case RXRPC_CALL_SERVER_ACCEPTING: |
| + rxrpc_put_call(call, rxrpc_call_put); |
| ret = -EBUSY; |
| goto error_release_sock; |
| default: |
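Review bot: the added rxrpc_put_call() only covers the three-case -EBUSY branch; the `default:` branch that follows is cut off in the hunk, so confirm that whatever error it returns also drops the reference taken when the call was looked up, since it presumably leaves through the same `error_release_sock` path. A shape that is harder to get wrong than a per-branch put is a dedicated label, e.g. `error_put_call:` doing `rxrpc_put_call(call, rxrpc_call_put);` and falling into `error_release_sock`, so that every error exit after the lookup releases the call in one place.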