author | David Howells <dhowells@redhat.com> | 2019-10-07 05:58:29 -0400 |
committer | David Howells <dhowells@redhat.com> | 2019-10-07 06:05:05 -0400 |
commit | 9ebeddef58c41bd700419cdcece24cf64ce32276 (patch) | |
tree | 7e4fbd61beb570d2abca88a4e00276f9c8b3ebc4 /net | |
parent | 48c9e0ec7cbbb7370448f859ccc8e3b7eb69e755 (diff) |
rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
The rxrpc_peer record needs to hold a reference on the rxrpc_local record
it points to, as the peer is used as a base to access information in the
rxrpc_local record.
This can cause problems in __rxrpc_put_peer(), where we need the network
namespace pointer, and in rxrpc_send_keepalive(), where we need to access
the UDP socket, leading to symptoms like:
BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
[inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
Fix this by taking a ref on the local record for the peer record.
Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/rxrpc/peer_object.c | 5 |
1 files changed, 3 insertions, 2 deletions
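--- a/net/rxrpc/peer_object.c
+++ b/net/rxrpc/peer_object.c
@@ -216,7 +216,7 @@ struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp)
 peer = kzalloc(sizeof(struct rxrpc_peer), gfp);
 if (peer) {
 atomic_set(&peer->usage, 1);
-peer->local = local;
+peer->local = rxrpc_get_local(local);
 INIT_HLIST_HEAD(&peer->error_targets);
 peer->service_conns = RB_ROOT;
 seqlock_init(&peer->service_conn_lock);
@@ -307,7 +307,6 @@ void rxrpc_new_incoming_peer(struct rxrpc_sock *rx, struct rxrpc_local *local,
 unsigned long hash_key;
 
 hash_key = rxrpc_peer_hash_key(local, &peer->srx);
-peer->local = local;
 rxrpc_init_peer(rx, peer, hash_key);
 
 spin_lock(&rxnet->peer_hash_lock);
@@ -417,6 +416,7 @@ static void __rxrpc_put_peer(struct rxrpc_peer *peer)
 list_del_init(&peer->keepalive_link);
 spin_unlock_bh(&rxnet->peer_hash_lock);
 
+rxrpc_put_local(peer->local);
 kfree_rcu(peer, rcu);
 }
 
@@ -453,6 +453,7 @@ void rxrpc_put_peer_locked(struct rxrpc_peer *peer)
 if (n == 0) {
 hash_del_rcu(&peer->hash_link);
 list_del_init(&peer->keepalive_link);
+rxrpc_put_local(peer->local);
 kfree_rcu(peer, rcu);
 }
 }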
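Review bot: In the rxrpc_alloc_peer hunk, `peer->local = rxrpc_get_local(local);` makes every peer returned by rxrpc_alloc_peer() own a reference on the local, but the only matching rxrpc_put_local() calls added are in __rxrpc_put_peer() and rxrpc_put_peer_locked(), so any caller that discards a freshly allocated peer with a plain kfree() rather than through those two paths (for example a lookup that loses a race against a concurrent insertion, or preallocated peers being torn down unused) would now leak the local ref; those callers are outside this diff, so I cannot confirm them here. A comment on the assignment, `/* peer owns a ref on local; released in __rxrpc_put_peer() / rxrpc_put_peer_locked() */`, would make that ownership rule visible at the point it is established. Relatedly, the rxrpc_new_incoming_peer hunk drops its own `peer->local = local;`, so it now silently depends on the peer having been allocated through rxrpc_alloc_peer() with the same local. All four enclosing functions start or end outside their hunks.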