[5.10,087/104] rxrpc: Fix clearance of Tx/Rx ring when releasing a call

From: David Howells <dhowells@redhat.com>

From: David Howells <dhowells@redhat.com>

commit 7b5eab57cac45e270a0ad624ba157c5b30b3d44d upstream.

At the end of rxrpc_release_call(), rxrpc_cleanup_ring() is called to clear
the Rx/Tx skbuff ring, but this doesn't lock the ring whilst it's accessing
it.  Unfortunately, rxrpc_resend() might be trying to retransmit a packet
concurrently with this - and whilst it does lock the ring, this isn't
protection against rxrpc_cleanup_call().

Fix this by removing the call to rxrpc_cleanup_ring() from
rxrpc_release_call().  rxrpc_cleanup_ring() will be called again anyway
from rxrpc_cleanup_call().  The earlier call is just an optimisation to
recycle skbuffs more quickly.

Alternative solutions include rxrpc_release_call() could try to cancel the
work item or wait for it to complete or rxrpc_cleanup_ring() could lock
when accessing the ring (which would require a bh lock).

This can produce a report like the following:

  BUG: KASAN: use-after-free in rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
  Read of size 4 at addr ffff888011606e04 by task kworker/0:0/5
  ...
  Workqueue: krxrpcd rxrpc_process_call
  Call Trace:
   ...
   kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
   rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
   rxrpc_resend net/rxrpc/call_event.c:266 [inline]
   rxrpc_process_call+0x1634/0x1f60 net/rxrpc/call_event.c:412
   process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
   ...

  Allocated by task 2318:
   ...
   sock_alloc_send_pskb+0x793/0x920 net/core/sock.c:2348
   rxrpc_send_data+0xb51/0x2bf0 net/rxrpc/sendmsg.c:358
   rxrpc_do_sendmsg+0xc03/0x1350 net/rxrpc/sendmsg.c:744
   rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:560
   ...

  Freed by task 2318:
   ...
   kfree_skb+0x140/0x3f0 net/core/skbuff.c:704
   rxrpc_free_skb+0x11d/0x150 net/rxrpc/skbuff.c:78
   rxrpc_cleanup_ring net/rxrpc/call_object.c:485 [inline]
   rxrpc_release_call+0x5dd/0x860 net/rxrpc/call_object.c:552
   rxrpc_release_calls_on_socket+0x21c/0x300 net/rxrpc/call_object.c:579
   rxrpc_release_sock net/rxrpc/af_rxrpc.c:885 [inline]
   rxrpc_release+0x263/0x5a0 net/rxrpc/af_rxrpc.c:916
   __sock_release+0xcd/0x280 net/socket.c:597
   ...

  The buggy address belongs to the object at ffff888011606dc0
   which belongs to the cache skbuff_head_cache of size 232

Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
Reported-by: syzbot+174de899852504e4a74a@syzkaller.appspotmail.com
Reported-by: syzbot+3d1c772efafd3c38d007@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hillf Danton <hdanton@sina.com>
Link: https://lore.kernel.org/r/161234207610.653119.5287360098400436976.stgit@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/call_object.c |    2 --
 1 file changed, 2 deletions(-)

Message ID	20210215152722.264884406@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91190C433E6 for <stable@archiver.kernel.org>; Mon, 15 Feb 2021 15:43:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6654D64E8E for <stable@archiver.kernel.org>; Mon, 15 Feb 2021 15:43:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231483AbhBOPms (ORCPT <rfc822;stable@archiver.kernel.org>); Mon, 15 Feb 2021 10:42:48 -0500 Received: from mail.kernel.org ([198.145.29.99]:49648 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231140AbhBOPiK (ORCPT <rfc822;stable@vger.kernel.org>); Mon, 15 Feb 2021 10:38:10 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 8D86064EF2; Mon, 15 Feb 2021 15:34:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1613403255; bh=0E08mI+AalxikaHCYFbHxJVQdmeRgju6IU3SyRsu1GI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=u1RmVLvm00DXcG2DUNq1H/oXpHR9IrdGmrieSPvQXOvHOdBijG36BjjzNKAiXhXja ASoJe8sCaCmK+on9jk4qoOtHwuiwH8HY+Dr0m6sXh3VFQz0iaAovmmuIsI1coBT7KJ CLcsHZNPhNmh0e7pDwKLT5FMOrp7Jkj8tx+GjyGk= From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, syzbot+174de899852504e4a74a@syzkaller.appspotmail.com, syzbot+3d1c772efafd3c38d007@syzkaller.appspotmail.com, David Howells <dhowells@redhat.com>, Hillf Danton <hdanton@sina.com>, Jakub Kicinski <kuba@kernel.org> Subject: [PATCH 5.10 087/104] rxrpc: Fix clearance of Tx/Rx ring when releasing a call Date: Mon, 15 Feb 2021 16:27:40 +0100 Message-Id: <20210215152722.264884406@linuxfoundation.org> X-Mailer: git-send-email 2.30.1 In-Reply-To: <20210215152719.459796636@linuxfoundation.org> References: <20210215152719.459796636@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: <stable.vger.kernel.org> X-Mailing-List: stable@vger.kernel.org
Series	None \| expand [5.10,002/104] Revert "dts: phy: add GPIO number and active state used for phy reset" [5.10,004/104] gpio: ep93xx: fix BUG_ON port F usage [5.10,005/104] gpio: ep93xx: Fix single irqchip with multi gpiochips [5.10,006/104] tracing: Do not count ftrace events in top level enable output [5.10,007/104] tracing: Check length before giving out the filter buffer [5.10,008/104] drm/i915: Fix overlay frontbuffer tracking [5.10,009/104] arm/xen: Dont probe xenbus as part of an early initcall [5.10,010/104] cgroup: fix psi monitor for root cgroup [5.10,011/104] Revert "drm/amd/display: Update NV1x SR latency values" [5.10,012/104] drm/i915/tgl+: Make sure TypeC FIA is powered up when initializing it [5.10,015/104] tmpfs: disallow CONFIG_TMPFS_INODE64 on s390 [5.10,017/104] soc: ti: omap-prm: Fix boot time errors for rst_map_012 bits 0 and 1 [5.10,018/104] arm64: dts: rockchip: Fix PCIe DT properties on rk3399 [5.10,019/104] arm64: dts: qcom: sdm845: Reserve LPASS clocks in gcc [5.10,021/104] arm64: dts: rockchip: remove interrupt-names property from rk3399 vdec node [5.10,022/104] kbuild: simplify GCC_PLUGINS enablement in dummy-tools/gcc [5.10,024/104] arm64: dts: rockchip: Disable display for NanoPi R2S [5.10,026/104] cap: fix conversions on getxattr [5.10,027/104] ovl: skip getxattr of security labels [5.10,030/104] nvme-pci: ignore the subsysem NQN on Phison E16 [5.10,031/104] drm/amd/display: Fix DPCD translation for LTTPR AUX_RD_INTERVAL [5.10,036/104] drm/amd/display: Decrement refcount of dc_sink before reassignment [5.10,037/104] riscv: virt_addr_valid must check the address belongs to linear mapping [5.10,040/104] kallsyms: fix nonconverging kallsyms table with lld [5.10,041/104] ARM: ensure the signal page contains defined contents [5.10,042/104] ARM: kexec: fix oops after TLB are invalidated [5.10,044/104] ubsan: implement __ubsan_handle_alignment_assumption [5.10,047/104] lkdtm: dont move ctors to .rodata [5.10,050/104] dmaengine: idxd: fix misc interrupt completion [5.10,051/104] ath9k: fix build error with LEDS_CLASS=m [5.10,056/104] bpf: Check for integer overflow when using roundup_pow_of_two() [5.10,057/104] netfilter: xt_recent: Fix attempt to update deleted entry [5.10,059/104] netfilter: nftables: fix possible UAF over chains from packet path in netns [5.10,061/104] xen/netback: avoid race in xenvif_rx_ring_slots_available() [5.10,062/104] net: hdlc_x25: Return meaningful error code in x25_open [5.10,063/104] net: ipa: set error code in gsi_channel_setup() [5.10,064/104] hv_netvsc: Reset the RSC count if NVSP_STAT_FAIL in netvsc_receive() [5.10,066/104] selftests: txtimestamp: fix compilation issue [5.10,068/104] ibmvnic: Clear failover_pending if unable to schedule [5.10,072/104] net: dsa: felix: implement port flushing on .phylink_mac_link_down [5.10,074/104] net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx() [5.10,075/104] net: hns3: add a check for index in hclge_get_rss_key() [5.10,078/104] drm/sun4i: dw-hdmi: always set clock rate [5.10,079/104] drm/sun4i: Fix H6 HDMI PHY configuration [5.10,081/104] clk: sunxi-ng: mp: fix parent rate change flag check [5.10,082/104] i2c: stm32f7: fix configuration of the digital filter [5.10,083/104] h8300: fix PREEMPTION build, TI_PRE_COUNT undefined [5.10,086/104] arm64: mte: Allow PTRACE_PEEKMTETAGS access to the zero page [5.10,087/104] rxrpc: Fix clearance of Tx/Rx ring when releasing a call [5.10,088/104] udp: fix skb_copy_and_csum_datagram with odd segment sizes [5.10,090/104] cpufreq: ACPI: Extend frequency tables to cover boost frequencies [5.10,092/104] net: gro: do not keep too many GRO packets in napi->rx_list [5.10,093/104] net: fix iteration for sctp transport seq_files [5.10,095/104] net/vmw_vsock: improve locking in vsock_connect_timeout() [5.10,097/104] bridge: mrp: Fix the usage of br_mrp_port_switchdev_set_state [5.10,103/104] ovl: expand warning in ovl_d_real()

[5.10,087/104] rxrpc: Fix clearance of Tx/Rx ring when releasing a call

Commit Message

Patch