From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+93a5839deb355537440f@syzkaller.appspotmail.com, Sowmini Varadhan, Santosh Shilimkar, rds-devel@oss.oracle.com, Cong Wang, Santosh Shilimkar, "David S. Miller"
Subject: [PATCH 4.14 004/173] rds: fix two RCU related problems
Date: Mon, 24 Sep 2018 13:50:38 +0200
Message-Id: <20180924113114.845407997@linuxfoundation.org>
In-Reply-To: <20180924113114.334025954@linuxfoundation.org>
References: <20180924113114.334025954@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Cong Wang

[ Upstream commit cc4dfb7f70a344f24c1c71e298deea0771dadcb2 ]

When an rds sock is bound, it is inserted into the bind_hash_table, which is protected by RCU. But when releasing an rds sock, after it is removed from this hash table, it is freed immediately without respecting the RCU grace period. This could cause a use-after-free, as reported by syzbot.

Mark the rds sock with SOCK_RCU_FREE before inserting it into the bind_hash_table, so that it is always freed after an RCU grace period.

The other problem is in rds_find_bound(): the rds sock could be freed in between rhashtable_lookup_fast() and rds_sock_addref(), so we need to extend the RCU read lock protection in rds_find_bound() to close this race condition.

Reported-and-tested-by: syzbot+8967084bcac563795dc6@syzkaller.appspotmail.com
Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com
Cc: Sowmini Varadhan
Cc: Santosh Shilimkar
Cc: rds-devel@oss.oracle.com
Signed-off-by: Cong Wang
Acked-by: Santosh Shilimkar
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/rds/bind.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/rds/bind.c +++ b/net/rds/bind.c @@ -60,11 +60,13 @@ struct rds_sock *rds_find_bound(__be32 a u64 key = ((u64)addr << 32) | port; struct rds_sock *rs; - rs = rhashtable_lookup_fast(&bind_hash_table, &key, ht_parms); + rcu_read_lock(); + rs = rhashtable_lookup(&bind_hash_table, &key, ht_parms); if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD)) rds_sock_addref(rs); else rs = NULL; + rcu_read_unlock(); rdsdebug("returning rs %p for %pI4:%u\n", rs, &addr, ntohs(port)); @@ -157,6 +159,7 @@ int rds_bind(struct socket *sock, struct goto out; } + sock_set_flag(sk, SOCK_RCU_FREE); ret = rds_add_bound(rs, sin->sin_addr.s_addr, &sin->sin_port); if (ret) goto out;
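Review bot: in the rds_find_bound() hunk, the rcu_read_lock()/rcu_read_unlock() pair must enclose not just the lookup but also the SOCK_DEAD test and rds_sock_addref(rs), and it does; that is the whole point of the fix, since a lookup that drops the read side before taking a reference leaves exactly the window the message describes. Swapping rhashtable_lookup_fast() for rhashtable_lookup() is the right companion change, because the _fast variant takes its own RCU read lock internally while the plain variant expects the caller to hold it, so the old call would have nested a second read-side section for no benefit. One thing worth stating in the commit message: this hunk is only sound together with the SOCK_RCU_FREE hunk below. Holding rcu_read_lock() here delays nothing unless the sock is actually freed via an RCU grace period, so a backport that picked up this hunk alone would still leave the use-after-free in place.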
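Review bot: in the rds_bind() hunk, sock_set_flag(sk, SOCK_RCU_FREE) is placed immediately before rds_add_bound(), which is the correct ordering: the flag has to be set before the sock becomes reachable through bind_hash_table, otherwise a concurrent rds_find_bound() could observe the entry while a release would still free it synchronously. A one-line comment above the call saying that the flag must precede insertion into the RCU-protected table would help the next reader, since nothing at this site otherwise explains why the flag is set here rather than at socket creation. Note also that if rds_add_bound() fails and control takes `goto out`, the flag stays set on a sock that was never inserted; that is harmless (it only means the free is deferred by a grace period) but is worth a sentence so it does not look like an oversight.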