From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+11e05f04c15e03be5254@syzkaller.appspotmail.com, Cong Wang, "David S. Miller"
Subject: [PATCH 4.14 119/143] llc: set SOCK_RCU_FREE in llc_sap_add_socket()
Date: Fri, 2 Nov 2018 19:35:04 +0100
Message-Id: <20181102182907.376353233@linuxfoundation.org>
In-Reply-To: <20181102182857.064326086@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Cong Wang

[ Upstream commit 5a8e7aea953bdb6d4da13aff6f1e7f9c62023499 ]

When an llc sock is added into the sk_laddr_hash of an llc_sap, it is not marked with SOCK_RCU_FREE.

This causes that the sock could be freed while it is still being read by __llc_lookup_established() with RCU read lock. sock is refcounted, but with RCU read lock, nothing prevents the readers getting a zero refcnt.

Fix it by setting SOCK_RCU_FREE in llc_sap_add_socket().

Reported-by: syzbot+11e05f04c15e03be5254@syzkaller.appspotmail.com
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

--- net/llc/llc_conn.c | 1 + 1 file changed, 1 insertion(+) --- a/net/llc/llc_conn.c +++ b/net/llc/llc_conn.c @@ -734,6 +734,7 @@ void llc_sap_add_socket(struct llc_sap * llc_sk(sk)->sap = sap; spin_lock_bh(&sap->sk_lock); + sock_set_flag(sk, SOCK_RCU_FREE); sap->sk_count++; sk_nulls_add_node_rcu(sk, laddr_hb); hlist_add_head(&llc->dev_hash_node, dev_hb);
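Review bot: The added sock_set_flag(sk, SOCK_RCU_FREE) in llc_sap_add_socket() has no comment, and its correctness depends on where it sits: it has to run before sk_nulls_add_node_rcu(sk, laddr_hb) publishes the sock to RCU readers, which it does here. A one-line comment above it saying that the flag must be set before the sock is added to sk_laddr_hash, and that it pairs with the RCU lookup in __llc_lookup_established(), would keep a later reordering of this block from reintroducing the use-after-free. Since the commit message says readers can observe a zero refcount, it is also worth confirming when reviewing the backport that the lookup side in this tree takes its reference in a way that fails on zero; the flag only defers the free past a grace period and does not by itself stop a reader from picking up a sock that is already on its way out.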