From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com, David Howells
Subject: [PATCH 4.14 86/95] rxrpc: Fix call ref leak
Date: Mon, 4 Nov 2019 22:45:24 +0100
Message-Id: <20191104212123.283049638@linuxfoundation.org>
In-Reply-To: <20191104212038.056365853@linuxfoundation.org>
References: <20191104212038.056365853@linuxfoundation.org>

From: David Howells

commit c48fc11b69e95007109206311b0187a3090591f3 upstream.

When sendmsg() finds a call to continue on with, if the call is in an
inappropriate state, it doesn't release the ref it just got on that call
before returning an error.

This causes the following symptom to show up with kasan:

    BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:635
    Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077

where line 635 is:

    whdr.epoch = htonl(peer->local->rxnet->epoch);

The local endpoint (which cannot be pinned by the call) has been released,
but not the peer (which is pinned by the call).

Fix this by releasing the call in the error path.

Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception")
Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com
Signed-off-by: David Howells
Signed-off-by: Greg Kroah-Hartman
---
 net/rxrpc/sendmsg.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -586,6 +586,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *
 		case RXRPC_CALL_SERVER_PREALLOC:
 		case RXRPC_CALL_SERVER_SECURING:
 		case RXRPC_CALL_SERVER_ACCEPTING:
+			rxrpc_put_call(call, rxrpc_call_put);
 			ret = -EBUSY;
 			goto error_release_sock;
 		default:
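Review bot: the reference is now dropped only inside the -EBUSY arm, so any other error return taken after the call lookup still has to remember its own `rxrpc_put_call(call, rxrpc_call_put);`; a dedicated label that does the put and then falls into `error_release_sock` would make the release structural rather than per-arm and would be harder to regress. The one-line change is otherwise correct for the symptom in the commit message: the `default:` arm, which continues with the call, is untouched, so the reference that the success path needs is preserved, and the put happens before the socket is released.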
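The leak described in the commit message is a general pattern: a lookup returns an object with a reference taken, a state check rejects the object, and the error jump skips the put. The toy below is an added illustration, not kernel code; it reproduces the shape of the buggy and fixed `sendmsg` paths with a hypothetical refcounted `struct call` (all names and state values are stand-ins) and counts references so the leak is visible. It generalises the hunk slightly by routing every post-lookup error through one label that drops the reference.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-ins for the call states (values constructed). */
enum call_state {
	CALL_CLIENT_SEND_REQUEST,   /* a state sendmsg() may continue in */
	CALL_SERVER_PREALLOC,       /* states sendmsg() rejects with -EBUSY */
	CALL_SERVER_SECURING,
	CALL_SERVER_ACCEPTING,
};

/* Toy reference-counted call object. */
struct call {
	int refcount;
	enum call_state state;
};

static struct call *call_get(struct call *c) { c->refcount++; return c; }
static void call_put(struct call *c) { c->refcount--; }

/* Stand-in for the lookup that hands sendmsg() a referenced call. */
static struct call *find_call(struct call *c) { return call_get(c); }

/* Shape of the code before the fix: the -EBUSY arm jumps to the socket
 * release label without dropping the reference taken by find_call(). */
static int do_sendmsg_leaky(struct call *c)
{
	struct call *call = find_call(c);
	int ret;

	switch (call->state) {
	case CALL_SERVER_PREALLOC:
	case CALL_SERVER_SECURING:
	case CALL_SERVER_ACCEPTING:
		ret = -EBUSY;
		goto error_release_sock;	/* bug: the lookup ref is never put */
	default:
		break;
	}
	/* ... normal send path would run here ... */
	call_put(call);			/* success path drops the ref */
	return 0;

error_release_sock:
	/* the real code unlocks the socket here; nothing drops the call ref */
	return ret;
}

/* Shape after the fix, generalised: every error taken after the lookup
 * goes through one label that drops the reference, so no case arm has
 * to remember the put itself. */
static int do_sendmsg_fixed(struct call *c)
{
	struct call *call = find_call(c);
	int ret;

	switch (call->state) {
	case CALL_SERVER_PREALLOC:
	case CALL_SERVER_SECURING:
	case CALL_SERVER_ACCEPTING:
		ret = -EBUSY;
		goto error_put_call;
	default:
		break;
	}
	/* ... normal send path would run here ... */
	call_put(call);
	return 0;

error_put_call:
	call_put(call);			/* the fix: release the lookup ref */
	/* the real code would unlock the socket here as well */
	return ret;
}

/* Run one variant on a fresh call that one other owner holds and return
 * how many references were leaked (0 means balanced). */
static int leaked_refs(int (*sendmsg)(struct call *), enum call_state st)
{
	struct call c = { .refcount = 1, .state = st };

	sendmsg(&c);
	return c.refcount - 1;
}

/* Return the error code the variant reports for a given state. */
static int result_code(int (*sendmsg)(struct call *), enum call_state st)
{
	struct call c = { .refcount = 1, .state = st };

	return sendmsg(&c);
}

int main(void)
{
	printf("leaky, ACCEPTING: leaked %d ref(s)\n",
	       leaked_refs(do_sendmsg_leaky, CALL_SERVER_ACCEPTING));
	printf("fixed, ACCEPTING: leaked %d ref(s)\n",
	       leaked_refs(do_sendmsg_fixed, CALL_SERVER_ACCEPTING));
	return 0;
}
```

Counting references around each exit of a function, as `leaked_refs` does, is the unit-test analogue of what KASAN later catches at run time: a leaked reference keeps the object alive past the owner that was supposed to release it, and anything that object points to without pinning (here the local endpoint) can be freed underneath it.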