From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com, David Howells
Subject: [PATCH 4.19 138/149] rxrpc: Fix call ref leak
Date: Mon, 4 Nov 2019 22:45:31 +0100
Message-Id: <20191104212146.426119131@linuxfoundation.org>
In-Reply-To: <20191104212126.090054740@linuxfoundation.org>
References: <20191104212126.090054740@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
User-Agent: quilt/0.66
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells

commit c48fc11b69e95007109206311b0187a3090591f3 upstream.

When sendmsg() finds a call to continue on with, if the call is in an
inappropriate state, it doesn't release the ref it just got on that call
before returning an error.

This causes the following symptom to show up with kasan:

	BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
	net/rxrpc/output.c:635
	Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077

where line 635 is:

	whdr.epoch	= htonl(peer->local->rxnet->epoch);

The local endpoint (which cannot be pinned by the call) has been released,
but not the peer (which is pinned by the call).

Fix this by releasing the call in the error path.

Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception")
Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com
Signed-off-by: David Howells
Signed-off-by: Greg Kroah-Hartman

---
 net/rxrpc/sendmsg.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -661,6 +661,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *
 	case RXRPC_CALL_SERVER_PREALLOC:
 	case RXRPC_CALL_SERVER_SECURING:
 	case RXRPC_CALL_SERVER_ACCEPTING:
+		rxrpc_put_call(call, rxrpc_call_put);
 		ret = -EBUSY;
 		goto error_release_sock;
 	default:
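Review bot: the added rxrpc_put_call(call, rxrpc_call_put) only covers the three RXRPC_CALL_SERVER_* arms of this switch; the default: arm that follows is cut off in the hunk, so please confirm that every other branch of this switch which bails out with an error before the normal release point also drops the reference the lookup took, otherwise the same leak pattern the commit message describes survives on those paths. A dedicated label (for example an error_put_call: that does the put and then falls through to error_release_sock) would keep the reference accounting in one place instead of an open-coded put before "ret = -EBUSY;", which is easy to miss the next time a case is added.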
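The bug class described in the commit message, a reference taken by a lookup and then dropped on the floor when a state check bails out early, is easy to catch with a refcount-balance check around each exit path. The following is an added, stand-alone C model written for this page; it is not the rxrpc code and not David Howells' patch. The call structure, the state names, find_call, call_get and call_put are all constructed stand-ins: the leaky variant mirrors the pre-patch shape (return -EBUSY while still holding the ref) and the fixed variant mirrors the patch (put before the error exit). In the real kernel the leaked call reference pins the peer while the local endpoint it points to is freed, which is what the KASAN report above shows; here the same imbalance is simply counted.

```c
#include <stdio.h>
#include <errno.h>

/* Constructed toy model of the pattern in the commit above (not rxrpc's
 * own types): a reference-counted call object and a state switch that
 * may exit early with an error. */
enum call_state {
	CALL_CLIENT_SEND_REQUEST,
	CALL_SERVER_PREALLOC,
	CALL_SERVER_SECURING,
	CALL_SERVER_ACCEPTING,
};

struct call {
	int refcount;		/* would free the object when it reaches 0 */
	enum call_state state;
};

static struct call *call_get(struct call *c) { c->refcount++; return c; }
static void call_put(struct call *c) { c->refcount--; }

/* Lookup that hands back a referenced call, as sendmsg()'s lookup does. */
static struct call *find_call(struct call *c) { return call_get(c); }

/* Pre-fix shape: the busy states return while still holding the ref. */
static int do_sendmsg_leaky(struct call *c)
{
	struct call *call = find_call(c);

	switch (call->state) {
	case CALL_SERVER_PREALLOC:
	case CALL_SERVER_SECURING:
	case CALL_SERVER_ACCEPTING:
		return -EBUSY;	/* BUG: reference from find_call() leaks */
	default:
		break;
	}
	call_put(call);		/* normal path balances the lookup */
	return 0;
}

/* Post-fix shape: release the reference before taking the error exit. */
static int do_sendmsg_fixed(struct call *c)
{
	struct call *call = find_call(c);

	switch (call->state) {
	case CALL_SERVER_PREALLOC:
	case CALL_SERVER_SECURING:
	case CALL_SERVER_ACCEPTING:
		call_put(call);	/* the patch's extra put */
		return -EBUSY;
	default:
		break;
	}
	call_put(call);
	return 0;
}

/* Runs one variant on a fresh call in the given state and returns the
 * reference imbalance left behind: 0 means balanced, >0 means leaked. */
static int ref_leak_after(int (*fn)(struct call *), enum call_state st)
{
	struct call c = { .refcount = 1, .state = st };

	fn(&c);
	return c.refcount - 1;
}

/* Return value of one variant for the given state, for checking that the
 * fix keeps the -EBUSY error while balancing the reference. */
static int status_for(int (*fn)(struct call *), enum call_state st)
{
	struct call c = { .refcount = 1, .state = st };

	return fn(&c);
}

int main(void)
{
	printf("leaky, accepting state: leak=%d\n",
	       ref_leak_after(do_sendmsg_leaky, CALL_SERVER_ACCEPTING));
	printf("fixed, accepting state: leak=%d\n",
	       ref_leak_after(do_sendmsg_fixed, CALL_SERVER_ACCEPTING));
	printf("fixed, client state:    leak=%d\n",
	       ref_leak_after(do_sendmsg_fixed, CALL_CLIENT_SEND_REQUEST));
	return 0;
}
```

The ref_leak_after() helper is the part worth reusing: wrapping each error path of a function in a before/after refcount comparison turns a leak that only shows up later as a use-after-free into an immediate, deterministic test failure, without needing KASAN or a fuzzer to hit the window.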