From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com, David Howells
Subject: [PATCH 5.3 150/163] rxrpc: Fix trace-after-put looking at the put peer record
Date: Mon, 4 Nov 2019 22:45:40 +0100
Message-Id: <20191104212151.170983217@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191104212140.046021995@linuxfoundation.org>
References: <20191104212140.046021995@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells

commit 55f6c98e3674ce16038a1949c3f9ca5a9a99f289 upstream.

rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement of the refcount - which looks at the debug_id in the peer record. But unless the refcount was reduced to zero, we no longer have the right to look in the record and, indeed, it may be deleted by some other thread.

Fix this by getting the debug_id out before decrementing the refcount and then passing that into the tracepoint.

This can cause the following symptoms:

BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411 [inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0 net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

Fixes: 1159d4b496f5 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells
Signed-off-by: Greg Kroah-Hartman
---
 include/trace/events/rxrpc.h | 6 +++---
 net/rxrpc/peer_object.c | 11 +++++++----
 2 files changed, 10 insertions(+), 7 deletions(-)

--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -519,10 +519,10 @@ TRACE_EVENT(rxrpc_local, ); TRACE_EVENT(rxrpc_peer, - TP_PROTO(struct rxrpc_peer *peer, enum rxrpc_peer_trace op, + TP_PROTO(unsigned int peer_debug_id, enum rxrpc_peer_trace op, int usage, const void *where), - TP_ARGS(peer, op, usage, where), + TP_ARGS(peer_debug_id, op, usage, where), TP_STRUCT__entry( __field(unsigned int, peer ) @@ -532,7 +532,7 @@ TRACE_EVENT(rxrpc_peer, ), TP_fast_assign( - __entry->peer = peer->debug_id; + __entry->peer = peer_debug_id; __entry->op = op; __entry->usage = usage; __entry->where = where; --- a/net/rxrpc/peer_object.c +++ b/net/rxrpc/peer_object.c @@ -381,7 +381,7 @@ struct rxrpc_peer *rxrpc_get_peer(struct int n; n = atomic_inc_return(&peer->usage); - trace_rxrpc_peer(peer, rxrpc_peer_got, n, here); + trace_rxrpc_peer(peer->debug_id, rxrpc_peer_got, n, here); return peer; } @@ -395,7 +395,7 @@ struct rxrpc_peer *rxrpc_get_peer_maybe( if (peer) { int n = atomic_fetch_add_unless(&peer->usage, 1, 0); if (n > 0) - trace_rxrpc_peer(peer, rxrpc_peer_got, n + 1, here); + trace_rxrpc_peer(peer->debug_id, rxrpc_peer_got, n + 1, here); else peer = NULL; } @@ -426,11 +426,13 @@ static void __rxrpc_put_peer(struct rxrp void rxrpc_put_peer(struct rxrpc_peer *peer) { const void *here = __builtin_return_address(0); + unsigned int debug_id; int n; if (peer) { + debug_id = peer->debug_id; n = atomic_dec_return(&peer->usage); - trace_rxrpc_peer(peer, rxrpc_peer_put, n, here); + trace_rxrpc_peer(debug_id, rxrpc_peer_put, n, here); if (n == 0) __rxrpc_put_peer(peer); } @@ -443,10 +445,11 @@ void rxrpc_put_peer(struct rxrpc_peer *p void rxrpc_put_peer_locked(struct rxrpc_peer *peer) { const void *here = __builtin_return_address(0); + unsigned int debug_id = peer->debug_id; int n; n = atomic_dec_return(&peer->usage); - trace_rxrpc_peer(peer, rxrpc_peer_put, n, here); + trace_rxrpc_peer(debug_id, rxrpc_peer_put, n, here); if (n == 0) { hash_del_rcu(&peer->hash_link); list_del_init(&peer->keepalive_link);
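Review bot: In the TP_PROTO/TP_ARGS hunk for TRACE_EVENT(rxrpc_peer) the first parameter becomes `unsigned int peer_debug_id` while the `__field(unsigned int, peer)` entry keeps its type and name; that is the right call, since the entry already stored the integer id, so the trace record layout and any TP_printk consumer are unaffected, and the signature change turns any caller still passing the `struct rxrpc_peer *` into a build error instead of a silent stale dereference. Worth one sentence in the commit message saying the tracepoint record format is unchanged.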
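Review bot: In the rxrpc_get_peer_maybe() hunk the new `peer->debug_id` read sits inside `if (n > 0)`, after `atomic_fetch_add_unless()` has taken a reference, so unlike the put paths this dereference is on a record the caller now holds; a one-line comment there would spare the next reader from asking why the get side still dereferences after the atomic while the put side no longer does.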
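Review bot: In the rxrpc_put_peer() hunk `unsigned int debug_id;` is declared uninitialised at function scope and only assigned under `if (peer)`; every use is inside that same block, so it is correct, but declaring it in the block (`if (peer) { unsigned int debug_id = peer->debug_id; ...`) would scope it to where it is valid and keep -Wmaybe-uninitialized quiet through future refactors. The essential change, capturing `debug_id` before `atomic_dec_return()`, is in place: after the decrement the only remaining dereference is `__rxrpc_put_peer(peer)` under `if (n == 0)`, where this thread is the last holder.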
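Review bot: In the rxrpc_put_peer_locked() hunk `unsigned int debug_id = peer->debug_id;` is evaluated at declaration, before `atomic_dec_return()`, which is the required ordering; it adds no new NULL assumption because the existing `atomic_dec_return(&peer->usage)` already dereferences `peer` unconditionally, and the `hash_del_rcu()` / `list_del_init()` calls under `if (n == 0)` remain legitimate since the last holder owns the record.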
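The ordering the commit message describes, as an added user-space model that is neither the kernel's code nor the author's: the pre-patch put reads `debug_id` after the decrement and observes poisoned memory when a second reference holder frees the record in that window, while the patched ordering copies the id first and returns it intact. `peer_alloc`, `other_thread_put`, the poison byte and the race hook are assumptions of the demo.

```c
/* Added example, not kernel code: user-space model of the trace-after-put bug
 * in the commit message and its fix. Names, poison value, race hook: assumed. */
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0x6b  /* stand-in for slab free poisoning (assumption) */
struct peer {
    unsigned int debug_id;
    atomic_int usage;
};

struct peer *peer_alloc(unsigned int debug_id, int refs) {
    struct peer *p = malloc(sizeof *p);
    p->debug_id = debug_id;
    atomic_init(&p->usage, refs);
    return p;
}

/* Last ref gone: poison rather than free() so the stale read stays observable. */
static void peer_release(struct peer *p) { memset(p, POISON_BYTE, sizeof *p); }

/* Another thread dropping its reference right after ours: the window the
 * pre-patch tracepoint read falls into. */
void other_thread_put(struct peer *p) {
    if (atomic_fetch_sub(&p->usage, 1) - 1 == 0)
        peer_release(p);
}

/* Pre-patch ordering: decrement, then dereference the record for the
 * tracepoint. Returns the id the tracepoint would have logged. */
unsigned int put_peer_buggy(struct peer *p, void (*race)(struct peer *)) {
    int n = atomic_fetch_sub(&p->usage, 1) - 1;
    if (n != 0 && race)
        race(p);                       /* we hold no reference any more */
    unsigned int logged = p->debug_id; /* trace-after-put: stale memory */
    if (n == 0)
        peer_release(p);               /* last holder still owns the record */
    return logged;
}

/* Post-patch ordering: copy debug_id while the reference is still held and
 * pass the tracepoint a value, never the pointer. */
unsigned int put_peer_fixed(struct peer *p, void (*race)(struct peer *)) {
    unsigned int debug_id = p->debug_id;
    int n = atomic_fetch_sub(&p->usage, 1) - 1;
    if (n != 0 && race)
        race(p);
    if (n == 0)
        peer_release(p);
    return debug_id;
}
```

With two holders and the race hook wired in, the buggy put returns the poison pattern 0x6b6b6b6b where the fixed put returns the real id; with a single holder both agree, which is why the bug only shows under concurrent puts.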