Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp4484362ybx;
        Mon, 4 Nov 2019 14:11:41 -0800 (PST)
X-Google-Smtp-Source: APXvYqyvXVa+IKpUJQXNiddVsFk4NV+VQGP4zyz3QdkEn9SUnKdnv0DspuW6qo6RK8o3PMqqFdRE
X-Received: by 2002:aa7:ca0c:: with SMTP id y12mr31849628eds.224.1572905501083;
        Mon, 04 Nov 2019 14:11:41 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1572905501; cv=none;
        d=google.com; s=arc-20160816;
        b=B64QjTKvZNFVQ81PUcMzyTZgiD8AIBxJEojtybM3dANm2Sm6Dj1hBk9m+FXTpYFQFq
         fb9huR1YmNeskP5i4xfhl7E6nSglWxN3m16XiBcT6K/6fAfcQXpUVpGpxqTGPMlXHrRP
         Wwtr4K1IyQHKFCFQJVdCiwUy2zbV0zM2yWFU+Ud/h5qdj1fBETCR8wSfus9Hcn0mYwp3
         /h/eLQBBkDbzCnC0KFkdHeMdP6fcAg8RkH6fw9JGy0PiY1T7tNlpe6Y55ECtRLRIgY3V
         N+p4T2Ro3NrcEiIuTFPpDo7rMqS7NbxfWtieCfMj6FKLMzH+2jIENSqevi0p6ZoOPtb3
         asWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=pdMi47UswcAgRGttIlq0WvmJsh9QDRwWuv/eBIxZRMc=;
        b=SndOjYrYCcksKP0WyjH49gbiCX416WAuOfN6LB+LN6vIgwHwDy6KJBOERiWuvBrJRT
         ZTZ4HE23OSneJqi2JagHW7Nxx8DMIbXut1tpFiw+drr79EYUv3lIZEAVF7qWGlVHQyqn
         d14QCTZfeK88gH4wfFe6M7q6ms81inr3Uhcl0C4UogyMn+k4l3Pml67+eVMwh9TLXz6J
         fdWIQm5mYnWAL7+qlMbIaq/EGKPOskDx02+aNNMR3pSs6APAA2EsyQP7SbenhlNQTXEl
         qTFQtEe9S+Td8yUP9tfGnplpmY25anm20y/YNiGYG4DJNd5UN/DrUs3PZrOLQk/JuOHf
         5Trw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=FBTcvc3B;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e21si2039713ejt.77.2019.11.04.14.11.17;
        Mon, 04 Nov 2019 14:11:41 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=FBTcvc3B;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390592AbfKDWKv (ORCPT <rfc822;epopevad@gmail.com> + 99 others);
        Mon, 4 Nov 2019 17:10:51 -0500
Received: from mail.kernel.org ([198.145.29.99]:44062 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2389445AbfKDWKs (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 4 Nov 2019 17:10:48 -0500
Received: from localhost (6.204-14-84.ripe.coltfrance.com [84.14.204.6])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 45D9F2084D;
        Mon,  4 Nov 2019 22:10:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1572905447;
        bh=H5yZze1um2DcFh8WKRdM4zHAKbDGFDEHhYWEA6paFsM=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=FBTcvc3BvD0KDEDPcwJJqIpZiTecGeGNMl+Iuz8XQ9bxyJHcd9TooLuV/LzNl+hJk
         ZDngru9Dg5cj0Yxi34tqDUXHGvtnJ1emYvqkEK7lSQ/MI29KlfHHGOp7feFWltny2y
         IQbgYWRh7Ev16ZWWyhr80mK84ZYr0JGpqVxOqgSg=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com,
        David Howells <dhowells@redhat.com>
Subject: [PATCH 5.3 150/163] rxrpc: Fix trace-after-put looking at the put peer record
Date:   Mon,  4 Nov 2019 22:45:40 +0100
Message-Id: <20191104212151.170983217@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191104212140.046021995@linuxfoundation.org>
References: <20191104212140.046021995@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells <dhowells@redhat.com>

commit 55f6c98e3674ce16038a1949c3f9ca5a9a99f289 upstream.

rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement
of the refcount - which looks at the debug_id in the peer record.  But
unless the refcount was reduced to zero, we no longer have the right to
look in the record and, indeed, it may be deleted by some other thread.

Fix this by getting the debug_id out before decrementing the refcount and
then passing that into the tracepoint.

This can cause the following symptoms:

    BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
    [inline]
    BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
    net/rxrpc/peer_object.c:435
    Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

Fixes: 1159d4b496f5 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/trace/events/rxrpc.h |    6 +++---
 net/rxrpc/peer_object.c      |   11 +++++++----
 2 files changed, 10 insertions(+), 7 deletions(-)

--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -519,10 +519,10 @@ TRACE_EVENT(rxrpc_local,
 	    );
 
 TRACE_EVENT(rxrpc_peer,
-	    TP_PROTO(struct rxrpc_peer *peer, enum rxrpc_peer_trace op,
+	    TP_PROTO(unsigned int peer_debug_id, enum rxrpc_peer_trace op,
 		     int usage, const void *where),
 
-	    TP_ARGS(peer, op, usage, where),
+	    TP_ARGS(peer_debug_id, op, usage, where),
 
 	    TP_STRUCT__entry(
 		    __field(unsigned int,	peer		)
@@ -532,7 +532,7 @@ TRACE_EVENT(rxrpc_peer,
 			     ),
 
 	    TP_fast_assign(
-		    __entry->peer = peer->debug_id;
+		    __entry->peer = peer_debug_id;
 		    __entry->op = op;
 		    __entry->usage = usage;
 		    __entry->where = where;
--- a/net/rxrpc/peer_object.c
+++ b/net/rxrpc/peer_object.c
@@ -381,7 +381,7 @@ struct rxrpc_peer *rxrpc_get_peer(struct
 	int n;
 
 	n = atomic_inc_return(&peer->usage);
-	trace_rxrpc_peer(peer, rxrpc_peer_got, n, here);
+	trace_rxrpc_peer(peer->debug_id, rxrpc_peer_got, n, here);
 	return peer;
 }
 
@@ -395,7 +395,7 @@ struct rxrpc_peer *rxrpc_get_peer_maybe(
 	if (peer) {
 		int n = atomic_fetch_add_unless(&peer->usage, 1, 0);
 		if (n > 0)
-			trace_rxrpc_peer(peer, rxrpc_peer_got, n + 1, here);
+			trace_rxrpc_peer(peer->debug_id, rxrpc_peer_got, n + 1, here);
 		else
 			peer = NULL;
 	}
@@ -426,11 +426,13 @@ static void __rxrpc_put_peer(struct rxrp
 void rxrpc_put_peer(struct rxrpc_peer *peer)
 {
 	const void *here = __builtin_return_address(0);
+	unsigned int debug_id;
 	int n;
 
 	if (peer) {
+		debug_id = peer->debug_id;
 		n = atomic_dec_return(&peer->usage);
-		trace_rxrpc_peer(peer, rxrpc_peer_put, n, here);
+		trace_rxrpc_peer(debug_id, rxrpc_peer_put, n, here);
 		if (n == 0)
 			__rxrpc_put_peer(peer);
 	}
@@ -443,10 +445,11 @@ void rxrpc_put_peer(struct rxrpc_peer *p
 void rxrpc_put_peer_locked(struct rxrpc_peer *peer)
 {
 	const void *here = __builtin_return_address(0);
+	unsigned int debug_id = peer->debug_id;
 	int n;
 
 	n = atomic_dec_return(&peer->usage);
-	trace_rxrpc_peer(peer, rxrpc_peer_put, n, here);
+	trace_rxrpc_peer(debug_id, rxrpc_peer_put, n, here);
 	if (n == 0) {
 		hash_del_rcu(&peer->hash_link);
 		list_del_init(&peer->keepalive_link);