Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp5048337pxb;
        Mon, 15 Feb 2021 08:11:52 -0800 (PST)
X-Google-Smtp-Source: ABdhPJz9VoK9pVB4IMV3Qggslpfq9/RPRaUA7YmkLCBIUaF4TujYPYa+7eZptNpScfPToMUdE4pk
X-Received: by 2002:a05:6402:1398:: with SMTP id b24mr15866682edv.108.1613405511937;
        Mon, 15 Feb 2021 08:11:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1613405511; cv=none;
        d=google.com; s=arc-20160816;
        b=BYpO+0YtB/Dze3HDbGEHfs+3e/DK5ITWzJWlw7P91sNgsEZO5HBscMe1xr0JuGehKg
         Ya7Gf7KyEF6ikxfb5VKZdIaPwTQp4e/RPnaM3IundQG0isZDl/dB6rDp8fi4CiR8CATw
         1u49rpe1UJdyJZRgLinckuR4OrjXDXDsCizE1QIj3Zwm+8XR0RzsMT8aHHFRYG00vQO/
         P7mtnYPfyf6n6UAtiAB5X3EVP36KBLccJoNRGg8GRhnkxXNI41iJg9PHjl4Zbf+4NlBN
         qbaJgfYj9IIJxYvyoHtVn3DorAH9RdMGcFzdq+QMo6SP32eh3HC9GnXi7zn4aLJ46k9Z
         Oh8A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=GqPBqMF9z+okNHKYcXYWf3jqKBoma6JzRe6kP9wn9QQ=;
        b=Jmsl+TclspE+OClF2vFMI6csNzDvPaDJhI3nEOyxB6kQ4gnaUwQuOensUpcKEuJwDm
         QxCXpLSEuxf2fq1r5UNcrEFMLhlkHQfzgye0dllDttq1KRxTxL2a7EXDAJe24SrCcsgv
         a14HzSJWBEdnh29kvo9srkwOL9rDzBFfS8Gx6FYQz+euV+XTxSB3xPLYua2si0wNwBA2
         D+eAp8W8mMY/anbAvgEzJ6+WLs9UOQirAF/a3Fxsju4sYQS07M3C69Vs8l2eXq5n08il
         +V/vombnuWRLxEFBzXw7UvdSA2CrpQvX9CxUlVwfOoNizPz4ma04gTE6j1U8nG9uZjiq
         AN/A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=BtT4362c;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id re10si8339685ejb.493.2021.02.15.08.11.27;
        Mon, 15 Feb 2021 08:11:51 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=BtT4362c;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232252AbhBOQH7 (ORCPT <rfc822;lowstz@gmail.com> + 99 others);
        Mon, 15 Feb 2021 11:07:59 -0500
Received: from mail.kernel.org ([198.145.29.99]:45568 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S231379AbhBOPdH (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Feb 2021 10:33:07 -0500
Received: by mail.kernel.org (Postfix) with ESMTPSA id 0EBF264EB4;
        Mon, 15 Feb 2021 15:30:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1613403048;
        bh=IyfM8QAqxdmKj3ed2+J8pq6AN14oeZqETF42m9dQf5Y=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=BtT4362cvuwVZh3gEwm/38iVBxDNRG//3jiceNc/xwlRHK6bb4H50fhDiQloszuy4
         e6Kryl03LmW92FeTOzBJSgihONOQsCYXUibUj0IBhjvz7JMqFxG90aVcQUDkSfPXpc
         Xoszs02XsTirkP2NzcA2/2l3bICIv6+ekNDA1aQM=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+174de899852504e4a74a@syzkaller.appspotmail.com,
        syzbot+3d1c772efafd3c38d007@syzkaller.appspotmail.com,
        David Howells <dhowells@redhat.com>,
        Hillf Danton <hdanton@sina.com>,
        Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.4 49/60] rxrpc: Fix clearance of Tx/Rx ring when releasing a call
Date:   Mon, 15 Feb 2021 16:27:37 +0100
Message-Id: <20210215152716.946569241@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210215152715.401453874@linuxfoundation.org>
References: <20210215152715.401453874@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells <dhowells@redhat.com>

commit 7b5eab57cac45e270a0ad624ba157c5b30b3d44d upstream.

At the end of rxrpc_release_call(), rxrpc_cleanup_ring() is called to clear
the Rx/Tx skbuff ring, but this doesn't lock the ring whilst it's accessing
it.  Unfortunately, rxrpc_resend() might be trying to retransmit a packet
concurrently with this - and whilst it does lock the ring, this isn't
protection against rxrpc_cleanup_call().

Fix this by removing the call to rxrpc_cleanup_ring() from
rxrpc_release_call().  rxrpc_cleanup_ring() will be called again anyway
from rxrpc_cleanup_call().  The earlier call is just an optimisation to
recycle skbuffs more quickly.

Alternative solutions include rxrpc_release_call() could try to cancel the
work item or wait for it to complete or rxrpc_cleanup_ring() could lock
when accessing the ring (which would require a bh lock).

This can produce a report like the following:

  BUG: KASAN: use-after-free in rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
  Read of size 4 at addr ffff888011606e04 by task kworker/0:0/5
  ...
  Workqueue: krxrpcd rxrpc_process_call
  Call Trace:
   ...
   kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
   rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
   rxrpc_resend net/rxrpc/call_event.c:266 [inline]
   rxrpc_process_call+0x1634/0x1f60 net/rxrpc/call_event.c:412
   process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
   ...

  Allocated by task 2318:
   ...
   sock_alloc_send_pskb+0x793/0x920 net/core/sock.c:2348
   rxrpc_send_data+0xb51/0x2bf0 net/rxrpc/sendmsg.c:358
   rxrpc_do_sendmsg+0xc03/0x1350 net/rxrpc/sendmsg.c:744
   rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:560
   ...

  Freed by task 2318:
   ...
   kfree_skb+0x140/0x3f0 net/core/skbuff.c:704
   rxrpc_free_skb+0x11d/0x150 net/rxrpc/skbuff.c:78
   rxrpc_cleanup_ring net/rxrpc/call_object.c:485 [inline]
   rxrpc_release_call+0x5dd/0x860 net/rxrpc/call_object.c:552
   rxrpc_release_calls_on_socket+0x21c/0x300 net/rxrpc/call_object.c:579
   rxrpc_release_sock net/rxrpc/af_rxrpc.c:885 [inline]
   rxrpc_release+0x263/0x5a0 net/rxrpc/af_rxrpc.c:916
   __sock_release+0xcd/0x280 net/socket.c:597
   ...

  The buggy address belongs to the object at ffff888011606dc0
   which belongs to the cache skbuff_head_cache of size 232

Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
Reported-by: syzbot+174de899852504e4a74a@syzkaller.appspotmail.com
Reported-by: syzbot+3d1c772efafd3c38d007@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hillf Danton <hdanton@sina.com>
Link: https://lore.kernel.org/r/161234207610.653119.5287360098400436976.stgit@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/call_object.c |    2 --
 1 file changed, 2 deletions(-)

--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -507,8 +507,6 @@ void rxrpc_release_call(struct rxrpc_soc
 		rxrpc_disconnect_call(call);
 	if (call->security)
 		call->security->free_call_crypto(call);
-
-	rxrpc_cleanup_ring(call);
 	_leave("");
 }