Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp1625713pxb; Mon, 12 Apr 2021 02:45:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwa8Wno4TJq8MmCg6Cr/HBrt7Qus6MT2BZ24QezPDyk7zOyJc2mCLEXCtQyW3AhagCNFK0f X-Received: by 2002:a62:1e06:0:b029:24b:6b23:a72c with SMTP id e6-20020a621e060000b029024b6b23a72cmr6542089pfe.42.1618220743618; Mon, 12 Apr 2021 02:45:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618220743; cv=none; d=google.com; s=arc-20160816; b=nisN43R/tin0xcAIJf3xY/ZkoqjkO87Na5FFGQUEbwpVGYMh5jbxoccyySfvVaXxzg /VJHIae26a8OiEu2gbC0qjxox1nXwrnvzj9oNeY6kLjADTQ39nIY8p5umceKasbzmnTt K4yhu3nYT108fYrJeyxlf2k+erNnKD9kqED/EyPi8JXkvfFzpG7Qt1OGUV7raEZdfFxs WTCjw178Q94+9n3Nx20pTiMwIYp8e2ZPlQtPxF+HtlXF8juO0Fk80CX+RKnx1mNdIRuK 2Hj82nAY0MJQ2irF+JxOfOpLGYVNoL8jKTsXukZlGb3j1KwTUJV3qkeK5dPuOiPujDr/ YXIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=7+cVq9DzhMbfhpGUzHzhHlXyd0utoCY6WAyj96QF7HM=; b=jptgLwJTdYJf7CYNiHo+pRCsEX2fsc022JCUgUtJkhXg46w2Ejn3cZ8gDjBct8lD0b 1szjgB4aJrNiY8oECIZ/7XW/TctFYZOymovkWnBGqisALlGfqX5i3j0Q18roSdA7y7Oq EA9h9fcrPDMATM6WoZqkE72Hdr5QbwFl6Ts7CX3ESYycHqQtJDLp5xtefWxFDHvQebTp gpXqS/Gg+knzWe5FF8fzjMQz8JoLOo50El5/MMM4Do/EmFkwpDaP0uG9dPrFGX+Jfuq5 C8q29/8pkg7XFhhijylB6/ORBY7XrjXGF8Ds31gCxHWWTCGJOVqGxPvO2dPzSwvTAXsa 7QpA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=a2CqrtOw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v4si10630982plz.190.2021.04.12.02.45.31; Mon, 12 Apr 2021 02:45:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=a2CqrtOw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243704AbhDLJmm (ORCPT + 99 others); Mon, 12 Apr 2021 05:42:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:34456 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240690AbhDLJKw (ORCPT ); Mon, 12 Apr 2021 05:10:52 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 958126135C; Mon, 12 Apr 2021 09:06:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1618218379; bh=aIWSXVPs/ssgdoRjvq1cQKyT8rYYsx9cBo3Abtpr+GA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=a2CqrtOwiX+x5oOvsuPVq0QH8wEvf8jc2/sLCCt6KRCxrzUxo7PX3drCa3MyUq1UB iREJgZKZ32XX51Ni9kqTC+FTRPLQPGTpFf6ym1tUiuZ1IqSuKPM09G1KjBQbtHlkn9 hPXaj3TmCfMH54cjovJV/IEKWwv5UgBF8sfq1Q4A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Li Shuang , Xin Long , "David S. Miller" , Sasha Levin Subject: [PATCH 5.11 176/210] tipc: increment the tmp aead refcnt before attaching it Date: Mon, 12 Apr 2021 10:41:21 +0200 Message-Id: <20210412084021.881024941@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210412084016.009884719@linuxfoundation.org> References: <20210412084016.009884719@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long [ Upstream commit 2a2403ca3add03f542f6b34bef9f74649969b06d ] Li Shuang found a NULL pointer dereference crash in her testing: [] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 [] RIP: 0010:tipc_crypto_rcv_complete+0xc8/0x7e0 [tipc] [] Call Trace: [] [] tipc_crypto_rcv+0x2d9/0x8f0 [tipc] [] tipc_rcv+0x2fc/0x1120 [tipc] [] tipc_udp_recv+0xc6/0x1e0 [tipc] [] udpv6_queue_rcv_one_skb+0x16a/0x460 [] udp6_unicast_rcv_skb.isra.35+0x41/0xa0 [] ip6_protocol_deliver_rcu+0x23b/0x4c0 [] ip6_input+0x3d/0xb0 [] ipv6_rcv+0x395/0x510 [] __netif_receive_skb_core+0x5fc/0xc40 This is caused by NULL returned by tipc_aead_get(), and then crashed when dereferencing it later in tipc_crypto_rcv_complete(). This might happen when tipc_crypto_rcv_complete() is called by two threads at the same time: the tmp attached by tipc_crypto_key_attach() in one thread may be released by the one attached by that in the other thread. This patch is to fix it by incrementing the tmp's refcnt before attaching it instead of calling tipc_aead_get() after attaching it. Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") Reported-by: Li Shuang Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/tipc/crypto.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index f4fca8f7f63f..97710ce36047 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -1941,12 +1941,13 @@ static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead, goto rcv; if (tipc_aead_clone(&tmp, aead) < 0) goto rcv; + WARN_ON(!refcount_inc_not_zero(&tmp->refcnt)); if (tipc_crypto_key_attach(rx, tmp, ehdr->tx_key, false) < 0) { tipc_aead_free(&tmp->rcu); goto rcv; } tipc_aead_put(aead); - aead = tipc_aead_get(tmp); + aead = tmp; } if (unlikely(err)) { -- 2.30.2