1 | From foo@baz Fri Mar 15 21:00:09 PDT 2019 |
2 | From: Eric Dumazet <edumazet@google.com> | |
3 | Date: Mon, 11 Mar 2019 13:48:44 -0700 | |
4 | Subject: net/x25: reset state in x25_connect() | |
5 | ||
6 | From: Eric Dumazet <edumazet@google.com> | |
7 | ||
8 | [ Upstream commit ee74d0bd4325efb41e38affe5955f920ed973f23 ] | |
9 | ||
10 | In case x25_connect() fails and frees the socket neighbour, | |
11 | we also need to undo the change done to x25->state. | |
12 | ||
13 | Before my last bug fix, we had use-after-free so this | |
14 | patch fixes a latent bug. | |
15 | ||
16 | syzbot report : | |
17 | ||
18 | kasan: CONFIG_KASAN_INLINE enabled | |
19 | kasan: GPF could be caused by NULL-ptr deref or user memory access | |
20 | general protection fault: 0000 [#1] PREEMPT SMP KASAN | |
21 | CPU: 1 PID: 16137 Comm: syz-executor.1 Not tainted 5.0.0+ #117 | |
22 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 | |
23 | RIP: 0010:x25_write_internal+0x1e8/0xdf0 net/x25/x25_subr.c:173 | |
24 | Code: 00 40 88 b5 e0 fe ff ff 0f 85 01 0b 00 00 48 8b 8b 80 04 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d 79 1c 48 89 fe 48 c1 ee 03 <0f> b6 34 16 48 89 fa 83 e2 07 83 c2 03 40 38 f2 7c 09 40 84 f6 0f | |
25 | RSP: 0018:ffff888076717a08 EFLAGS: 00010207 | |
26 | RAX: ffff88805f2f2292 RBX: ffff8880a0ae6000 RCX: 0000000000000000 | |
27 | kobject: 'loop5' (0000000018d0d0ee): kobject_uevent_env | |
28 | RDX: dffffc0000000000 RSI: 0000000000000003 RDI: 000000000000001c | |
29 | RBP: ffff888076717b40 R08: ffff8880950e0580 R09: ffffed100be5e46d | |
30 | R10: ffffed100be5e46c R11: ffff88805f2f2363 R12: ffff888065579840 | |
31 | kobject: 'loop5' (0000000018d0d0ee): fill_kobj_path: path = '/devices/virtual/block/loop5' | |
32 | R13: 1ffff1100ece2f47 R14: 0000000000000013 R15: 0000000000000013 | |
33 | FS: 00007fb88cf43700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 | |
34 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
35 | CR2: 00007f9a42a41028 CR3: 0000000087a67000 CR4: 00000000001406e0 | |
36 | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 | |
37 | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 | |
38 | Call Trace: | |
39 | x25_release+0xd0/0x340 net/x25/af_x25.c:658 | |
40 | __sock_release+0xd3/0x2b0 net/socket.c:579 | |
41 | sock_close+0x1b/0x30 net/socket.c:1162 | |
42 | __fput+0x2df/0x8d0 fs/file_table.c:278 | |
43 | ____fput+0x16/0x20 fs/file_table.c:309 | |
44 | task_work_run+0x14a/0x1c0 kernel/task_work.c:113 | |
45 | get_signal+0x1961/0x1d50 kernel/signal.c:2388 | |
46 | do_signal+0x87/0x1940 arch/x86/kernel/signal.c:816 | |
47 | exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:162 | |
48 | prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] | |
49 | syscall_return_slowpath arch/x86/entry/common.c:268 [inline] | |
50 | do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293 | |
51 | entry_SYSCALL_64_after_hwframe+0x49/0xbe | |
52 | RIP: 0033:0x457f29 | |
53 | Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 | |
54 | RSP: 002b:00007fb88cf42c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a | |
55 | RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 0000000000457f29 | |
56 | RDX: 0000000000000012 RSI: 0000000020000080 RDI: 0000000000000004 | |
57 | RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 | |
58 | R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb88cf436d4 | |
59 | R13: 00000000004be462 R14: 00000000004cec98 R15: 00000000ffffffff | |
60 | Modules linked in: | |
61 | ||
62 | Fixes: 95d6ebd53c79 ("net/x25: fix use-after-free in x25_device_event()") | |
63 | Signed-off-by: Eric Dumazet <edumazet@google.com> | |
64 | Cc: andrew hendry <andrew.hendry@gmail.com> | |
65 | Reported-by: syzbot <syzkaller@googlegroups.com> | |
66 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
67 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
68 | --- | |
69 | net/x25/af_x25.c | 1 + | |
70 | 1 file changed, 1 insertion(+) | |
71 | ||
72 | --- a/net/x25/af_x25.c | |
73 | +++ b/net/x25/af_x25.c | |
74 | @@ -817,6 +817,7 @@ out_put_neigh: | |
75 | x25_neigh_put(x25->neighbour); | |
76 | x25->neighbour = NULL; | |
77 | read_unlock_bh(&x25_list_lock); | |
78 | + x25->state = X25_STATE_0; | |
79 | } | |
80 | out_put_route: | |
81 | x25_route_put(rt); |
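Review bot: The added `x25->state = X25_STATE_0;` carries no comment on the invariant it restores, and that is the whole fix: with `x25->neighbour` set to NULL two lines above, a state left non-zero is presumably what lets x25_release() reach x25_write_internal() and fault on the missing neighbour, as the trace shows. A one-line comment would keep a later cleanup from dropping it, e.g. `/* neighbour dropped: back to STATE_0 so release/write paths never use it */`. The reset runs after read_unlock_bh(); since x25_list_lock guards the neighbour list rather than per-socket state, that ordering looks fine, but it relies on the socket lock held by x25_connect(), which starts before this hunk. Independently, a NULL check on x25->neighbour in x25_write_internal() would be worthwhile defence in depth so that any future state-tracking slip fails closed instead of with a GPF.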