From: Sasha Levin Date: Thu, 29 Aug 2019 03:38:12 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v4.14.141~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c7efce02eb4f7db4c8ecc9944b85c6b28febfa9;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/rxrpc-fix-local-refcounting.patch b/queue-4.19/rxrpc-fix-local-refcounting.patch new file mode 100644 index 00000000000..fdadc6bab08 --- /dev/null +++ b/queue-4.19/rxrpc-fix-local-refcounting.patch @@ -0,0 +1,73 @@ +From ff320ff4fb793dbc818edab538f5e660259b0024 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Fri, 9 Aug 2019 22:47:47 +0100 +Subject: rxrpc: Fix local refcounting + +[ Upstream commit 68553f1a6f746bf860bce3eb42d78c26a717d9c0 ] + +Fix rxrpc_unuse_local() to handle a NULL local pointer as it can be called +on an unbound socket on which rx->local is not yet set. + +The following reproduced (includes omitted): + + int main(void) + { + socket(AF_RXRPC, SOCK_DGRAM, AF_INET); + return 0; + } + +causes the following oops to occur: + + BUG: kernel NULL pointer dereference, address: 0000000000000010 + ... + RIP: 0010:rxrpc_unuse_local+0x8/0x1b + ... + Call Trace: + rxrpc_release+0x2b5/0x338 + __sock_release+0x37/0xa1 + sock_close+0x14/0x17 + __fput+0x115/0x1e9 + task_work_run+0x72/0x98 + do_exit+0x51b/0xa7a + ? __context_tracking_exit+0x4e/0x10e + do_group_exit+0xab/0xab + __x64_sys_exit_group+0x14/0x17 + do_syscall_64+0x89/0x1d4 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Reported-by: syzbot+20dee719a2e090427b5f@syzkaller.appspotmail.com +Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting") +Signed-off-by: David Howells +cc: Jeffrey Altman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/local_object.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c +index 27f4bbe85e799..c752ad4870678 100644 +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -407,11 +407,13 @@ void rxrpc_unuse_local(struct rxrpc_local *local) + { + unsigned int au; + +- au = atomic_dec_return(&local->active_users); +- if (au == 0) +- rxrpc_queue_local(local); +- else +- rxrpc_put_local(local); ++ if (local) { ++ au = atomic_dec_return(&local->active_users); ++ if (au == 0) ++ rxrpc_queue_local(local); ++ else ++ rxrpc_put_local(local); ++ } + } + + /* +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 2f60c4576cd..904bfca5a89 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -97,3 +97,4 @@ powerpc-allow-flush_-inval_-dcache_range-to-work-across-ranges-4gb.patch rxrpc-fix-local-endpoint-refcounting.patch rxrpc-fix-read-after-free-in-rxrpc_queue_local.patch rxrpc-fix-local-endpoint-replacement.patch +rxrpc-fix-local-refcounting.patch