From: Sasha Levin Date: Tue, 27 Aug 2019 18:24:49 +0000 (-0400) Subject: fixes for 5.2 X-Git-Tag: v4.14.141~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e450c58e4061c99ef1faf0bb76c7d8616ef0a57a;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.2 Signed-off-by: Sasha Levin --- diff --git a/queue-5.2/rxrpc-fix-local-endpoint-replacement.patch b/queue-5.2/rxrpc-fix-local-endpoint-replacement.patch new file mode 100644 index 00000000000..527b71add04 --- /dev/null +++ b/queue-5.2/rxrpc-fix-local-endpoint-replacement.patch 
@@ -0,0 +1,50 @@ +From 20fa19f5667e3fac82769e32c24f45081818b575 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 12 Aug 2019 23:30:06 +0100 +Subject: rxrpc: Fix local endpoint replacement + +[ Upstream commit b00df840fb4004b7087940ac5f68801562d0d2de ] + +When a local endpoint (struct rxrpc_local) ceases to be in use by any +AF_RXRPC sockets, it starts the process of being destroyed, but this +doesn't cause it to be removed from the namespace endpoint list immediately +as tearing it down isn't trivial and can't be done in softirq context, so +it gets deferred. + +If a new socket comes along that wants to bind to the same endpoint, a new +rxrpc_local object will be allocated and rxrpc_lookup_local() will use +list_replace() to substitute the new one for the old. + +Then, when the dying object gets to rxrpc_local_destroyer(), it is removed +unconditionally from whatever list it is on by calling list_del_init(). + +However, list_replace() doesn't reset the pointers in the replaced +list_head and so the list_del_init() will likely corrupt the local +endpoints list. + +Fix this by using list_replace_init() instead. + +Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting") +Reported-by: syzbot+193e29e9387ea5837f1d@syzkaller.appspotmail.com +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/local_object.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c +index 9368dae857cac..68e9342fd4335 100644 +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -283,7 +283,7 @@ struct rxrpc_local *rxrpc_lookup_local(struct net *net, + goto sock_error; + + if (cursor != &rxnet->local_endpoints) +- list_replace(cursor, &local->link); ++ list_replace_init(cursor, &local->link); + else + list_add_tail(&local->link, cursor); + age = "new"; +-- +2.20.1 + diff --git a/queue-5.2/series b/queue-5.2/series index 44192cf3858..374f055128e 100644 --- a/queue-5.2/series 
+++ b/queue-5.2/series @@ -160,3 +160,4 @@ io_uring-add-need_resched-check-in-inner-poll-loop.patch powerpc-allow-flush_-inval_-dcache_range-to-work-across-ranges-4gb.patch rxrpc-fix-local-endpoint-refcounting.patch rxrpc-fix-read-after-free-in-rxrpc_queue_local.patch +rxrpc-fix-local-endpoint-replacement.patch
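Review bot: The one-line change in rxrpc_lookup_local() is the right fix for the corruption the message describes, not just a cosmetic swap: list_replace() copies the new entry into the list but leaves cursor->next and cursor->prev pointing at its former neighbours, so when the dying rxrpc_local later reaches rxrpc_local_destroyer() its unconditional list_del_init() rewrites those neighbours' pointers and damages rxnet->local_endpoints; list_replace_init() additionally reinitialises cursor to point at itself, which turns that later list_del_init() into a harmless no-op. Worth checking before this is queued: the Fixes: tag names 730c5fd42c1e, which is only present in this 5.2 queue as rxrpc-fix-local-endpoint-refcounting.patch, so this patch has to stay behind that one in the series and should be dropped together with it if the refcounting patch is ever pulled from the queue.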
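Review bot: The series ordering is consistent with the dependency: the new rxrpc-fix-local-endpoint-replacement.patch entry is appended after rxrpc-fix-local-endpoint-refcounting.patch (the commit named in the patch's Fixes: tag) and rxrpc-fix-read-after-free-in-rxrpc_queue_local.patch, so it applies on top of the code path it repairs. The header "@@ -160,3 +160,4 @@" shows the line goes at the very end of the file; any further rxrpc fixes for 5.2 should keep this relative order rather than being inserted ahead of it.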