From d45f6ed1a9d868bf35372b5e68e58c1998c5f9ec Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 28 Aug 2019 23:38:11 -0400 Subject: [PATCH] fixes for 5.2 Signed-off-by: Sasha Levin --- queue-5.2/rxrpc-fix-local-refcounting.patch | 73 +++++++++++++++++++++ queue-5.2/series | 1 + 2 files changed, 74 insertions(+) create mode 100644 queue-5.2/rxrpc-fix-local-refcounting.patch diff --git a/queue-5.2/rxrpc-fix-local-refcounting.patch b/queue-5.2/rxrpc-fix-local-refcounting.patch new file mode 100644 index 00000000000..6ba2d07ec89 --- /dev/null +++ b/queue-5.2/rxrpc-fix-local-refcounting.patch @@ -0,0 +1,73 @@ +From 538b95803f29e038e66876d89b8bf0c2abc6b43c Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Fri, 9 Aug 2019 22:47:47 +0100 +Subject: rxrpc: Fix local refcounting + +[ Upstream commit 68553f1a6f746bf860bce3eb42d78c26a717d9c0 ] + +Fix rxrpc_unuse_local() to handle a NULL local pointer as it can be called +on an unbound socket on which rx->local is not yet set. + +The following reproduced (includes omitted): + + int main(void) + { + socket(AF_RXRPC, SOCK_DGRAM, AF_INET); + return 0; + } + +causes the following oops to occur: + + BUG: kernel NULL pointer dereference, address: 0000000000000010 + ... + RIP: 0010:rxrpc_unuse_local+0x8/0x1b + ... + Call Trace: + rxrpc_release+0x2b5/0x338 + __sock_release+0x37/0xa1 + sock_close+0x14/0x17 + __fput+0x115/0x1e9 + task_work_run+0x72/0x98 + do_exit+0x51b/0xa7a + ? __context_tracking_exit+0x4e/0x10e + do_group_exit+0xab/0xab + __x64_sys_exit_group+0x14/0x17 + do_syscall_64+0x89/0x1d4 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Reported-by: syzbot+20dee719a2e090427b5f@syzkaller.appspotmail.com +Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting") +Signed-off-by: David Howells +cc: Jeffrey Altman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/local_object.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c +index 68e9342fd4335..72a6e12a9304f 100644 +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -403,11 +403,13 @@ void rxrpc_unuse_local(struct rxrpc_local *local) + { + unsigned int au; + +- au = atomic_dec_return(&local->active_users); +- if (au == 0) +- rxrpc_queue_local(local); +- else +- rxrpc_put_local(local); ++ if (local) { ++ au = atomic_dec_return(&local->active_users); ++ if (au == 0) ++ rxrpc_queue_local(local); ++ else ++ rxrpc_put_local(local); ++ } + } + + /* +-- +2.20.1 + diff --git a/queue-5.2/series b/queue-5.2/series index 374f055128e..18da4844704 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -161,3 +161,4 @@ powerpc-allow-flush_-inval_-dcache_range-to-work-across-ranges-4gb.patch rxrpc-fix-local-endpoint-refcounting.patch rxrpc-fix-read-after-free-in-rxrpc_queue_local.patch rxrpc-fix-local-endpoint-replacement.patch +rxrpc-fix-local-refcounting.patch -- 2.47.3