From fef69a909c7f6ddc82f04a6d0652e02c23bb05de Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 27 Aug 2019 14:24:49 -0400 Subject: [PATCH] fixes for 4.19 Signed-off-by: Sasha Levin --- ...rxrpc-fix-local-endpoint-replacement.patch | 50 +++++++++++++++++++ queue-4.19/series | 1 + 2 files changed, 51 insertions(+) create mode 100644 queue-4.19/rxrpc-fix-local-endpoint-replacement.patch diff --git a/queue-4.19/rxrpc-fix-local-endpoint-replacement.patch b/queue-4.19/rxrpc-fix-local-endpoint-replacement.patch new file mode 100644 index 00000000000..4ee740389d4 --- /dev/null +++ b/queue-4.19/rxrpc-fix-local-endpoint-replacement.patch 
@@ -0,0 +1,50 @@ +From 36c970d6426c44215c63243483780a71d0383abe Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 12 Aug 2019 23:30:06 +0100 +Subject: rxrpc: Fix local endpoint replacement + +[ Upstream commit b00df840fb4004b7087940ac5f68801562d0d2de ] + +When a local endpoint (struct rxrpc_local) ceases to be in use by any +AF_RXRPC sockets, it starts the process of being destroyed, but this +doesn't cause it to be removed from the namespace endpoint list immediately +as tearing it down isn't trivial and can't be done in softirq context, so +it gets deferred. + +If a new socket comes along that wants to bind to the same endpoint, a new +rxrpc_local object will be allocated and rxrpc_lookup_local() will use +list_replace() to substitute the new one for the old. + +Then, when the dying object gets to rxrpc_local_destroyer(), it is removed +unconditionally from whatever list it is on by calling list_del_init(). + +However, list_replace() doesn't reset the pointers in the replaced +list_head and so the list_del_init() will likely corrupt the local +endpoints list. + +Fix this by using list_replace_init() instead. + +Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting") +Reported-by: syzbot+193e29e9387ea5837f1d@syzkaller.appspotmail.com +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/local_object.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c +index 34ec96e5898e6..27f4bbe85e799 100644 +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -287,7 +287,7 @@ struct rxrpc_local *rxrpc_lookup_local(struct net *net, + goto sock_error; + + if (cursor != &rxnet->local_endpoints) +- list_replace(cursor, &local->link); ++ list_replace_init(cursor, &local->link); + else + list_add_tail(&local->link, cursor); + age = "new"; +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 418aac9e570..2f60c4576cd 100644 --- a/queue-4.19/series 
+++ b/queue-4.19/series @@ -96,3 +96,4 @@ dm-zoned-fix-potential-null-dereference-in-dmz_do_re.patch powerpc-allow-flush_-inval_-dcache_range-to-work-across-ranges-4gb.patch rxrpc-fix-local-endpoint-refcounting.patch rxrpc-fix-read-after-free-in-rxrpc_queue_local.patch +rxrpc-fix-local-endpoint-replacement.patch -- 2.47.3
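Review bot: The one-line `list_replace()` to `list_replace_init()` change at `@@ -287,7 +287,7 @@` in net/rxrpc/local_object.c is the correct fix for the corruption described in the commit message: `list_replace()` leaves the replaced `cursor` node's `next`/`prev` still pointing at its former neighbours in `rxnet->local_endpoints`, so the later unconditional `list_del_init()` in `rxrpc_local_destroyer()` writes through those stale pointers into the live list; `list_replace_init()` additionally reinitialises the old node to point at itself, which turns that `list_del_init()` into a harmless no-op. For this 4.19 backport, the context lines (`goto sock_error;`, `if (cursor != &rxnet->local_endpoints)`) belong to the 730c5fd42c1e rework named in the Fixes: tag, so the patch only applies cleanly once rxrpc-fix-local-endpoint-refcounting.patch is already queued.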
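Review bot: Ordering in the queue-4.19/series hunk is right: rxrpc-fix-local-endpoint-replacement.patch is appended after rxrpc-fix-local-endpoint-refcounting.patch and rxrpc-fix-read-after-free-in-rxrpc_queue_local.patch, which satisfies the Fixes: 730c5fd42c1e dependency stated in the backported commit; the new 50-line patch file plus this one-line series entry also matches the "51 insertions(+)" in the cover diffstat.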