LKML Archive on lore.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com, Cong Wang <xiyou.wangcong@gmail.com>, "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 16/24] llc: hold llc_sap before release_sock()
Date: Fri, 27 Apr 2018 15:57:51 +0200
Message-ID: <20180427135632.245037935@linuxfoundation.org>
In-Reply-To: <20180427135631.584839868@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ]

syzbot reported we still access llc->sap in llc_backlog_rcv() after it
is freed in llc_sap_remove_socket():

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
 llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
 llc_conn_service net/llc/llc_conn.c:400 [inline]
 llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
 llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
 sk_backlog_rcv include/net/sock.h:909 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2335
 release_sock+0xa4/0x2b0 net/core/sock.c:2850
 llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204

llc->sap is refcount'ed and llc_sap_remove_socket() is paired with
llc_sap_add_socket(). This can be amended by holding its refcount
before llc_sap_remove_socket() and releasing it after release_sock().

Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- net/llc/af_llc.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c @@ -187,6 +187,7 @@ static int llc_ui_release(struct socket { struct sock *sk = sock->sk; struct llc_sock *llc; + struct llc_sap *sap; if (unlikely(sk == NULL)) goto out; @@ -197,9 +198,15 @@ static int llc_ui_release(struct socket llc->laddr.lsap, llc->daddr.lsap); if (!llc_send_disc(sk)) llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo); + sap = llc->sap; + /* Hold this for release_sock(), so that llc_backlog_rcv() could still + * use it. + */ + llc_sap_hold(sap); if (!sock_flag(sk, SOCK_ZAPPED)) llc_sap_remove_socket(llc->sap, sk); release_sock(sk); + llc_sap_put(sap); if (llc->dev) dev_put(llc->dev); sock_put(sk);
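Review bot: in the second hunk, "sap = llc->sap;" and "llc_sap_hold(sap);" run unconditionally, while the existing "llc_sap_remove_socket(llc->sap, sk);" call right below them stays guarded by "!sock_flag(sk, SOCK_ZAPPED)"; a socket that was created but never bound has no SAP attached, so the new hold, and the matching "llc_sap_put(sap);" after release_sock(), should sit under the same SOCK_ZAPPED condition (with a plain release_sock() on the else path). The subject of patch 17/24 in this same series, "llc: fix NULL pointer deref for SOCK_ZAPPED", indicates exactly this was hit. Minor: now that the pointer is cached in sap, passing sap rather than re-reading llc->sap into llc_sap_remove_socket() would make it obvious the held and removed objects are the same one.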
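The commit message describes the window: llc_sap_remove_socket() drops the reference llc_sap_add_socket() took, which can free the SAP, and release_sock() then drains the backlog, whose handler still dereferences llc->sap. The following is an added user-space model of that ordering, written for this page and not taken from the patch or the kernel; every model_* name is invented, and instead of returning memory to the allocator it marks the object as freed so the use-after-free becomes a checkable flag rather than undefined behaviour. It runs the pre-patch ordering, the patched hold/put ordering, and the unbound (SOCK_ZAPPED, no SAP) edge case, with a NULL guard that is the example's own.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * the llc_ui_release() ordering bug in the commit message.  All model_* names
 * are invented; only the refcount/backlog shape follows the text. */
#include <stdbool.h>
#include <stdio.h>

/* Stands in for struct llc_sap.  "Freeing" poisons the object instead of
 * returning it to the allocator so a later access is observable here rather
 * than undefined behaviour (constructed for the demo; the kernel kfree()s). */
struct model_sap {
	int refcnt;
	bool freed;
};

static void model_sap_hold(struct model_sap *sap) { sap->refcnt++; }

static void model_sap_put(struct model_sap *sap)
{
	if (--sap->refcnt == 0)
		sap->freed = true;	/* kfree() in the real code */
}

/* Stands in for struct llc_sock plus the bits of struct sock we need. */
struct model_sock {
	struct model_sap *sap;	/* NULL until the socket is bound */
	bool zapped;		/* SOCK_ZAPPED: never bound */
	bool backlog_pending;	/* a frame arrived while the lock was held */
	bool backlog_saw_freed_sap;
};

/* llc_backlog_rcv() -> llc_conn_state_process() -> ... dereferences the SAP;
 * here we only record whether it had already been "freed". */
static void model_backlog_rcv(struct model_sock *sk)
{
	if (sk->sap->freed)
		sk->backlog_saw_freed_sap = true;
}

/* release_sock(): drain whatever was queued while the socket was locked. */
static void model_release_sock(struct model_sock *sk)
{
	if (sk->backlog_pending) {
		sk->backlog_pending = false;
		model_backlog_rcv(sk);
	}
}

/* llc_sap_remove_socket(): drop the reference llc_sap_add_socket() took. */
static void model_sap_remove_socket(struct model_sap *sap, struct model_sock *sk)
{
	(void)sk;		/* unlinking from the SAP's socket list not modelled */
	model_sap_put(sap);
}

/* Shape of llc_ui_release(): hold_across_release == false is the pre-patch
 * ordering, true is the patched one.  The NULL check on sap is this example's
 * own guard for unbound sockets.  Returns true if the backlog handler ran
 * against a freed SAP. */
static bool model_ui_release(struct model_sock *sk, bool hold_across_release)
{
	struct model_sap *sap = sk->sap;

	if (hold_across_release && sap)
		model_sap_hold(sap);
	if (!sk->zapped)
		model_sap_remove_socket(sk->sap, sk);
	model_release_sock(sk);
	if (hold_across_release && sap)
		model_sap_put(sap);
	return sk->backlog_saw_freed_sap;
}

/* Scenario from the report: this socket holds the SAP's last reference and a
 * frame is sitting in its backlog when close() runs. */
static bool model_close_last_user(bool hold_across_release)
{
	struct model_sap sap = { .refcnt = 1, .freed = false };
	struct model_sock sk = { .sap = &sap, .zapped = false,
				 .backlog_pending = true,
				 .backlog_saw_freed_sap = false };

	return model_ui_release(&sk, hold_across_release);
}

/* Edge case: created but never bound, so there is no SAP to hold or remove. */
static bool model_close_unbound(void)
{
	struct model_sock sk = { .sap = NULL, .zapped = true,
				 .backlog_pending = false,
				 .backlog_saw_freed_sap = false };

	return model_ui_release(&sk, true);
}

int main(void)
{
	printf("pre-patch ordering, backlog used freed SAP: %d\n",
	       model_close_last_user(false));
	printf("hold before remove, put after release:      %d\n",
	       model_close_last_user(true));
	printf("unbound socket on the patched path:         %d\n",
	       model_close_unbound());
	return 0;
}
```

The first call reproduces the report (the backlog handler runs after the last put), the second shows that taking a reference before llc_sap_remove_socket() and dropping it after release_sock() keeps the SAP alive across the drain, and the third shows why the hold must be skipped, or the pointer checked, when the socket was never bound.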
Thread overview (36+ messages):
2018-04-27 13:57 [PATCH 3.18 00/24] 3.18.107-stable review  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 01/24] cifs: do not allow creating sockets except with SMB1 posix exensions  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 02/24] x86/tsc: Prevent 32bit truncation in calc_hpet_ref()  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 03/24] ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 04/24] ext4: bugfix for mmaped pages in mpage_release_unused_pages()  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 05/24] ext4: don't update checksum of new initialized bitmaps  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 06/24] perf: Return proper values for user stack errors  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 07/24] mm/filemap.c: fix NULL pointer in page_cache_tree_insert()  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 08/24] jbd2: fix use after free in kjournald2()  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 09/24] bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 10/24] KEYS: DNS: limit the length of option strings  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 11/24] l2tp: check sockaddr length in pppol2tp_connect()  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 12/24] tcp: don't read out-of-bounds opsize  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 13/24] team: avoid adding twice the same option to the event list  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 14/24] team: fix netconsole setup over team  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 15/24] pppoe: check sockaddr length in pppoe_connect()  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 16/24] llc: hold llc_sap before release_sock()  Greg Kroah-Hartman [this message]
2018-04-27 13:57 ` [PATCH 3.18 17/24] llc: fix NULL pointer deref for SOCK_ZAPPED  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 18/24] packet: fix bitfield update race  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 19/24] tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 20/24] net: af_packet: fix race in PACKET_{R|T}X_RING  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 21/24] llc: delete timers synchronously in llc_sk_free()  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 22/24] ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 23/24] scsi: mptsas: Disable WRITE SAME  Greg Kroah-Hartman
2018-04-27 13:57 ` [PATCH 3.18 24/24] cdrom: information leak in cdrom_ioctl_media_changed()  Greg Kroah-Hartman
2018-04-27 16:00 ` [PATCH 3.18 00/24] 3.18.107-stable review  Dede Dindin Qudsy
2018-04-28  5:51 ` Greg Kroah-Hartman
2018-04-28  6:40 ` Harsh Shandilya
2018-04-27 18:12 ` Shuah Khan
2018-04-28  5:02 ` Greg Kroah-Hartman
2018-04-27 19:03 ` kernelci.org bot
2018-04-27 19:41 ` Theodore Y. Ts'o
2018-04-28  4:35 ` Greg Kroah-Hartman
2018-04-27 21:33 ` Harsh Shandilya
2018-04-28  5:02 ` Greg Kroah-Hartman
2018-04-28 14:24 ` Guenter Roeck