linux-brain/net/rxrpc
David Howells 43159c9ec1 rxrpc: Fix call ref leak
commit c48fc11b69 upstream.

When sendmsg() finds a call to continue on with, if the call is in an
inappropriate state, it doesn't release the ref it just got on that call
before returning an error.

This causes the following symptom to show up with kasan:

	BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
	net/rxrpc/output.c:635
	Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077

where line 635 is:

	whdr.epoch	= htonl(peer->local->rxnet->epoch);

The local endpoint (which cannot be pinned by the call) has been released,
but not the peer (which is pinned by the call).

Fix this by releasing the call in the error path.

Fixes: 37411cad63 ("rxrpc: Fix potential NULL-pointer exception")
Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-06 12:43:37 +01:00
af_rxrpc.c rxrpc: Fix send on a connected, but unbound socket 2019-07-31 07:28:45 +02:00
ar-internal.h rxrpc: Fix connection-level abort handling 2018-11-04 14:52:46 +01:00
call_accept.c rxrpc: Fix connection-level abort handling 2018-11-04 14:52:46 +01:00
call_event.c rxrpc: Use negative error codes in rxrpc_call struct 2017-04-06 10:11:56 +01:00
call_object.c rxrpc: Fix net namespace cleanup 2019-05-08 07:20:44 +02:00
conn_client.c rxrpc: Fix client call queueing, waiting for channel 2019-03-19 13:13:23 +01:00
conn_event.c rxrpc: Fix connection-level abort handling 2018-11-04 14:52:46 +01:00
conn_object.c rxrpc: Fix service endpoint expiry 2018-02-03 17:39:01 +01:00
conn_service.c rxrpc: Make service connection lookup always check for retry 2017-09-05 14:39:17 -07:00
input.c rxrpc: Only take the rwind and mtu values from latest ACK 2018-11-04 14:52:46 +01:00
insecure.c rxrpc: Trace protocol errors in received packets 2017-04-06 11:09:39 +01:00
Kconfig rxrpc: Add config to inject packet loss 2016-09-17 11:24:04 +01:00
key.c rxrpc: Use correct timestamp from Kerberos 5 ticket 2017-08-29 10:55:06 +01:00
local_event.c rxrpc: Fix IPv6 support 2017-08-29 10:55:20 +01:00
local_object.c rxrpc: Fix error reception on AF_INET6 sockets 2018-06-21 04:02:56 +09:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
misc.c rxrpc: Fix handling of enums-to-string translation in tracing 2017-01-05 10:38:33 +00:00
net_ns.c rxrpc: Fix service endpoint expiry 2018-02-03 17:39:01 +01:00
output.c rxrpc: Fix send in rxrpc_send_data_packet() 2018-03-08 22:41:12 -08:00
peer_event.c rxrpc: Fix IPv6 support 2017-08-29 10:55:20 +01:00
peer_object.c rxrpc: Cache the congestion window setting 2017-06-14 15:42:45 -04:00
proc.c rxrpc: Separate the connection's protocol service ID from the lookup ID 2017-06-05 14:30:49 +01:00
protocol.h rxrpc: Move the packet.h include file into net/rxrpc/ 2017-07-21 11:00:20 +01:00
recvmsg.c rxrpc: bad unlock balance in rxrpc_recvmsg 2019-02-12 19:46:10 +01:00
rxkad.c rxrpc: Don't put crypto buffers on the stack 2018-04-26 11:02:19 +02:00
security.c rxrpc: Permit multiple service binding 2017-06-05 14:30:49 +01:00
sendmsg.c rxrpc: Fix call ref leak 2019-11-06 12:43:37 +01:00
skbuff.c net: convert sk_buff.users from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
sysctl.c rxrpc: Keep the call timeouts as ktimes rather than jiffies 2016-09-30 14:40:11 +01:00
utils.c rxrpc: Fix IPv6 support 2017-08-29 10:55:20 +01:00