hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux-sg2042/net
History
David Howells 0041cd5a50 rxrpc: Fix notification call on completion of discarded calls 
When preallocated service calls are being discarded, they're passed to
->discard_new_call() to have the caller clean up any attached higher-layer
preallocated pieces before being marked completed.  However, the act of
marking them completed now invokes the call's notification function - which
causes a problem because that function might assume that the previously
freed pieces of memory are still there.

Fix this by setting a dummy notification function on the socket after
calling ->discard_new_call().

This results in the following kasan message when the kafs module is
removed.

==================================================================
BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707
Write of size 1 at addr ffff8880946c39e4 by task kworker/u4:1/21

CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.8.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707
 rxrpc_notify_socket+0x1db/0x5d0 net/rxrpc/recvmsg.c:40
 __rxrpc_set_call_completion.part.0+0x172/0x410 net/rxrpc/recvmsg.c:76
 __rxrpc_call_completed net/rxrpc/recvmsg.c:112 [inline]
 rxrpc_call_completed+0xca/0xf0 net/rxrpc/recvmsg.c:111
 rxrpc_discard_prealloc+0x781/0xab0 net/rxrpc/call_accept.c:233
 rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245
 afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110
 afs_net_exit+0x1bc/0x310 fs/afs/main.c:155
 ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186
 cleanup_net+0x511/0xa50 net/core/net_namespace.c:603
 process_one_work+0x965/0x1690 kernel/workqueue.c:2269
 worker_thread+0x96/0xe10 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 6820:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:494 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467
 kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 afs_alloc_call+0x55/0x630 fs/afs/rxrpc.c:141
 afs_charge_preallocation+0xe9/0x2d0 fs/afs/rxrpc.c:757
 afs_open_socket+0x292/0x360 fs/afs/rxrpc.c:92
 afs_net_init+0xa6c/0xe30 fs/afs/main.c:125
 ops_init+0xaf/0x420 net/core/net_namespace.c:151
 setup_net+0x2de/0x860 net/core/net_namespace.c:341
 copy_net_ns+0x293/0x590 net/core/net_namespace.c:482
 create_new_namespaces+0x3fb/0xb30 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:231
 ksys_unshare+0x43d/0x8e0 kernel/fork.c:2983
 __do_sys_unshare kernel/fork.c:3051 [inline]
 __se_sys_unshare kernel/fork.c:3049 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3049
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 21:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x109/0x2b0 mm/slab.c:3757
 afs_put_call+0x585/0xa40 fs/afs/rxrpc.c:190
 rxrpc_discard_prealloc+0x764/0xab0 net/rxrpc/call_accept.c:230
 rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245
 afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110
 afs_net_exit+0x1bc/0x310 fs/afs/main.c:155
 ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186
 cleanup_net+0x511/0xa50 net/core/net_namespace.c:603
 process_one_work+0x965/0x1690 kernel/workqueue.c:2269
 worker_thread+0x96/0xe10 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff8880946c3800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 484 bytes inside of
 1024-byte region [ffff8880946c3800, ffff8880946c3c00)
The buggy address belongs to the page:
page:ffffea000251b0c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002546508 ffffea00024fa248 ffff8880aa000c40
raw: 0000000000000000 ffff8880946c3000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880946c3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880946c3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880946c3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8880946c3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880946c3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Reported-by: syzbot+d3eccef36ddbd02713e9@syzkaller.appspotmail.com
Fixes: 5ac0d62226 ("rxrpc: Fix missing notification")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
 		2020-06-20 21:31:43 -07:00
..
6lowpan treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
9p 9p/xen: increase XEN_9PFS_RING_ORDER 2020-06-02 08:00:39 +02:00
802 net: 802: psnap.c: Use built-in RCU list checking 2020-02-24 13:02:53 -08:00
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
appletalk ipv4,appletalk: move SIOCADDRT and SIOCDELRT handling into ->compat_ioctl 2020-05-18 17:35:02 -07:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
ax25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-24 13:47:27 -07:00
batman-adv net: change addr_list_lock back to static key 2020-06-09 12:59:45 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
bpf bpf: Fix too large copy from user in bpf_test_init 2020-05-19 17:56:34 +02:00
bpfilter bpfilter: document build requirements for bpfilter_umh 2020-05-26 00:03:16 +09:00
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
caif treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
can treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ceph The highlights are: 2020-06-08 12:49:18 -07:00
core net: flow_offload: fix flow_indr_dev_unregister path 2020-06-19 20:12:58 -07:00
dcb treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
decnet treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
dns_resolver docs: networking: convert dns_resolver.txt to ReST 2020-04-28 14:39:46 -07:00
dsa Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
ethernet net: move devres helpers into a separate source file 2020-05-23 16:56:17 -07:00
ethtool net: ethtool: add missing NETIF_F_GSO_FRAGLIST feature string 2020-06-18 20:37:11 -07:00
hsr treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ieee802154 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ife net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
ipv4 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2020-06-19 13:03:47 -07:00
ipv6 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2020-06-19 13:03:47 -07:00
iucv net/af_iucv: clean up function prototypes 2020-05-19 12:50:14 -07:00
kcm treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
key
l2tp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
l3mdev treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
lapb treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
llc af_llc: fix if-statement empty body warning 2020-02-26 20:38:13 -08:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
mac802154 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mpls treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mptcp mptcp: drop MP_JOIN request sock on syn cookies 2020-06-18 20:25:51 -07:00
ncsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
netfilter net: flow_offload: fix flow_indr_dev_unregister path 2020-06-19 20:12:58 -07:00
netlabel treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
netlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
netrom net: change addr_list_lock back to static key 2020-06-09 12:59:45 -07:00
nfc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
nsh treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
openvswitch treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
packet treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
phonet sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
psample net: psample: fix build error when CONFIG_INET is not enabled 2020-05-23 16:36:05 -07:00
qrtr treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
rds net/rds: NULL pointer de-reference in rds_ib_add_one() 2020-06-15 12:58:59 -07:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2019-12-16 10:15:49 +01:00
rose net: change addr_list_lock back to static key 2020-06-09 12:59:45 -07:00
rxrpc rxrpc: Fix notification call on completion of discarded calls 2020-06-20 21:31:43 -07:00
sched net/sched: cls_api: fix nooffloaddevcnt warning dmesg log 2020-06-19 20:12:58 -07:00
sctp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
smc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
strparser
sunrpc NFS Client Updates for Linux 5.8 2020-06-11 12:22:41 -07:00
switchdev treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
tls treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
unix treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
vmw_vsock vsock/vmci: make vmci_vsock_transport_cb() static 2020-06-05 13:18:26 -07:00
wimax wimax: no need to check return value of debugfs_create functions 2019-08-10 15:25:47 -07:00
wireless Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
x25 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-06-13 16:27:13 -07:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2020-06-19 13:03:47 -07:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile net: move devres helpers into a separate source file 2020-05-23 16:56:17 -07:00
compat.c switch cmsghdr_from_user_compat_to_kern() to copy_from_user() 2020-06-01 12:05:45 -07:00
devres.c net: devres: provide devm_register_netdev() 2020-05-23 16:56:17 -07:00
socket.c net: remove kernel_setsockopt 2020-05-29 13:10:39 -07:00
sysctl_net.c