diff options
| author | David Howells <dhowells@redhat.com> | 2019-10-07 11:58:29 +0200 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2019-10-07 12:05:05 +0200 |
| commit | 9ebeddef58c41bd700419cdcece24cf64ce32276 (patch) | |
| tree | 7e4fbd61beb570d2abca88a4e00276f9c8b3ebc4 /net/rxrpc/conn_client.c | |
| parent | rxrpc: Fix trace-after-put looking at the put call record (diff) | |
| download | linux-9ebeddef58c41bd700419cdcece24cf64ce32276.tar.xz linux-9ebeddef58c41bd700419cdcece24cf64ce32276.zip | |
rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
The rxrpc_peer record needs to hold a reference on the rxrpc_local record
it points as the peer is used as a base to access information in the
rxrpc_local record.
This can cause problems in __rxrpc_put_peer(), where we need the network
namespace pointer, and in rxrpc_send_keepalive(), where we need to access
the UDP socket, leading to symptoms like:
BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
[inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
Fix this by taking a ref on the local record for the peer record.
Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'net/rxrpc/conn_client.c')
0 files changed, 0 insertions, 0 deletions