linux/net/rxrpc
David Howells 7b5eab57ca rxrpc: Fix clearance of Tx/Rx ring when releasing a call
At the end of rxrpc_release_call(), rxrpc_cleanup_ring() is called to clear
the Rx/Tx skbuff ring, but this doesn't lock the ring whilst it's accessing
it.  Unfortunately, rxrpc_resend() might be trying to retransmit a packet
concurrently with this - and whilst it does lock the ring, this isn't
protection against rxrpc_cleanup_call().

Fix this by removing the call to rxrpc_cleanup_ring() from
rxrpc_release_call().  rxrpc_cleanup_ring() will be called again anyway
from rxrpc_cleanup_call().  The earlier call is just an optimisation to
recycle skbuffs more quickly.

Alternative solutions include rxrpc_release_call() could try to cancel the
work item or wait for it to complete or rxrpc_cleanup_ring() could lock
when accessing the ring (which would require a bh lock).

This can produce a report like the following:

  BUG: KASAN: use-after-free in rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
  Read of size 4 at addr ffff888011606e04 by task kworker/0:0/5
  ...
  Workqueue: krxrpcd rxrpc_process_call
  Call Trace:
   ...
   kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
   rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
   rxrpc_resend net/rxrpc/call_event.c:266 [inline]
   rxrpc_process_call+0x1634/0x1f60 net/rxrpc/call_event.c:412
   process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
   ...

  Allocated by task 2318:
   ...
   sock_alloc_send_pskb+0x793/0x920 net/core/sock.c:2348
   rxrpc_send_data+0xb51/0x2bf0 net/rxrpc/sendmsg.c:358
   rxrpc_do_sendmsg+0xc03/0x1350 net/rxrpc/sendmsg.c:744
   rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:560
   ...

  Freed by task 2318:
   ...
   kfree_skb+0x140/0x3f0 net/core/skbuff.c:704
   rxrpc_free_skb+0x11d/0x150 net/rxrpc/skbuff.c:78
   rxrpc_cleanup_ring net/rxrpc/call_object.c:485 [inline]
   rxrpc_release_call+0x5dd/0x860 net/rxrpc/call_object.c:552
   rxrpc_release_calls_on_socket+0x21c/0x300 net/rxrpc/call_object.c:579
   rxrpc_release_sock net/rxrpc/af_rxrpc.c:885 [inline]
   rxrpc_release+0x263/0x5a0 net/rxrpc/af_rxrpc.c:916
   __sock_release+0xcd/0x280 net/socket.c:597
   ...

  The buggy address belongs to the object at ffff888011606dc0
   which belongs to the cache skbuff_head_cache of size 232

Fixes: 248f219cb8 ("rxrpc: Rewrite the data and ack handling code")
Reported-by: syzbot+174de899852504e4a74a@syzkaller.appspotmail.com
Reported-by: syzbot+3d1c772efafd3c38d007@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hillf Danton <hdanton@sina.com>
Link: https://lore.kernel.org/r/161234207610.653119.5287360098400436976.stgit@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-02-04 18:11:08 -08:00
..
Kconfig docs: networking: convert rxrpc.txt to ReST 2020-04-30 12:56:38 -07:00
Makefile rxrpc: Split the server key type (rxrpc_s) into its own file 2020-11-23 18:09:29 +00:00
af_rxrpc.c rxrpc: Fix deadlock around release of dst cached on udp tunnel 2021-01-29 21:38:11 -08:00
ar-internal.h rxrpc: Ask the security class how much space to allow in a packet 2020-11-23 19:53:11 +00:00
call_accept.c rxrpc: Fix memory leak in rxrpc_lookup_local 2021-01-28 13:12:14 -08:00
call_event.c rxrpc: Fix afs large storage transmission performance drop 2020-06-17 23:01:39 +01:00
call_object.c rxrpc: Fix clearance of Tx/Rx ring when releasing a call 2021-02-04 18:11:08 -08:00
conn_client.c rxrpc: Merge prime_packet_security into init_connection_security 2020-11-23 18:09:30 +00:00
conn_event.c rxrpc: Merge prime_packet_security into init_connection_security 2020-11-23 18:09:30 +00:00
conn_object.c rxrpc: Ask the security class how much space to allow in a packet 2020-11-23 19:53:11 +00:00
conn_service.c rxrpc: Don't retain the server key in the connection 2020-11-23 18:09:29 +00:00
input.c rxrpc: Call state should be read with READ_ONCE() under some circumstances 2021-01-13 10:38:20 -08:00
insecure.c rxrpc: Ask the security class how much space to allow in a packet 2020-11-23 19:53:11 +00:00
key.c rxrpc: Fix handling of an unsupported token type in rxrpc_read() 2021-01-13 10:38:00 -08:00
local_event.c rxrpc: Use the tx-phase skb flag to simplify tracing 2019-08-27 10:04:18 +01:00
local_object.c rxrpc: Rewrite the client connection manager 2020-09-08 21:11:43 +01:00
misc.c rxrpc: Fix the excessive initial retransmission timeout 2020-05-11 16:42:28 +01:00
net_ns.c rxrpc: Rewrite the client connection manager 2020-09-08 21:11:43 +01:00
output.c rxrpc: Rewrite the client connection manager 2020-09-08 21:11:43 +01:00
peer_event.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
peer_object.c rxrpc: Make rxrpc_kernel_get_srtt() indicate validity 2020-08-20 18:21:28 +01:00
proc.c rxrpc: Rewrite the client connection manager 2020-09-08 21:11:43 +01:00
protocol.h rxrpc: Improve jumbo packet counting 2019-08-27 09:48:37 +01:00
recvmsg.c net: rxrpc: convert comma to semicolon 2020-12-09 16:23:07 -08:00
rtt.c rxrpc: Remove unused macro rxrpc_min_rtt_wlen 2020-09-07 15:04:41 -07:00
rxkad.c rxrpc: Ask the security class how much space to allow in a packet 2020-11-23 19:53:11 +00:00
security.c rxrpc: Hand server key parsing off to the security class 2020-11-23 18:09:29 +00:00
sendmsg.c rxrpc: Ask the security class how much space to allow in a packet 2020-11-23 19:53:11 +00:00
server_key.c rxrpc: Allow security classes to give more info on server keys 2020-11-23 18:09:29 +00:00
skbuff.c rxrpc: Use skb_unshare() rather than skb_cow_data() 2019-08-27 10:13:46 +01:00
sysctl.c rxrpc: Rewrite the client connection manager 2020-09-08 21:11:43 +01:00
utils.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00