git.baikalelectronics.ru Git - kernel.git/commit
rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
author David Howells <dhowells@redhat.com>
Mon, 7 Oct 2019 09:58:29 +0000 (10:58 +0100)
committer David Howells <dhowells@redhat.com>
Mon, 7 Oct 2019 10:05:05 +0000 (11:05 +0100)
commit c049f2875bcffd18bc91990a390b4db7a86e43c6
tree 7e4fbd61beb570d2abca88a4e00276f9c8b3ebc4
parent 6ff4f81e30e754d5e03b9f12cdcc9b1a68b28e5c

The rxrpc_peer record needs to hold a reference on the rxrpc_local record
it points to, as the peer is used as a base to access information in the
rxrpc_local record.

This can cause problems in __rxrpc_put_peer(), where we need the network
namespace pointer, and in rxrpc_send_keepalive(), where we need to access
the UDP socket, leading to symptoms like:

    BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
    [inline]
    BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
    net/rxrpc/peer_object.c:435
    Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

Fix this by taking a ref on the local record for the peer record.

Fixes: a5d3a0504782 ("rxrpc: Fix firewall route keepalive")
Fixes: 516fa1739d34 ("rxrpc: Support network namespacing")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
net/rxrpc/peer_object.c
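
The lifetime rule described in the commit message, as an added userspace model that is not the kernel's code and not part of this commit. The struct and function names (`local`, `peer`, `put_peer`, `teardown_order`) and the `alive` flag that stands in for freeing the record are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdbool.h>

/* Userspace model only: hypothetical structs, not the kernel's definitions. */
struct local { int usage; bool alive; int netns_id; };
struct peer  { int usage; struct local *local; bool holds_local_ref; };

static struct local *get_local(struct local *l) { l->usage++; return l; }

static void put_local(struct local *l)
{
    if (--l->usage == 0)
        l->alive = false;          /* stands in for freeing the record */
}

/* hold_ref=false models a peer that keeps only a bare pointer to the local. */
static void peer_init(struct peer *p, struct local *l, bool hold_ref)
{
    p->usage = 1;
    p->holds_local_ref = hold_ref;
    p->local = hold_ref ? get_local(l) : l;
}

/* The final put reads through peer->local (the netns pointer in the message).
 * Returns netns_id, or -1 where real code would be reading freed memory. */
static int put_peer(struct peer *p)
{
    int netns = -1;
    if (--p->usage > 0)
        return 0;
    if (p->local->alive)
        netns = p->local->netns_id;
    if (p->holds_local_ref)
        put_local(p->local);       /* drop only after the last access */
    return netns;
}

/* The endpoint owner drops its ref first, then the peer is released. */
static int teardown_order(bool hold_ref)
{
    struct local l = { .usage = 1, .alive = true, .netns_id = 7 };
    struct peer p;
    peer_init(&p, &l, hold_ref);
    put_local(&l);                 /* owner's ref goes away first */
    return put_peer(&p);
}

int main(void)
{
    printf("bare: %d ref: %d\n", teardown_order(false), teardown_order(true));
    return 0;
}
```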