From patchwork Tue Aug  7 19:41:38 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Cong Wang <xiyou.wangcong@gmail.com>
X-Patchwork-Id: 954668
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="M5tYkG2z"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 41lPzV5F6zz9s4c
	for <patchwork-incoming-netdev@ozlabs.org>;
	Wed,  8 Aug 2018 05:41:58 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S2390503AbeHGV5v (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Tue, 7 Aug 2018 17:57:51 -0400
Received: from mail-pg1-f196.google.com ([209.85.215.196]:37483 "EHLO
	mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S2389752AbeHGV5v (ORCPT
	<rfc822;netdev@vger.kernel.org>); Tue, 7 Aug 2018 17:57:51 -0400
Received: by mail-pg1-f196.google.com with SMTP id n7-v6so8311005pgq.4
	for <netdev@vger.kernel.org>; Tue, 07 Aug 2018 12:41:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=GFFeVqqSwTXwvJv6GewazGFOQe/X6i4D7yOLS0LzZKk=;
	b=M5tYkG2z1EY9QbWl80mtayNbVBBC/riRsFYAXWplzMH1XqNLSXuG2oojfaIu0k9gDB
	rckCjO40l8iRwV8We7pcFUJdt6BDtwHQHLLPq+TP1/FvOqE3TD0By1RCnCgoqGak4697
	x+erTS8I7Ak8xgTqntWPMmPmXdAHgisjh6HWvaH/17o5W/9B/92MjBJMqt4z7dcr0xA+
	Fz+K17aj4Xsl03sshKWzSuTb0DW/hyjl+wQRkav4tNhYFI0lSP8Ez0Zt9oFhfl1mNIDc
	YthTdoYjoQtNVSOw7N4k4VuKQvNvHuyPuUtfaBL3pkr2mYfvkJTYgQX+t2WUFDw8nMgG
	3/8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=GFFeVqqSwTXwvJv6GewazGFOQe/X6i4D7yOLS0LzZKk=;
	b=DmTYDIldSKuCCkX+1ysoO+50rbWsFmHah5UUUxwkOvNgjVXRNqXRriE4AmyH4x61p9
	UBhSoNEjW4OMtXX1bMpCata2hnXBS7ELJbeI3rCtNtSs6cDd/0vkWUl9WdbKt/Bs+W99
	BHc6H66yn/8pyax20bRDIRWOW5PtFZMy0XMkFxKSI/EP3QISnxpJLyGeYIukiH9cxZDd
	glQbkVMFPid0JPVNo2TwCnS/ke4efCV6jI+XZsypp8nnvXyqr6Q8dlpgQeTbdjxGPJXe
	LKvTKq0AWQfcTgfbmmFn+cdd4JNS6J6g9R3daaqp059bwhxjDtZTG//qZncs5KWoasjD
	lLsw==
X-Gm-Message-State: AOUpUlF5oWnD6Rn6DCByasOhnDZba2Mn7tnzOi/EOHT11RRBkVexQaGQ
	MIL+k4QDFS7iM6UwFTuV2t2uIYbR
X-Google-Smtp-Source: 
 AAOMgpeQZMtjPVpLyjW+hJSy70OlT4PfDlDJBrTZYVBEeoQcoSVaAfy5zxeMtLTKCjCP8BcN+OGqSw==
X-Received: by 2002:a65:6109:: with SMTP id
	z9-v6mr19868396pgu.243.1533670916099;
	Tue, 07 Aug 2018 12:41:56 -0700 (PDT)
Received: from tw-172-25-29-37.office.twttr.net ([8.25.197.25])
	by smtp.gmail.com with ESMTPSA id
	a7-v6sm2187897pgv.51.2018.08.07.12.41.55
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Tue, 07 Aug 2018 12:41:55 -0700 (PDT)
From: Cong Wang <xiyou.wangcong@gmail.com>
To: netdev@vger.kernel.org
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Subject: [Patch net] llc: use refcount_inc_not_zero() for llc_sap_find()
Date: Tue,  7 Aug 2018 12:41:38 -0700
Message-Id: <20180807194138.5863-1-xiyou.wangcong@gmail.com>
X-Mailer: git-send-email 2.14.4
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

llc_sap_put() decreases the refcnt before deleting sap
from the global list. Therefore, there is a chance
llc_sap_find() could find a sap with zero refcnt
in this global list.

Close this race condition by checking if refcnt is zero
or not in llc_sap_find(), if it is zero then it is being
removed so we can just treat it as gone.

Reported-by: <syzbot+278893f3f7803871f7ce@syzkaller.appspotmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 include/net/llc.h  | 5 +++++
 net/llc/llc_core.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/include/net/llc.h b/include/net/llc.h
index dc35f25eb679..890a87318014 100644
--- a/include/net/llc.h
+++ b/include/net/llc.h
@@ -116,6 +116,11 @@ static inline void llc_sap_hold(struct llc_sap *sap)
 	refcount_inc(&sap->refcnt);
 }
 
+static inline bool llc_sap_hold_safe(struct llc_sap *sap)
+{
+	return refcount_inc_not_zero(&sap->refcnt);
+}
+
 void llc_sap_close(struct llc_sap *sap);
 
 static inline void llc_sap_put(struct llc_sap *sap)
diff --git a/net/llc/llc_core.c b/net/llc/llc_core.c
index 89041260784c..260b3dc1b4a2 100644
--- a/net/llc/llc_core.c
+++ b/net/llc/llc_core.c
@@ -73,8 +73,8 @@ struct llc_sap *llc_sap_find(unsigned char sap_value)
 
 	rcu_read_lock_bh();
 	sap = __llc_sap_find(sap_value);
-	if (sap)
-		llc_sap_hold(sap);
+	if (!sap || !llc_sap_hold_safe(sap))
+		sap = NULL;
 	rcu_read_unlock_bh();
 	return sap;
 }