From: Cong Wang
To: netdev@vger.kernel.org
Cc: Cong Wang
Subject: [Patch net] llc: set SOCK_RCU_FREE in llc_sap_add_socket()
Date: Thu, 11 Oct 2018 11:15:13 -0700
Message-Id: <20181011181513.20203-1-xiyou.wangcong@gmail.com>
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 982639
X-Patchwork-Delegate: davem@davemloft.net

When an llc sock is added into the sk_laddr_hash of an llc_sap, it is not marked with SOCK_RCU_FREE. This causes that the sock could be freed while it is still being read by __llc_lookup_established() with RCU read lock. sock is refcounted, but with RCU read lock, nothing prevents the readers getting a zero refcnt.

Fix it by setting SOCK_RCU_FREE in llc_sap_add_socket().

Reported-by: syzbot+11e05f04c15e03be5254@syzkaller.appspotmail.com
Signed-off-by: Cong Wang
---
 net/llc/llc_conn.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c index c0ac522b48a1..4ff89cb7c86f 100644 --- a/net/llc/llc_conn.c +++ b/net/llc/llc_conn.c @@ -734,6 +734,7 @@ void llc_sap_add_socket(struct llc_sap *sap, struct sock *sk) llc_sk(sk)->sap = sap; spin_lock_bh(&sap->sk_lock); + sock_set_flag(sk, SOCK_RCU_FREE); sap->sk_count++; sk_nulls_add_node_rcu(sk, laddr_hb); hlist_add_head(&llc->dev_hash_node, dev_hb);
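
Review bot: The added sock_set_flag(sk, SOCK_RCU_FREE) in llc_sap_add_socket() has no comment, and the commit message carries no Fixes: tag. A one-line comment above the call, saying the flag has to be set before sk_nulls_add_node_rcu() makes the socket visible to RCU readers, would protect that ordering against later reshuffling of the function, and a Fixes: tag would help stable maintainers pick up a fix for a syzbot-reported bug. The commit message also says readers can still observe a zero refcnt. The flag only defers the free past a grace period, so please confirm that __llc_lookup_established() takes its reference in a way that fails on zero; that path is not visible in this hunk.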