kernel-fxtec-pro1x/net/rxrpc
David Howells 8d9c4a9b86 rxrpc: Fix trace-after-put looking at the put peer record
commit 55f6c98e3674ce16038a1949c3f9ca5a9a99f289 upstream.

rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement
of the refcount - which looks at the debug_id in the peer record.  But
unless the refcount was reduced to zero, we no longer have the right to
look in the record and, indeed, it may be deleted by some other thread.

Fix this by getting the debug_id out before decrementing the refcount and
then passing that into the tracepoint.

This can cause the following symptoms:

    BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
    [inline]
    BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
    net/rxrpc/peer_object.c:435
    Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

Fixes: 1159d4b496 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-06 13:06:24 +01:00
..
af_rxrpc.c rxrpc: Fix local endpoint refcounting 2019-08-29 08:28:59 +02:00
ar-internal.h rxrpc: Fix local endpoint refcounting 2019-08-29 08:28:59 +02:00
call_accept.c rxrpc: Fix an uninitialised variable 2018-10-15 22:07:36 -07:00
call_event.c rxrpc: Fix lockup due to no error backoff after ack transmit error 2018-11-23 08:17:07 +01:00
call_object.c rxrpc: Fix net namespace cleanup 2019-05-05 14:42:38 +02:00
conn_client.c rxrpc: Fix client call connect/disconnect race 2019-04-20 09:16:05 +02:00
conn_event.c
conn_object.c
conn_service.c
input.c rxrpc: Fix local endpoint refcounting 2019-08-29 08:28:59 +02:00
insecure.c
Kconfig
key.c
local_event.c
local_object.c rxrpc: Fix local refcounting 2019-08-29 08:28:59 +02:00
Makefile
misc.c
net_ns.c
output.c rxrpc: Fix lockup due to no error backoff after ack transmit error 2018-11-23 08:17:07 +01:00
peer_event.c rxrpc: Fix potential deadlock 2019-08-29 08:28:35 +02:00
peer_object.c rxrpc: Fix trace-after-put looking at the put peer record 2019-11-06 13:06:24 +01:00
proc.c
protocol.h
recvmsg.c rxrpc: bad unlock balance in rxrpc_recvmsg 2019-02-12 19:47:22 +01:00
rxkad.c
security.c
sendmsg.c rxrpc: Fix call ref leak 2019-11-06 13:06:23 +01:00
skbuff.c
sysctl.c
utils.c