Re: [syzbot] KASAN: use-after-free Read in rxrpc_lookup_local

From: David Howells
Date: Thu Dec 08 2022 - 06:21:46 EST

Next message: Perry Yuan: "[PATCH v7 06/13] cpufreq: amd-pstate: implement amd pstate cpu online and offline callback"
Previous message: Perry Yuan: "[PATCH v7 13/13] Documentation: amd-pstate: introduce new global sysfs attributes"
In reply to: David Howells: "Re: [syzbot] KASAN: use-after-free Read in rxrpc_lookup_local"
Next in thread: syzbot: "Re: [syzbot] KASAN: use-after-free Read in rxrpc_lookup_local"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git master

diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index e7dccab7b741..37f3aec784cc 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -287,6 +287,7 @@ struct rxrpc_local {
struct hlist_node link;
struct socket *socket; /* my UDP socket */
struct task_struct *io_thread;
+ struct completion io_thread_ready; /* Indication that the I/O thread started */
struct rxrpc_sock __rcu *service; /* Service(s) listening on this endpoint */
struct rw_semaphore defrag_sem; /* control re-enablement of IP DF bit */
struct sk_buff_head rx_queue; /* Received packets */
diff --git a/net/rxrpc/io_thread.c b/net/rxrpc/io_thread.c
index d83ae3193032..e460e4151c16 100644
--- a/net/rxrpc/io_thread.c
+++ b/net/rxrpc/io_thread.c
@@ -426,6 +426,8 @@ int rxrpc_io_thread(void *data)
struct rxrpc_call *call;
struct sk_buff *skb;

+ complete(&local->io_thread_ready);
+
skb_queue_head_init(&rx_queue);

set_user_nice(current, MIN_NICE);
diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
index 44222923c0d1..d8dfd5459f50 100644
--- a/net/rxrpc/local_object.c
+++ b/net/rxrpc/local_object.c
@@ -96,6 +96,7 @@ static struct rxrpc_local *rxrpc_alloc_local(struct rxrpc_net *rxnet,
atomic_set(&local->active_users, 1);
local->rxnet = rxnet;
INIT_HLIST_NODE(&local->link);
+ init_completion(&local->io_thread_ready);
init_rwsem(&local->defrag_sem);
skb_queue_head_init(&local->rx_queue);
INIT_LIST_HEAD(&local->call_attend_q);
@@ -189,6 +190,7 @@ static int rxrpc_open_socket(struct rxrpc_local *local, struct net *net)
goto error_sock;
}

+ wait_for_completion(&local->io_thread_ready);
local->io_thread = io_thread;
_leave(" = 0");
return 0;
@@ -357,10 +359,11 @@ struct rxrpc_local *rxrpc_use_local(struct rxrpc_local *local,
*/
void rxrpc_unuse_local(struct rxrpc_local *local, enum rxrpc_local_trace why)
{
- unsigned int debug_id = local->debug_id;
+ unsigned int debug_id;
int r, u;

if (local) {
+ debug_id = local->debug_id;
r = refcount_read(&local->ref);
u = atomic_dec_return(&local->active_users);
trace_rxrpc_local(debug_id, why, r, u);

Next message: Perry Yuan: "[PATCH v7 06/13] cpufreq: amd-pstate: implement amd pstate cpu online and offline callback"
Previous message: Perry Yuan: "[PATCH v7 13/13] Documentation: amd-pstate: introduce new global sysfs attributes"
In reply to: David Howells: "Re: [syzbot] KASAN: use-after-free Read in rxrpc_lookup_local"
Next in thread: syzbot: "Re: [syzbot] KASAN: use-after-free Read in rxrpc_lookup_local"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]