From patchwork Sat Dec 30 19:36:39 2017
X-Patchwork-Submitter: Santosh Shilimkar
X-Patchwork-Id: 854150
X-Patchwork-Delegate: davem@davemloft.net
From: Santosh Shilimkar
To: netdev@vger.kernel.org, davem@davemloft.net
Cc: linux-kernel@vger.kernel.org, Santosh Shilimkar
Subject: [PATCH] rds: fix use-after-free read in rds_find_bound
Date: Sat, 30 Dec 2017 11:36:39 -0800
Message-Id: <1514662599-14491-1-git-send-email-santosh.shilimkar@oracle.com>
X-Mailing-List: netdev@vger.kernel.org

socket buffer can get freed as part of sock_close callback so before adding reference check underneath socket validity.

Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com
Signed-off-by: Santosh Shilimkar
---
 net/rds/bind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rds/bind.c b/net/rds/bind.c index 75d43dc..8dec06e 100644 --- a/net/rds/bind.c +++ b/net/rds/bind.c
@@ -61,7 +61,7 @@ struct rds_sock *rds_find_bound(__be32 addr, __be16 port) struct rds_sock *rs; rs = rhashtable_lookup_fast(&bind_hash_table, &key, ht_parms); - if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD)) + if (rs && rds_rs_to_sk(rs) && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD)) rds_sock_addref(rs); else rs = NULL;
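
Review bot: In the changed condition in rds_find_bound(), the added `rds_rs_to_sk(rs)` test only establishes that a pointer is non-NULL, which says nothing about whether the socket is still alive. The commit message describes the socket being freed from the sock_close path, and a freed object still yields a non-NULL pointer, so the `sock_flag(..., SOCK_DEAD)` read and the `rds_sock_addref(rs)` that follow can still touch freed memory. The hunk also shows no lock or RCU read-side section held across `rhashtable_lookup_fast()` and the addref, so the check and the reference grab are not atomic with respect to a concurrent close. Consider taking the reference with an increment-if-not-zero operation inside a read-side critical section that covers the lookup, or state in the commit message which path sets this pointer to NULL and why that closes the race. If `rds_rs_to_sk()` (its definition is not visible in this hunk) simply computes the address of a member embedded in `rs`, the new test can never be false and the change has no effect.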