From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mao Wenan
Subject: [PATCH 4.4 08/99] [PATCH stable 4.4 net] net: rds: Fix NULL ptr use in rds_tcp_kill_sock
Date: Thu, 3 Oct 2019 17:52:31 +0200
Message-Id: <20191003154256.590115314@linuxfoundation.org>
In-Reply-To: <20191003154252.297991283@linuxfoundation.org>

From: Mao Wenan

After the commit c4e97b06cfdc ("net: rds: force to destroy
connection if t_sock is NULL in rds_tcp_kill_sock()."),
it introduced null-ptr-deref in rds_tcp_kill_sock as below:

BUG: KASAN: null-ptr-deref on address 0000000000000020
Read of size 8 by task kworker/u16:10/910
CPU: 3 PID: 910 Comm: kworker/u16:10 Not tainted 4.4.178+ #3
Hardware name: linux,dummy-virt (DT)
Workqueue: netns cleanup_net
Call trace:
[] dump_backtrace+0x0/0x618
[] show_stack+0x38/0x60
[] dump_stack+0x1a8/0x230
[] kasan_report_error+0xc8c/0xfc0
[] kasan_report+0x94/0xd8
[] __asan_load8+0x88/0x150
[] rds_tcp_dev_event+0x734/0xb48
[] raw_notifier_call_chain+0x150/0x1e8
[] call_netdevice_notifiers_info+0x90/0x110
[] netdev_run_todo+0x2f4/0xb08
[] rtnl_unlock+0x2c/0x48
[] default_device_exit_batch+0x444/0x528
[] ops_exit_list+0x1c0/0x240
[] cleanup_net+0x738/0xbf8
[] process_one_work+0x96c/0x13e0
[] worker_thread+0x7e0/0x1910
[] kthread+0x304/0x390
[] ret_from_fork+0x10/0x50

If the first loop add the tc->t_sock = NULL to the tmp_list,
1). list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node)

then the second loop is to find connections to destroy, tc->t_sock
might equal NULL, and tc->t_sock->sk happens null-ptr-deref.
2). list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node)

Fixes: c4e97b06cfdc ("net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().")
Signed-off-by: Mao Wenan
Signed-off-by: Greg Kroah-Hartman
---
 net/rds/tcp.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/rds/tcp.c +++ b/net/rds/tcp.c @@ -352,9 +352,11 @@ static void rds_tcp_kill_sock(struct net } spin_unlock_irq(&rds_tcp_conn_lock); list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node) { - sk = tc->t_sock->sk; - sk->sk_prot->disconnect(sk, 0); - tcp_done(sk); + if (tc->t_sock) { + sk = tc->t_sock->sk; + sk->sk_prot->disconnect(sk, 0); + tcp_done(sk); + } if (tc->conn->c_passive) rds_conn_destroy(tc->conn->c_passive); rds_conn_destroy(tc->conn);
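
Review bot: In the tmp_list loop of rds_tcp_kill_sock(), the new `if (tc->t_sock)` guard tests the pointer and then reads it a second time in `sk = tc->t_sock->sk;`, and both reads happen after `spin_unlock_irq(&rds_tcp_conn_lock)`. Loading tc->t_sock once into a local variable and testing that local would guarantee the check and the dereference see the same value. If nothing can change t_sock for entries already moved to tmp_list, a one-line comment above the guard saying so, and noting that the first loop can queue entries whose t_sock is NULL, would document why the check is needed here, since the hunk itself gives no hint of where a NULL t_sock comes from.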