From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2EA6C388F9 for ; Tue, 27 Oct 2020 14:52:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A0DA822265 for ; Tue, 27 Oct 2020 14:52:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603810330; bh=07fMfKYU6c0o/gMbRmGlXpokkcNIDhS9nbF01ONF268=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=SjC/lxB4r2+UfByWgkruI3e49obCybiXhASknL+FUBR7WETZpjJPnz0K/PXhzVg1Q osaxWFpws4yA8nhCk75bgCaawb+zTHnh1S78sXPBze9iRZ0qVOTO8tAzb/C0wL2xo+ itK98t/GDizLTOubg3tv9HH21nY+2dAOKS9KZjGA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1768347AbgJ0Otk (ORCPT ); Tue, 27 Oct 2020 10:49:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:49574 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1766539AbgJ0Ot2 (ORCPT ); Tue, 27 Oct 2020 10:49:28 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4D4E9207DE; Tue, 27 Oct 2020 14:49:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603810168; bh=07fMfKYU6c0o/gMbRmGlXpokkcNIDhS9nbF01ONF268=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dwx5MZ/CwVR5XZ22TeddEXbmeNi+7m5l+gvJ7gG4UtBJCjJWKZRYQBeWbZKvVye8G rJYo3SaWGxmp46SgxfKIOnRTAfMbpQEeHMW4LqJIX+y8XO1O9kjZqeg33cV9ZTnPUS PmXnUymKKlOz+9qnrpPIhin+HiJ98X4KtbkJSS/k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Karsten Graul , Jakub Kicinski Subject: [PATCH 5.8 013/633] net/smc: fix use-after-free of delayed events Date: Tue, 27 Oct 2020 14:45:56 +0100 Message-Id: <20201027135523.308963994@linuxfoundation.org> X-Mailer: git-send-email 2.29.1 In-Reply-To: <20201027135522.655719020@linuxfoundation.org> References: <20201027135522.655719020@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Karsten Graul [ Upstream commit d535ca1367787ddc8bff22d679a11f864c8228bc ] When a delayed event is enqueued then the event worker will send this event the next time it is running and no other flow is currently active. The event handler is called for the delayed event, and the pointer to the event keeps set in lgr->delayed_event. This pointer is cleared later in the processing by smc_llc_flow_start(). This can lead to a use-after-free condition when the processing does not reach smc_llc_flow_start(), but frees the event because of an error situation. Then the delayed_event pointer is still set but the event is freed. Fix this by always clearing the delayed event pointer when the event is provided to the event handler for processing, and remove the code to clear it in smc_llc_flow_start(). Fixes: 555da9af827d ("net/smc: add event-based llc_flow framework") Signed-off-by: Karsten Graul Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/smc/smc_llc.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) --- a/net/smc/smc_llc.c +++ b/net/smc/smc_llc.c @@ -233,8 +233,6 @@ static bool smc_llc_flow_start(struct sm default: flow->type = SMC_LLC_FLOW_NONE; } - if (qentry == lgr->delayed_event) - lgr->delayed_event = NULL; smc_llc_flow_qentry_set(flow, qentry); spin_unlock_bh(&lgr->llc_flow_lock); return true; @@ -1590,13 +1588,12 @@ static void smc_llc_event_work(struct wo struct smc_llc_qentry *qentry; if (!lgr->llc_flow_lcl.type && lgr->delayed_event) { - if (smc_link_usable(lgr->delayed_event->link)) { - smc_llc_event_handler(lgr->delayed_event); - } else { - qentry = lgr->delayed_event; - lgr->delayed_event = NULL; + qentry = lgr->delayed_event; + lgr->delayed_event = NULL; + if (smc_link_usable(qentry->link)) + smc_llc_event_handler(qentry); + else kfree(qentry); - } } again: