summaryrefslogtreecommitdiffstats
path: root/net/rxrpc
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2019-10-10 15:52:34 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-01-09 10:19:08 +0100
commitd9f4d60a233607aa148e7414173fbed21a0eaa8f (patch)
tree80bfd26a83d7e9325ceb8271276c79b507f85d9e /net/rxrpc
parenta2118e6e0dc0e7401eb8b5739a78301d1a63523b (diff)
downloadlinux-stable-d9f4d60a233607aa148e7414173fbed21a0eaa8f.tar.gz
linux-stable-d9f4d60a233607aa148e7414173fbed21a0eaa8f.tar.bz2
linux-stable-d9f4d60a233607aa148e7414173fbed21a0eaa8f.zip
rxrpc: Fix possible NULL pointer access in ICMP handling
[ Upstream commit f0308fb0708078d6c1d8a4d533941a7a191af634 ] If an ICMP packet comes in on the UDP socket backing an AF_RXRPC socket as the UDP socket is being shut down, rxrpc_error_report() may get called to deal with it after sk_user_data on the UDP socket has been cleared, leading to a NULL pointer access when this local endpoint record gets accessed. Fix this by just returning immediately if sk_user_data was NULL. The oops looks like the following: #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page ... RIP: 0010:rxrpc_error_report+0x1bd/0x6a9 ... Call Trace: ? sock_queue_err_skb+0xbd/0xde ? __udp4_lib_err+0x313/0x34d __udp4_lib_err+0x313/0x34d icmp_unreach+0x1ee/0x207 icmp_rcv+0x25b/0x28f ip_protocol_deliver_rcu+0x95/0x10e ip_local_deliver+0xe9/0x148 __netif_receive_skb_one_core+0x52/0x6e process_backlog+0xdc/0x177 net_rx_action+0xf9/0x270 __do_softirq+0x1b6/0x39a ? smpboot_register_percpu_thread+0xce/0xce run_ksoftirqd+0x1d/0x42 smpboot_thread_fn+0x19e/0x1b3 kthread+0xf1/0xf6 ? kthread_delayed_work_timer_fn+0x83/0x83 ret_from_fork+0x24/0x30 Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") Reported-by: syzbot+611164843bd48cc2190c@syzkaller.appspotmail.com Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/rxrpc')
-rw-r--r--net/rxrpc/peer_event.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
index dc7fdaf20445..42582a9ff81d 100644
--- a/net/rxrpc/peer_event.c
+++ b/net/rxrpc/peer_event.c
@@ -153,6 +153,9 @@ void rxrpc_error_report(struct sock *sk)
struct rxrpc_peer *peer;
struct sk_buff *skb;
+ if (unlikely(!local))
+ return;
+
_enter("%p{%d}", sk, local->debug_id);
skb = sock_dequeue_err_skb(sk);