diff options
author | David Howells <dhowells@redhat.com> | 2019-10-10 15:52:34 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-01-09 10:19:08 +0100 |
commit | d9f4d60a233607aa148e7414173fbed21a0eaa8f (patch) | |
tree | 80bfd26a83d7e9325ceb8271276c79b507f85d9e /net/rxrpc | |
parent | a2118e6e0dc0e7401eb8b5739a78301d1a63523b (diff) | |
download | linux-stable-d9f4d60a233607aa148e7414173fbed21a0eaa8f.tar.gz linux-stable-d9f4d60a233607aa148e7414173fbed21a0eaa8f.tar.bz2 linux-stable-d9f4d60a233607aa148e7414173fbed21a0eaa8f.zip |
rxrpc: Fix possible NULL pointer access in ICMP handling
[ Upstream commit f0308fb0708078d6c1d8a4d533941a7a191af634 ]
If an ICMP packet comes in on the UDP socket backing an AF_RXRPC socket as
the UDP socket is being shut down, rxrpc_error_report() may get called to
deal with it after sk_user_data on the UDP socket has been cleared, leading
to a NULL pointer access when this local endpoint record gets accessed.
Fix this by just returning immediately if sk_user_data was NULL.
The oops looks like the following:
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
...
RIP: 0010:rxrpc_error_report+0x1bd/0x6a9
...
Call Trace:
? sock_queue_err_skb+0xbd/0xde
? __udp4_lib_err+0x313/0x34d
__udp4_lib_err+0x313/0x34d
icmp_unreach+0x1ee/0x207
icmp_rcv+0x25b/0x28f
ip_protocol_deliver_rcu+0x95/0x10e
ip_local_deliver+0xe9/0x148
__netif_receive_skb_one_core+0x52/0x6e
process_backlog+0xdc/0x177
net_rx_action+0xf9/0x270
__do_softirq+0x1b6/0x39a
? smpboot_register_percpu_thread+0xce/0xce
run_ksoftirqd+0x1d/0x42
smpboot_thread_fn+0x19e/0x1b3
kthread+0xf1/0xf6
? kthread_delayed_work_timer_fn+0x83/0x83
ret_from_fork+0x24/0x30
Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: syzbot+611164843bd48cc2190c@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/rxrpc')
-rw-r--r-- | net/rxrpc/peer_event.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c index dc7fdaf20445..42582a9ff81d 100644 --- a/net/rxrpc/peer_event.c +++ b/net/rxrpc/peer_event.c @@ -153,6 +153,9 @@ void rxrpc_error_report(struct sock *sk) struct rxrpc_peer *peer; struct sk_buff *skb; + if (unlikely(!local)) + return; + _enter("%p{%d}", sk, local->debug_id); skb = sock_dequeue_err_skb(sk); |