Re: KASAN: use-after-free Read in rxrpc_send_data_packet

From: David Howells
Date: Mon Feb 01 2021 - 05:14:44 EST

Next message: Vlastimil Babka: "Re: [PATCH] mm/page_owner: Record the timestamp of all pages during free"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH 3/5] drm/msm/dsi_pll_10nm: Fix bad VCO rate calculation and prescaler"
In reply to: syzbot: "KASAN: use-after-free Read in rxrpc_send_data_packet"
Next in thread: David Howells: "Re: KASAN: use-after-free Read in rxrpc_send_data_packet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hillf Danton <hdanton@xxxxxxxx> wrote:

> --- a/net/rxrpc/call_object.c
> +++ b/net/rxrpc/call_object.c
> @@ -549,6 +549,7 @@ void rxrpc_release_call(struct rxrpc_soc
> if (call->security)
> call->security->free_call_crypto(call);
>
> + cancel_work_sync(&call->processor);
> rxrpc_cleanup_ring(call);
> _leave("");
> }

It's probably better to do the cancellation before we call
->free_call_crypto().

Two other alternatives would be to lock in rxrpc_cleanup_ring() or just remove
that call of rxrpc_cleanup_ring() and leave it to rxrpc_cleanup_call() (which
calls it anyway). The latter might be the best option as the work function
holds a ref on the call.

Clearing the ring in rxrpc_release_call() is more of an optimisation, meant to
recycle skbuffs sooner, but I would hope that the call would be destroyed
quickly after this point anyway.

David

Next message: Vlastimil Babka: "Re: [PATCH] mm/page_owner: Record the timestamp of all pages during free"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH 3/5] drm/msm/dsi_pll_10nm: Fix bad VCO rate calculation and prescaler"
In reply to: syzbot: "KASAN: use-after-free Read in rxrpc_send_data_packet"
Next in thread: David Howells: "Re: KASAN: use-after-free Read in rxrpc_send_data_packet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]