net · f0308fb0708078d6c1d8a4d533941a7a191af634 · Upstream / linux-stable

rxrpc: Fix possible NULL pointer access in ICMP handling

David Howells authored 5 years ago

If an ICMP packet comes in on the UDP socket backing an AF_RXRPC socket as
the UDP socket is being shut down, rxrpc_error_report() may get called to
deal with it after sk_user_data on the UDP socket has been cleared, leading
to a NULL pointer access when this local endpoint record gets accessed.

Fix this by just returning immediately if sk_user_data was NULL.

The oops looks like the following:

#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
...
RIP: 0010:rxrpc_error_report+0x1bd/0x6a9
...
Call Trace:
 ? sock_queue_err_skb+0xbd/0xde
 ? __udp4_lib_err+0x313/0x34d
 __udp4_lib_err+0x313/0x34d
 icmp_unreach+0x1ee/0x207
 icmp_rcv+0x25b/0x28f
 ip_protocol_deliver_rcu+0x95/0x10e
 ip_local_deliver+0xe9/0x148
 __netif_receive_skb_one_core+0x52/0x6e
 process_backlog+0xdc/0x177
 net_rx_action+0xf9/0x270
 __do_softirq+0x1b6/0x39a
 ? smpboot_register_percpu_thread+0xce/0xce
 run_ksoftirqd+0x1d/0x42
 smpboot_thread_fn+0x19e/0x1b3
 kthread+0xf1/0xf6
 ? kthread_delayed_work_timer_fn+0x83/0x83
 ret_from_fork+0x24/0x30

Fixes: 17926a79

 ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: syzbot+611164843bd48cc2190c@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

f0308fb0

Name	Last commit	Last update
..
6lowpan	6lowpan: no need to check return value of debugfs_create functions	5 years ago
802	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500	6 years ago
8021q	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	6 years ago
9p	Merge tag '9p-for-5.4' of git://github.com/martinetd/linux	5 years ago
appletalk	appletalk: enforce CAP_NET_RAW for raw sockets	5 years ago
atm	pppoatm: use %*ph to print small buffer	5 years ago
ax25	ax25: enforce CAP_NET_RAW for raw sockets	5 years ago
batman-adv	netfilter: drop bridge nf reset from nf_reset	5 years ago
bluetooth	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next	5 years ago
bpf	bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN	5 years ago
bpfilter	Merge tag 'kbuild-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild	5 years ago
bridge	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	5 years ago
caif	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 194	6 years ago
can	can: add support of SAE J1939 protocol	5 years ago
ceph	libceph: use ceph_kvmalloc() for osdmap arrays	5 years ago
core	net: silence KCSAN warnings about sk->sk_backlog.len reads	5 years ago
dcb	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201	6 years ago
dccp	netfilter: drop bridge nf reset from nf_reset	5 years ago
decnet	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 53	6 years ago
dns_resolver	Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"	5 years ago
dsa	net: dsa: sja1105: Fix sleeping while atomic in .port_hwtstamp_set	5 years ago
ethernet	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	6 years ago
hsr	hsr: switch ->dellink() to ->ndo_uninit()	5 years ago
ieee802154	ieee802154: enforce CAP_NET_RAW for raw sockets	5 years ago
ife	net: Fix Kconfig indentation	5 years ago
ipv4	net: annotate sk->sk_rcvlowat lockless reads	5 years ago
ipv6	ip6erspan: remove the incorrect mtu limit for ip6erspan	5 years ago
iucv	net/af_iucv: mark expected switch fall-throughs	5 years ago
kcm	kcm: disable preemption in kcm_parse_func_strparser()	5 years ago
key	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	5 years ago
l2tp	netfilter: drop bridge nf reset from nf_reset	5 years ago
l3mdev	ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF	5 years ago
lapb	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	6 years ago
llc	net: silence KCSAN warnings around sk_add_backlog() calls	5 years ago
mac80211	mac80211: fix scan when operating on DFS channels in ETSI domains	5 years ago
mac802154	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174	6 years ago
mpls	ipv4: mpls: fix mpls_xmit for iptunnel	5 years ago
ncsi	net/ncsi: Disable global multicast filter	5 years ago
netfilter	netfilter: conntrack: avoid possible false sharing	5 years ago
netlabel	netlabel: remove redundant assignment to pointer iter	5 years ago
netlink	net: remove empty netlink_tap_exit_net	6 years ago
netrom	netrom: hold sock when setting skb->destructor	5 years ago
nfc	nfc: fix memory leak in llcp_sock_bind()	5 years ago
nsh	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500	6 years ago
openvswitch	netfilter: drop bridge nf reset from nf_reset	5 years ago
packet	netfilter: drop bridge nf reset from nf_reset	5 years ago
phonet	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336	6 years ago
psample	net: sched: take reference to psample group in flow_action infra	5 years ago
qrtr	net: qrtr: Stop rx_worker before freeing node	5 years ago
rds	net/rds: Fix error handling in rds_ib_add_one()	5 years ago
rfkill
rose
rxrpc
sched
sctp
smc
strparser
sunrpc
switchdev
tipc
tls
unix
vmw_vsock
wimax
wireless
x25
xdp
xfrm
Kconfig
Makefile
compat.c
socket.c
sysctl_net.c

GitLab

Menu

Download source code

Download this directory