| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 01 Feb 2021 10:12:36 +0000
From: David Howells <dhowells@...hat.com>
To: Hillf Danton <hdanton@...a.com>
Cc: dhowells@...hat.com,
syzbot <syzbot+174de899852504e4a74a@...kaller.appspotmail.com>,
linux-afs@...ts.infradead.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com,
syzbot+3d1c772efafd3c38d007@...kaller.appspotmail.com
Subject: Re: KASAN: use-after-free Read in rxrpc_send_data_packet
Hillf Danton <hdanton@...a.com> wrote:
> --- a/net/rxrpc/call_object.c
> +++ b/net/rxrpc/call_object.c
> @@ -549,6 +549,7 @@ void rxrpc_release_call(struct rxrpc_soc
> if (call->security)
> call->security->free_call_crypto(call);
>
> + cancel_work_sync(&call->processor);
> rxrpc_cleanup_ring(call);
> _leave("");
> }
It's probably better to do the cancellation before we call
->free_call_crypto().
Two other alternatives would be to lock in rxrpc_cleanup_ring() or just remove
that call of rxrpc_cleanup_ring() and leave it to rxrpc_cleanup_call() (which
calls it anyway). The latter might be the best option as the work function
holds a ref on the call.
Clearing the ring in rxrpc_release_call() is more of an optimisation, meant to
recycle skbuffs sooner, but I would hope that the call would be destroyed
quickly after this point anyway.
David
Powered by blists - more mailing lists