lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240627113120.2142-1-hdanton@sina.com>
Date: Thu, 27 Jun 2024 19:31:20 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+c041b4ce3a6dfd1e63e2@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Write in l2tp_session_delete

On 25/06/2024 14:25, syzbot wrote:
> syzbot found the following issue on:
> 
> HEAD commit:    185d72112b95 net: xilinx: axienet: Enable multicast by def..
> git tree:       net-next
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1062bd46980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git  185d72112b95

--- x/net/l2tp/l2tp_core.c
+++ y/net/l2tp/l2tp_core.c
@@ -1298,8 +1298,10 @@ static void l2tp_tunnel_closeall(struct
 	list_for_each_safe(pos, tmp, &tunnel->session_list) {
 		session = list_entry(pos, struct l2tp_session, list);
 		list_del_init(&session->list);
+		l2tp_session_inc_refcount(session);
 		spin_unlock_bh(&tunnel->list_lock);
 		l2tp_session_delete(session);
+		l2tp_session_dec_refcount(session);
 		spin_lock_bh(&tunnel->list_lock);
 	}
 	spin_unlock_bh(&tunnel->list_lock);
--- x/net/l2tp/l2tp_ppp.c
+++ y/net/l2tp/l2tp_ppp.c
@@ -393,14 +393,6 @@ abort:
  * Session (and tunnel control) socket create/destroy.
  *****************************************************************************/
 
-static void pppol2tp_put_sk(struct rcu_head *head)
-{
-	struct pppol2tp_session *ps;
-
-	ps = container_of(head, typeof(*ps), rcu);
-	sock_put(ps->__sk);
-}
-
 /* Really kill the session socket. (Called from sock_put() if
  * refcnt == 0.)
  */
@@ -444,22 +436,8 @@ static int pppol2tp_release(struct socke
 
 	session = pppol2tp_sock_to_session(sk);
 	if (session) {
-		struct pppol2tp_session *ps;
-
 		l2tp_session_delete(session);
-
-		ps = l2tp_session_priv(session);
-		mutex_lock(&ps->sk_lock);
-		ps->__sk = rcu_dereference_protected(ps->sk,
-						     lockdep_is_held(&ps->sk_lock));
-		RCU_INIT_POINTER(ps->sk, NULL);
-		mutex_unlock(&ps->sk_lock);
-		call_rcu(&ps->rcu, pppol2tp_put_sk);
-
-		/* Rely on the sock_put() call at the end of the function for
-		 * dropping the reference held by pppol2tp_sock_to_session().
-		 * The last reference will be dropped by pppol2tp_put_sk().
-		 */
+		l2tp_session_dec_refcount(session);
 	}
 
 	release_sock(sk);
@@ -469,6 +447,7 @@ static int pppol2tp_release(struct socke
 	 * zero.
 	 */
 	sock_put(sk);
+	sock_put(sk);
 
 	return 0;
 
@@ -831,6 +810,7 @@ static int pppol2tp_connect(struct socke
 out_no_ppp:
 	/* This is how we get the session context from the socket. */
 	sk->sk_user_data = session;
+	l2tp_session_inc_refcount(session);
 	rcu_assign_pointer(ps->sk, sk);
 	mutex_unlock(&ps->sk_lock);
 
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ