    rds: fix refcount bug in rds_sock_addref · 94f70056
    Eric Dumazet authored
    [ Upstream commit 6fa19f56 ]
    
    syzbot was able to catch a bug in rds [1]
    
    The issue here is that the socket might be found in a hash table
    but that its refcount has already been set to 0 by another cpu.
    
    We need to use refcount_inc_not_zero() to be safe here.
    
    [1]
    
    refcount_t: increment on 0; use-after-free.
    WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked lib/refcount.c:153 [inline]
    WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked+0x61/0x70 lib/refcount.c:151
    Kernel panic - not syncing: panic_on_warn set ...
    CPU: 1 PID: 23129 Comm: syz-executor3 Not tainted 5.0.0-rc4+ #53
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
     panic+0x2cb/0x65c kernel/panic.c:214
     __warn.cold+0x20/0x48 kernel/panic.c:571
     report_bug+0x263/0x2b0 lib/bug.c:186
     fixup_bug arch/x86/kernel/traps.c:178 [inline]
     fixup_bug arch/x86/kernel/traps.c:173 [inline]
     do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
     do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
     invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
    RIP: 0010:refcount_inc_checked lib/refcount.c:153 [inline]
    RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:151
    Code: 1d 51 63 c8 06 31 ff 89 de e8 eb 1b f2 fd 84 db 75 dd e8 a2 1a f2 fd 48 c7 c7 60 9f 81 88 c6 05 31 63 c8 06 01 e8 af 65 bb fd <0f> 0b eb c1 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 54 49
    RSP: 0018:ffff8880a0cbf1e8 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90006113000
    RDX: 000000000001047d RSI: ffffffff81685776 RDI: 0000000000000005
    RBP: ffff8880a0cbf1f8 R08: ffff888097c9e100 R09: ffffed1015ce5021
    R10: ffffed1015ce5020 R11: ffff8880ae728107 R12: ffff8880723c20c0
    R13: ffff8880723c24b0 R14: dffffc0000000000 R15: ffffed1014197e64
     sock_hold include/net/sock.h:647 [inline]
     rds_sock_addref+0x19/0x20 net/rds/af_rds.c:675
     rds_find_bound+0x97c/0x1080 net/rds/bind.c:82
     rds_recv_incoming+0x3be/0x1430 net/rds/recv.c:362
     rds_loop_xmit+0xf3/0x2a0 net/rds/loop.c:96
     rds_send_xmit+0x1355/0x2a10 net/rds/send.c:355
     rds_sendmsg+0x323c/0x44e0 net/rds/send.c:1368
     sock_sendmsg_nosec net/socket.c:621 [inline]
     sock_sendmsg+0xdd/0x130 net/socket.c:631
     __sys_sendto+0x387/0x5f0 net/socket.c:1788
     __do_sys_sendto net/socket.c:1800 [inline]
     __se_sys_sendto net/socket.c:1796 [inline]
     __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796
     do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x458089
    Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007fc266df8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000458089
    RDX: 0000000000000000 RSI: 00000000204b3fff RDI: 0000000000000005
    RBP: 000000000073bf00 R08: 00000000202b4000 R09: 0000000000000010
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc266df96d4
    R13: 00000000004c56e4 R14: 00000000004d94a8 R15: 00000000ffffffff
    
    Fixes: cc4dfb7f ("rds: fix two RCU related problems")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
    Cc: rds-devel@oss.oracle.com
    Cc: Cong Wang <xiyou.wangcong@gmail.com>
    Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
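The race the commit message describes, as an added example that is not the kernel's or the author's code: a userspace model with C11 atomics (model_sock, hold_unchecked, hold_not_zero, put_ref and lookup_after_last_put are constructed names) showing why an unconditional sock_hold() on a socket found in the hash table can resurrect an object whose last reference is already gone, while an inc-not-zero check refuses the reference so the lookup can skip it.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Added example, not kernel code: a userspace model of the race in the
 * commit message. A socket found in the bind hash table may already have
 * had its refcount dropped to 0 by another CPU; an unconditional
 * sock_hold()-style increment then resurrects a dying object. */
struct model_sock {
    atomic_int refcnt;   /* models refcount_t */
    bool freed;          /* constructed flag: set when the last ref is put */
};

/* Unconditional increment: the sock_hold() behaviour the commit replaces. */
static bool hold_unchecked(struct model_sock *rs)
{
    atomic_fetch_add(&rs->refcnt, 1);
    return true;                        /* never notices a 0 refcount */
}

/* Models refcount_inc_not_zero(): take a reference only if count != 0. */
static bool hold_not_zero(struct model_sock *rs)
{
    int old = atomic_load(&rs->refcnt);
    do {
        if (old == 0)
            return false;               /* object is dying: skip it */
    } while (!atomic_compare_exchange_weak(&rs->refcnt, &old, old + 1));
    return true;
}

/* Models sock_put(): drop a reference, "free" on zero. */
static void put_ref(struct model_sock *rs)
{
    if (atomic_fetch_sub(&rs->refcnt, 1) == 1)
        rs->freed = true;
}

/* Ordering from the report: CPU A puts the last reference while the socket
 * is still visible in the hash table, then CPU B's lookup tries to take
 * one. Returns true if B ends up holding a reference to a freed object. */
static bool lookup_after_last_put(bool (*hold)(struct model_sock *))
{
    struct model_sock rs = { .freed = false };
    atomic_init(&rs.refcnt, 1);
    put_ref(&rs);                       /* CPU A: last ref gone, freed */
    bool got_ref = hold(&rs);           /* CPU B: lookup still finds it */
    return got_ref && rs.freed;         /* true == use-after-free */
}
```

The real fix keeps the RCU-protected lookup and simply makes the hold conditional, so a lookup that loses the race sees a 0 refcount and treats the socket as not found.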