• David Howells's avatar
    rxrpc: Fix call ref leak · c48fc11b
    David Howells authored
    When sendmsg() finds a call to continue on with, if the call is in an
    inappropriate state, it doesn't release the ref it just got on that call
    before returning an error.
    
    This causes the following symptom to show up with kasan:
    
    	BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
    	net/rxrpc/output.c:635
    	Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077
    
    where line 635 is:
    
    	whdr.epoch	= htonl(peer->local->rxnet->epoch);
    
    The local endpoint (which cannot be pinned by the call) has been released,
    but not the peer (which is pinned by the call).
    
    Fix this by releasing the call in the error path.
    
    Fixes: 37411cad ("rxrpc: Fix potential NULL-pointer exception")
    Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    c48fc11b
sendmsg.c 21.5 KB