Patch "tipc: increment the tmp aead refcnt before attaching it" has been added to the 5.10-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    tipc: increment the tmp aead refcnt before attaching it

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tipc-increment-the-tmp-aead-refcnt-before-attaching-.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6654b6646a7144b5826ab2d09b3a79195032c29b
Author: Xin Long <lucien.xin@xxxxxxxxx>
Date:   Tue Apr 6 10:45:23 2021 +0800

    tipc: increment the tmp aead refcnt before attaching it
    
    [ Upstream commit 2a2403ca3add03f542f6b34bef9f74649969b06d ]
    
    Li Shuang found a NULL pointer dereference crash in her testing:
    
      [] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      [] RIP: 0010:tipc_crypto_rcv_complete+0xc8/0x7e0 [tipc]
      [] Call Trace:
      []  <IRQ>
      []  tipc_crypto_rcv+0x2d9/0x8f0 [tipc]
      []  tipc_rcv+0x2fc/0x1120 [tipc]
      []  tipc_udp_recv+0xc6/0x1e0 [tipc]
      []  udpv6_queue_rcv_one_skb+0x16a/0x460
      []  udp6_unicast_rcv_skb.isra.35+0x41/0xa0
      []  ip6_protocol_deliver_rcu+0x23b/0x4c0
      []  ip6_input+0x3d/0xb0
      []  ipv6_rcv+0x395/0x510
      []  __netif_receive_skb_core+0x5fc/0xc40
    
    This is caused by NULL returned by tipc_aead_get(), and then crashed when
    dereferencing it later in tipc_crypto_rcv_complete(). This might happen
    when tipc_crypto_rcv_complete() is called by two threads at the same time:
    the tmp attached by tipc_crypto_key_attach() in one thread may be released
    by the one attached by that in the other thread.
    
    This patch is to fix it by incrementing the tmp's refcnt before attaching
    it instead of calling tipc_aead_get() after attaching it.
    
    Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
    Reported-by: Li Shuang <shuali@xxxxxxxxxx>
    Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index 740ab9ae41a6..86eb6d679225 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -1934,12 +1934,13 @@ static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead,
 			goto rcv;
 		if (tipc_aead_clone(&tmp, aead) < 0)
 			goto rcv;
+		WARN_ON(!refcount_inc_not_zero(&tmp->refcnt));
 		if (tipc_crypto_key_attach(rx, tmp, ehdr->tx_key, false) < 0) {
 			tipc_aead_free(&tmp->rcu);
 			goto rcv;
 		}
 		tipc_aead_put(aead);
-		aead = tipc_aead_get(tmp);
+		aead = tmp;
 	}
 
 	if (unlikely(err)) {