diff options
| author | Sharath Chandra Vurukala <sharathv@codeaurora.org> | 2019-04-24 11:35:26 +0530 |
|---|---|---|
| committer | Kaustubh Pandey <kapandey@codeaurora.org> | 2019-06-04 09:49:19 +0530 |
| commit | b924e5efad9c9e56633f3c3d2ddcce288070af27 (patch) | |
| tree | afecf9c65bd97fe46eaf0e2b1fe613bb6fcbdc35 /lib/mpi/mpi-inline.h | |
| parent | 547234bc39058092bd09dc38b11081cd357060e9 (diff) | |
net: sockev: avoid races between sockev and socket_close
Use-after-free is seen when sending a sockev netlink message
since socket is not held which can race with sk_free.
KASAN: use-after-free in sockev_client_cb+0x41c/0x4b8
in net/core/sockev_nlmcast.c:104
Read of size 2 at addr <ffffffc08420c550>
Call trace:
dump_backtrace+0x0/0x388 arch/arm64/kernel/time.c:55
show_stack+0x24/0x30 arch/arm64/kernel/traps.c:152
__dump_stack+0x24/0x2c lib/dump_stack.c:17
dump_stack+0x8c/0xd0 lib/dump_stack.c:53
print_address_description+0x74/0x234 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x240/0x264 mm/kasan/report.c:412
__asan_report_load2_noabort+0x2c/0x38 mm/kasan/report.c:431
sockev_client_cb+0x41c/0x4b8 net/core/sockev_nlmcast.c:104
notifier_call_chain+0x104/0x158 kernel/notifier.c:93
__blocking_notifier_call_chain+0x80/0xb0 kernel/notifier.c:317
blocking_notifier_call_chain+0x3c/0x4c kernel/notifier.c:328
sockev_notify+0x30/0x3c net/socket.c:181
SYSC_bind net/socket.c:1509 [inline]
SyS_bind+0x1ec/0x30c net/socket.c:1489
el0_svc_naked+0x34/0x38
Freed by task 19460:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x134/0x20c mm/kasan/kasan.c:520
kasan_slab_free+0x10/0x1c mm/kasan/kasan.c:527
slab_free_hook mm/slub.c:1401 [inline]
slab_free_freelist_hook mm/slub.c:1422 [inline]
slab_free mm/slub.c:2979 [inline]
kmem_cache_free+0x114/0x664 mm/slub.c:3001
sk_prot_free net/core/sock.c:1504 [inline]
__sk_destruct+0x324/0x3c0 net/core/sock.c:1585
__sk_free+0x180/0x200 net/core/sock.c:1601
sk_free+0x44/0x50 net/core/sock.c:1612
sock_put include/net/sock.h:1643 [inline]
sk_common_release+0x198/0x20c net/core/sock.c:3014
raw_close+0x38/0x44 net/ipv4/raw.c:703
inet_release+0x128/0x15c net/ipv4/af_inet.c:446
__sock_release+0xb8/0x258 net/socket.c:614
sock_close+0x24/0x34 net/socket.c:1150
__fput+0x1f4/0x4e4 fs/file_table.c:345
____fput+0x20/0x2c fs/file_table.c:380
task_work_run+0x9c/0x174 kernel/task_work.c:113
Change-Id: Idb4335889b6e4228f36d76ca5b6156cc5e5838da
Signed-off-by: Sharath Chandra Vurukala <sharathv@codeaurora.org>
Signed-off-by: Kaustubh Pandey <kapandey@codeaurora.org>
Diffstat (limited to 'lib/mpi/mpi-inline.h')
0 files changed, 0 insertions, 0 deletions