android_kernel_oneplus_msm8998/net
Sharath Chandra Vurukala 4d2f6ab9a8 net: sockev: avoid races between sockev and socket_close
Use-after-free is seen when sending a sockev netlink message
since socket is not held which can race with sk_free.

KASAN: use-after-free in sockev_client_cb+0x41c/0x4b8
	in net/core/sockev_nlmcast.c:104
Read of size 2 at addr ffffffc08420c550
Call trace:
dump_backtrace+0x0/0x388 arch/arm64/kernel/time.c:55
show_stack+0x24/0x30 arch/arm64/kernel/traps.c:152
__dump_stack+0x24/0x2c lib/dump_stack.c:17
dump_stack+0x8c/0xd0 lib/dump_stack.c:53
print_address_description+0x74/0x234 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x240/0x264 mm/kasan/report.c:412
__asan_report_load2_noabort+0x2c/0x38 mm/kasan/report.c:431
sockev_client_cb+0x41c/0x4b8 net/core/sockev_nlmcast.c:104
notifier_call_chain+0x104/0x158 kernel/notifier.c:93
__blocking_notifier_call_chain+0x80/0xb0 kernel/notifier.c:317
blocking_notifier_call_chain+0x3c/0x4c kernel/notifier.c:328
sockev_notify+0x30/0x3c net/socket.c:181
SYSC_bind net/socket.c:1509 [inline]
SyS_bind+0x1ec/0x30c net/socket.c:1489
el0_svc_naked+0x34/0x38
Freed by task 19460:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x134/0x20c mm/kasan/kasan.c:520
kasan_slab_free+0x10/0x1c mm/kasan/kasan.c:527
slab_free_hook mm/slub.c:1401 [inline]
slab_free_freelist_hook mm/slub.c:1422 [inline]
slab_free mm/slub.c:2979 [inline]
kmem_cache_free+0x114/0x664 mm/slub.c:3001
sk_prot_free net/core/sock.c:1504 [inline]
__sk_destruct+0x324/0x3c0 net/core/sock.c:1585
__sk_free+0x180/0x200 net/core/sock.c:1601
sk_free+0x44/0x50 net/core/sock.c:1612
sock_put include/net/sock.h:1643 [inline]
sk_common_release+0x198/0x20c net/core/sock.c:3014
raw_close+0x38/0x44 net/ipv4/raw.c:703
inet_release+0x128/0x15c net/ipv4/af_inet.c:446
__sock_release+0xb8/0x258 net/socket.c:614
sock_close+0x24/0x34 net/socket.c:1150
__fput+0x1f4/0x4e4 fs/file_table.c:345
____fput+0x20/0x2c fs/file_table.c:380
task_work_run+0x9c/0x174 kernel/task_work.c:113

Change-Id: Idb4335889b6e4228f36d76ca5b6156cc5e5838da
Signed-off-by: Sharath Chandra Vurukala <sharathv@codeaurora.org>
2019-05-20 15:51:25 +05:30
6lowpan
9p
802
8021q
appletalk
atm
ax25
batman-adv
bluetooth Merge android-4.4.153 (5e24b4e) into msm-4.4 2018-08-28 17:28:39 +05:30
bridge This is the 4.4.152 stable release 2018-08-24 13:37:12 +02:00
caif
can
ceph
core net: sockev: avoid races between sockev and socket_close 2019-05-20 15:51:25 +05:30
dcb
dccp dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() 2018-08-22 07:48:35 +02:00
decnet
dns_resolver KEYS: DNS: fix parsing multiple options 2018-07-22 14:25:54 +02:00
dsa net: dsa: Do not suspend/resume closed slave_dev 2018-08-06 16:24:41 +02:00
ethernet
hsr
ieee802154
ipc_router net: ipc_router: Initialize the sockaddr in recvmsg() handler 2018-07-25 22:57:06 -07:00
ipv4 Merge android-4.4.153 (5e24b4e) into msm-4.4 2018-08-28 17:28:39 +05:30
ipv6 Merge android-4.4.153 (5e24b4e) into msm-4.4 2018-08-28 17:28:39 +05:30
ipx
irda
iucv
key af_key: unconditionally clone on broadcast 2018-11-25 22:58:27 -08:00
l2tp This is the 4.4.151 stable release 2018-08-22 08:08:40 +02:00
l3mdev
lapb
llc llc: use refcount_inc_not_zero() for llc_sap_find() 2018-08-22 07:48:35 +02:00
mac80211
mac802154
mpls
netfilter Merge android-4.4.153 (5e24b4e) into msm-4.4 2018-08-28 17:28:39 +05:30
netlabel
netlink Merge android-4.4.148 (f057ff9) into msm-4.4 2018-08-24 00:07:01 +05:30
netrom
nfc This is the 4.4.143 stable release 2018-07-31 20:11:21 +02:00
openvswitch
packet packet: refine ring v3 block size test to hold one frame 2018-08-24 13:27:01 +02:00
phonet
rds rds: avoid unenecessary cong_update in loop transport 2018-07-22 14:25:54 +02:00
rfkill
rmnet_data
rose
rxrpc
sched Merge android-4.4.153 (5e24b4e) into msm-4.4 2018-08-28 17:28:39 +05:30
sctp
sunrpc
switchdev
tipc
unix
vmw_vsock vsock: split dwork to avoid reinitializations 2018-08-22 07:48:35 +02:00
wimax
wireless Merge "msm: wlan: Update regulatory database" 2019-04-29 23:25:24 -07:00
x25
xfrm xfrm: validate template mode 2018-10-29 09:15:20 -07:00
compat.c
Kconfig
Makefile
socket.c Merge android-4.4.153 (5e24b4e) into msm-4.4 2018-08-28 17:28:39 +05:30
sysctl_net.c