evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/net
History
Mao Wenan 91573ae4ae net: rds: Fix NULL ptr use in rds_tcp_kill_sock 
After the commit c4e97b06cf ("net: rds: force to destroy
connection if t_sock is NULL in rds_tcp_kill_sock()."),
it introduced null-ptr-deref in rds_tcp_kill_sock as below:

BUG: KASAN: null-ptr-deref on address 0000000000000020
Read of size 8 by task kworker/u16:10/910
CPU: 3 PID: 910 Comm: kworker/u16:10 Not tainted 4.4.178+ #3
Hardware name: linux,dummy-virt (DT)
Workqueue: netns cleanup_net
Call trace:
[<ffffff90080abb50>] dump_backtrace+0x0/0x618
[<ffffff90080ac1a0>] show_stack+0x38/0x60
[<ffffff9008c42b78>] dump_stack+0x1a8/0x230
[<ffffff90085d469c>] kasan_report_error+0xc8c/0xfc0
[<ffffff90085d54a4>] kasan_report+0x94/0xd8
[<ffffff90085d1b28>] __asan_load8+0x88/0x150
[<ffffff9009c9cc2c>] rds_tcp_dev_event+0x734/0xb48
[<ffffff90081eacb0>] raw_notifier_call_chain+0x150/0x1e8
[<ffffff900973fec0>] call_netdevice_notifiers_info+0x90/0x110
[<ffffff9009764874>] netdev_run_todo+0x2f4/0xb08
[<ffffff9009796d34>] rtnl_unlock+0x2c/0x48
[<ffffff9009756484>] default_device_exit_batch+0x444/0x528
[<ffffff9009720498>] ops_exit_list+0x1c0/0x240
[<ffffff9009724a80>] cleanup_net+0x738/0xbf8
[<ffffff90081ca6cc>] process_one_work+0x96c/0x13e0
[<ffffff90081cf370>] worker_thread+0x7e0/0x1910
[<ffffff90081e7174>] kthread+0x304/0x390
[<ffffff9008094280>] ret_from_fork+0x10/0x50

If the first loop add the tc->t_sock = NULL to the tmp_list,
1). list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node)

then the second loop is to find connections to destroy, tc->t_sock
might equal NULL, and tc->t_sock->sk happens null-ptr-deref.
2). list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node)

Fixes: c4e97b06cf ("net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().")
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-10-05 12:27:38 +02:00
..
6lowpan 6lowpan: iphc: reset mac_header after decompress to fix panic 2018-10-10 08:52:04 +02:00
9p 9p/virtio: Add cleanup path in p9_virtio_init 2019-08-04 09:34:51 +02:00
802
8021q vlan: disable SIOCSHWTSTAMP in container 2019-05-16 19:45:17 +02:00
appletalk appletalk: Fix use-after-free in atalk_proc_exit 2019-04-27 09:33:59 +02:00
atm net: atm: Fix potential Spectre v1 vulnerabilities 2019-04-27 09:33:59 +02:00
ax25 ax25: fix inconsistent lock state in ax25_destroy_timer 2019-06-22 08:18:25 +02:00
batman-adv batman-adv: fix for leaked TVLV handler. 2019-08-04 09:34:39 +02:00
bluetooth Revert "Bluetooth: validate BLE connection interval updates" 2019-10-05 12:27:36 +02:00
bridge bridge/mdb: remove wrong use of NLM_F_MULTI 2019-09-21 07:12:37 +02:00
caif net: caif: Add a missing rcu_read_unlock() in caif_flow_cb 2018-09-05 09:18:34 +02:00
can can: purge socket error queue on sock destruct 2019-07-10 09:56:33 +02:00
ceph libceph: handle an empty authorize reply 2019-03-23 08:44:18 +01:00
core net: Fix null de-reference of device refcount 2019-09-21 07:12:39 +02:00
dcb net: dcb: For wild-card lookups, use priority -1, not 0 2018-09-19 22:48:58 +02:00
dccp dccp: do not use ipv6 header for ipv4 flow 2019-04-03 06:23:25 +02:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:03:38 +01:00
dns_resolver KEYS: DNS: fix parsing multiple options 2018-07-22 14:25:54 +02:00
dsa net: dsa: slave: Don't propagate flag changes on down slave interfaces 2019-02-20 10:13:15 +01:00
ethernet net: introduce device min_header_len 2017-02-18 16:39:27 +01:00
hsr net/hsr: fix possible crash in add_timer() 2019-03-23 08:44:31 +01:00
ieee802154 inet: frags: fix ip6frag_low_thresh boundary 2019-02-08 11:25:32 +01:00
ipv4 tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR 2019-09-21 07:12:41 +02:00
ipv6 ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' 2019-09-21 07:12:38 +02:00
ipx ipx: call ipxitf_put() in ioctl error path 2017-05-25 14:30:13 +02:00
irda irda: Only insert new objects into the global database via setsockopt 2018-09-15 09:40:40 +02:00
iucv af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers 2018-11-10 07:41:35 -08:00
key xfrm: clean up xfrm protocol checks 2019-09-16 08:13:35 +02:00
l2tp compat_ioctl: pppoe: fix PPPOEIOCSFWD handling 2019-08-11 12:20:46 +02:00
l3mdev net: Add netif_is_l3_slave 2015-10-07 04:27:43 -07:00
lapb lapb: fixed leak of control-blocks. 2019-06-22 08:18:25 +02:00
llc llc: fix skb leak in llc_build_and_send_ui_pkt() 2019-06-11 12:24:06 +02:00
mac80211 mac80211: fix possible sta leak 2019-09-06 10:18:17 +02:00
mac802154 net: mac802154: tx: expand tailroom if necessary 2018-09-09 20:04:32 +02:00
mpls mpls, nospec: Sanitize array index in mpls_label_ok() 2018-03-11 16:19:47 +01:00
netfilter netfilter: nf_conntrack_ftp: Fix debug output 2019-09-21 07:12:51 +02:00
netlabel netlabel: check for IPV4MASK in addrinfo_get 2018-10-20 09:52:36 +02:00
netlink netlink: Don't shift on 64 for ngroups 2018-08-09 12:19:28 +02:00
netrom netrom: hold sock when setting skb->destructor 2019-08-04 09:34:54 +02:00
nfc nfc: fix potential illegal memory access 2019-08-04 09:34:54 +02:00
openvswitch openvswitch: fix flow actions reallocation 2019-04-27 09:33:54 +02:00
packet af_packet: tone down the Tx-ring unsupported spew. 2019-09-16 08:13:36 +02:00
phonet phonet: fix building with clang 2019-03-23 08:44:34 +01:00
rds net: rds: Fix NULL ptr use in rds_tcp_kill_sock 2019-10-05 12:27:38 +02:00
rfkill rfkill: gpio: fix memory leak in probe error path 2018-05-16 10:06:51 +02:00
rose net: rose: fix a possible stack overflow 2019-04-03 06:23:25 +02:00
rxrpc rxrpc: check return value of skb_to_sgvec always 2018-04-13 19:50:23 +02:00
sched net_sched: let qdisc_put() accept NULL pointer 2019-09-21 07:12:54 +02:00
sctp sctp: use transport pf_retrans in sctp_do_8_2_transport_strike 2019-09-21 07:12:40 +02:00
sunrpc sunrpc: don't mark uninitialised items as VALID. 2019-05-16 19:44:44 +02:00
switchdev switchdev: pass pointer to fib_info instead of copy 2016-06-24 10:18:16 -07:00
tipc tipc: add NULL pointer check before calling kfree_rcu 2019-09-21 07:12:41 +02:00
unix missing barriers in some of unix_sock ->addr and ->path accesses 2019-03-23 08:44:31 +01:00
vmw_vsock vsock: cope with memory allocation failure at socket creation time 2019-02-23 09:05:13 +01:00
wimax net:wimax: Fix doucble word "the the" in networking.xml 2015-08-09 22:43:52 -07:00
wireless Revert "cfg80211: fix processing world regdomain when non modular" 2019-09-06 10:18:17 +02:00
x25 net/x25: fix a race in x25_bind() 2019-03-23 08:44:30 +01:00
xfrm xfrm: clean up xfrm protocol checks 2019-09-16 08:13:35 +02:00
compat.c sock: Make sock->sk_stamp thread-safe 2019-01-13 10:05:28 +01:00
Kconfig Make DST_CACHE a silent config option 2018-02-25 11:03:37 +01:00
Makefile net: Introduce L3 Master device abstraction 2015-09-29 20:40:32 -07:00
socket.c sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names 2019-03-23 08:44:21 +01:00
sysctl_net.c net: Use ns_capable_noaudit() when determining net sysctl permissions 2016-09-15 08:27:50 +02:00