diff options
| author | Eric Dumazet <edumazet@google.com> | 2016-10-20 09:39:40 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-10-20 14:45:52 -0400 |
| commit | 286c72deabaa240b7eebbd99496ed3324d69f3c0 (patch) | |
| tree | 00a0b07bfc20b08a025720c4c1b3c724ed4eaf67 /include/net/udp.h | |
| parent | 2399d6143f85b155ae84ccd94237befd36b8f6c7 (diff) | |
| download | linux-286c72deabaa240b7eebbd99496ed3324d69f3c0.tar.gz | |
udp: must lock the socket in udp_disconnect()
Baozeng Ding reported KASAN traces showing uses after free in
udp_lib_get_port() and other related UDP functions.
A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash.
I could write a reproducer with two threads doing :
static int sock_fd;
static void *thr1(void *arg)
{
for (;;) {
connect(sock_fd, (const struct sockaddr *)arg,
sizeof(struct sockaddr_in));
}
}
static void *thr2(void *arg)
{
struct sockaddr_in unspec;
for (;;) {
memset(&unspec, 0, sizeof(unspec));
connect(sock_fd, (const struct sockaddr *)&unspec,
sizeof(unspec));
}
}
Problem is that udp_disconnect() could run without holding socket lock,
and this was causing list corruptions.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net/udp.h')
| -rw-r--r-- | include/net/udp.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/udp.h b/include/net/udp.h index ea53a87d880f..4948790d393d 100644 --- a/include/net/udp.h +++ b/include/net/udp.h @@ -258,6 +258,7 @@ void udp_flush_pending_frames(struct sock *sk); void udp4_hwcsum(struct sk_buff *skb, __be32 src, __be32 dst); int udp_rcv(struct sk_buff *skb); int udp_ioctl(struct sock *sk, int cmd, unsigned long arg); +int __udp_disconnect(struct sock *sk, int flags); int udp_disconnect(struct sock *sk, int flags); unsigned int udp_poll(struct file *file, struct socket *sock, poll_table *wait); struct sk_buff *skb_udp_tunnel_segment(struct sk_buff *skb, |