    udp: must lock the socket in udp_disconnect() · 286c72de
    Eric Dumazet authored
    Baozeng Ding reported KASAN traces showing uses after free in
    udp_lib_get_port() and other related UDP functions.
    
    A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash.
    
    I could write a reproducer with two threads doing:
    
    #include <netinet/in.h>
    #include <string.h>
    #include <sys/socket.h>
    
    static int sock_fd;	/* one UDP socket shared by both threads */
    
    /* Thread 1: keep connecting the socket to the address passed in arg. */
    static void *thr1(void *arg)
    {
    	for (;;) {
    		connect(sock_fd, (const struct sockaddr *)arg,
    			sizeof(struct sockaddr_in));
    	}
    }
    
    /* Thread 2: keep connecting the same socket to an all-zero address
     * (sa_family == AF_UNSPEC), which is the path into udp_disconnect(). */
    static void *thr2(void *arg)
    {
    	struct sockaddr_in unspec;
    
    	for (;;) {
    		memset(&unspec, 0, sizeof(unspec));
    		connect(sock_fd, (const struct sockaddr *)&unspec,
    			sizeof(unspec));
    	}
    }
    
    The problem is that udp_disconnect() could run without holding the socket lock,
    and this was causing list corruptions.
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Baozeng Ding <sploving1@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
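The reproducer in the commit message races a locked connect() path against a disconnect path that did not take the socket lock. As an added illustration (not the kernel's code and not this commit's diff), the user-space C model below stands a mutex in for lock_sock(), hashes a socket model on connect and unhashes it on disconnect, runs the two reproducer threads against it, and then checks the hash-chain invariant; all names (model_sock, model_connect, model_disconnect, table_consistent, run_reproducer) are invented for this example, and linking assumes a libc with built-in pthreads.

```c
/* Added user-space model of the race in the commit message; it is not kernel
 * code. A tiny hash table stands in for the UDP port table; model_connect()
 * and model_disconnect() stand in for connect() and connect(AF_UNSPEC). */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#define NBUCKETS 4
struct model_sock { struct model_sock *next; int bucket; }; /* bucket -1 = unhashed */
static struct model_sock *table[NBUCKETS]; static struct model_sock sk0 = { NULL, -1 };
static pthread_mutex_t sock_lock = PTHREAD_MUTEX_INITIALIZER; /* lock_sock() stand-in */
static bool disconnect_takes_lock = true; /* false models the pre-fix disconnect path */
static void unhash(struct model_sock *sk)   /* drop sk from its hash chain */
{
    if (sk->bucket < 0) return;
    for (struct model_sock **pp = &table[sk->bucket]; *pp; pp = &(*pp)->next)
        if (*pp == sk) { *pp = sk->next; break; }
    sk->bucket = -1;
}
void model_connect(struct model_sock *sk, int port) /* connect(): always locked */
{
    pthread_mutex_lock(&sock_lock);
    unhash(sk);
    sk->bucket = port % NBUCKETS;
    sk->next = table[sk->bucket];
    table[sk->bucket] = sk;
    pthread_mutex_unlock(&sock_lock);
}
void model_disconnect(struct model_sock *sk) /* udp_disconnect(): the fix locks here too */
{
    if (disconnect_takes_lock) pthread_mutex_lock(&sock_lock);
    unhash(sk);
    if (disconnect_takes_lock) pthread_mutex_unlock(&sock_lock);
}
/* Invariant: sk is linked in exactly its claimed bucket, or nowhere if unhashed. */
bool table_consistent(const struct model_sock *sk)
{
    int hits = 0;
    for (int b = 0; b < NBUCKETS; b++)
        for (const struct model_sock *p = table[b]; p; p = p->next)
            if (p == sk) hits += (b == sk->bucket) ? 1 : 1000;
    return sk->bucket < 0 ? hits == 0 : hits == 1;
}
static void *thr_connect(void *a) { for (int i = 0; i < 20000; i++) model_connect(&sk0, i); return a; }
static void *thr_disconnect(void *a) { for (int i = 0; i < 20000; i++) model_disconnect(&sk0); return a; }
/* Run both reproducer threads, then check the invariant; unlocked runs may corrupt or spin. */
bool run_reproducer(bool locked)
{
    pthread_t t1, t2; disconnect_takes_lock = locked;
    pthread_create(&t1, NULL, thr_connect, NULL);
    pthread_create(&t2, NULL, thr_disconnect, NULL);
    pthread_join(t1, NULL); pthread_join(t2, NULL);
    return table_consistent(&sk0);
}
```

Only the locked variant is worth asserting on: with the mutex taken in both paths the chain stays consistent no matter how the threads interleave, which is the property the missing lock_sock() broke.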