korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-15 00:04:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
24a9981ee9
linux/net/rxrpc
History
Tim Smith 24a9981ee9 af_rxrpc: Avoid setting up double-free on checksum error 
skb_kill_datagram() does not dequeue the skb when MSG_PEEK is unset.
This leaves a free'd skb on the queue, resulting a double-free later.

Without this, the following oops can occur:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffff8154fcf7>] skb_dequeue+0x47/0x70
PGD 0
Oops: 0002 [#1] SMP
Modules linked in: af_rxrpc ...
CPU: 0 PID: 1191 Comm: listen Not tainted 3.12.0+ #4
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff8801183536b0 ti: ffff880035c92000 task.ti: ffff880035c92000
RIP: 0010:[<ffffffff8154fcf7>] skb_dequeue+0x47/0x70
RSP: 0018:ffff880035c93db8  EFLAGS: 00010097
RAX: 0000000000000246 RBX: ffff8800d2754b00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8800d254c084
RBP: ffff880035c93dd0 R08: ffff880035c93cf0 R09: ffff8800d968f270
R10: 0000000000000000 R11: 0000000000000293 R12: ffff8800d254c070
R13: ffff8800d254c084 R14: ffff8800cd861240 R15: ffff880119b39720
FS:  00007f37a969d740(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000008 CR3: 00000000d4413000 CR4: 00000000000006f0
Stack:
 ffff8800d254c000 ffff8800d254c070 ffff8800d254c2c0 ffff880035c93df8
 ffffffffa041a5b8 ffff8800cd844c80 ffffffffa04385a0 ffff8800cd844cb0
 ffff880035c93e18 ffffffff81546cef ffff8800d45fea00 0000000000000008
Call Trace:
 [<ffffffffa041a5b8>] rxrpc_release+0x128/0x2e0 [af_rxrpc]
 [<ffffffff81546cef>] sock_release+0x1f/0x80
 [<ffffffff81546d62>] sock_close+0x12/0x20
 [<ffffffff811aaba1>] __fput+0xe1/0x230
 [<ffffffff811aad3e>] ____fput+0xe/0x10
 [<ffffffff810862cc>] task_work_run+0xbc/0xe0
 [<ffffffff8106a3be>] do_exit+0x2be/0xa10
 [<ffffffff8116dc47>] ? do_munmap+0x297/0x3b0
 [<ffffffff8106ab8f>] do_group_exit+0x3f/0xa0
 [<ffffffff8106ac04>] SyS_exit_group+0x14/0x20
 [<ffffffff8166b069>] system_call_fastpath+0x16/0x1b


Signed-off-by: Tim Smith <tim@electronghost.co.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
2014-01-26 11:45:04 +00:00
..
af_rxrpc.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
ar-accept.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ar-ack.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
ar-call.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
ar-connection.c RxRPC: do not unlock unheld spinlock in rxrpc_connect_exclusive() 2014-01-26 11:39:51 +00:00
ar-connevent.c rxrpc: Kill set but unused variable 'sp' in rxrpc_process_connection() 2011-05-19 18:35:58 -04:00
ar-error.c ipv4: Kill ip_rt_frag_needed(). 2012-06-11 02:08:59 -07:00
ar-input.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
ar-internal.h net: misc: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
ar-key.c Merge branch 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux 2012-10-14 13:39:34 -07:00
ar-local.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ar-output.c net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
ar-peer.c net/rxrpc/ar-peer.c: remove invalid reference to list iterator variable 2012-07-09 15:24:33 -07:00
ar-proc.c net: replace NIPQUAD() in net/*/ 2008-10-31 00:54:56 -07:00
ar-recvmsg.c af_rxrpc: Avoid setting up double-free on checksum error 2014-01-26 11:45:04 +00:00
ar-security.c RxRPC: Allow key payloads to be passed in XDR form 2009-09-15 02:44:23 -07:00
ar-skbuff.c [AF_RXRPC]: Add an interface to the AF_RXRPC module for the AFS filesystem to use 2007-04-26 15:50:17 -07:00
ar-transport.c rxrpc: Fix set but unused variable 'usage' in rxrpc_get_transport() 2011-05-19 18:51:50 -04:00
Kconfig net/rxrpc: remove depends on CONFIG_EXPERIMENTAL 2013-01-11 11:40:02 -08:00
Makefile Net: rxrpc: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:15 -08:00
rxkad.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00