linux/net
Ignat Korchagin daf462ff3c net: explicitly clear the sk pointer, when pf->create fails
commit 6310831433 upstream.

We have recently noticed the exact same KASAN splat as in commit
6cd4a78d96 ("net: do not leave a dangling sk pointer, when socket
creation fails"). The problem is that commit did not fully address the
problem, as some pf->create implementations do not use sk_common_release
in their error paths.

For example, we can use the same reproducer as in the above commit, but
changing ping to arping. arping uses AF_PACKET socket and if packet_create
fails, it will just sk_free the allocated sk object.

While we could chase all the pf->create implementations and make sure they
NULL the freed sk object on error from the socket, we can't guarantee
future protocols will not make the same mistake.

So it is easier to just explicitly NULL the sk pointer upon return from
pf->create in __sock_create. We do know that pf->create always releases the
allocated sk object on error, so if the pointer is not NULL, it is
definitely dangling.

Fixes: 6cd4a78d96 ("net: do not leave a dangling sk pointer, when socket creation fails")
Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
Cc: stable@vger.kernel.org
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241003170151.69445-1-ignat@cloudflare.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-17 15:12:00 +02:00
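The pattern the commit describes, as an added user-space model rather than the kernel's own code: a protocol `create` callback that frees `sk` on its error path without clearing `sock->sk` (the packet_create case), a pre-fix caller that trusts each callback to clean up, and a caller modelled on the fix that clears `sock->sk` itself whenever `pf->create` returns an error. The `struct sock`/`struct socket` layouts, the `demo_*` names and the forced-failure flag are assumptions for the demo; the real change lives in `__sock_create` in net/socket.c.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel's struct sock / struct socket.
 * These layouts are assumptions for the demo, not the real definitions. */
struct sock {
    int protocol;
};

struct socket {
    struct sock *sk;
};

/* Model of a pf->create implementation with the flaw the commit message
 * describes: on failure it frees sk but leaves sock->sk pointing at the
 * freed object. 'fail' forces the error path so the demo is deterministic. */
static int demo_proto_create(struct socket *sock, int protocol, int fail)
{
    struct sock *sk = calloc(1, sizeof(*sk));

    if (!sk)
        return -ENOMEM;
    sk->protocol = protocol;
    sock->sk = sk;                 /* what sock_init_data() does for the real sk */

    if (fail) {
        free(sk);                  /* sk_free() analogue: sock->sk now dangles */
        return -EINVAL;
    }
    return 0;
}

/* Pre-fix caller: trusts every pf->create to clean up sock->sk itself. */
static int demo_sock_create_old(struct socket *sock, int protocol, int fail)
{
    sock->sk = NULL;
    return demo_proto_create(sock, protocol, fail);
}

/* Caller modelled on the fix: pf->create always releases sk on error, so
 * whatever it left in sock->sk after a failure is dangling and is cleared
 * here, independent of how the individual protocol handles it. */
static int demo_sock_create_new(struct socket *sock, int protocol, int fail)
{
    int err;

    sock->sk = NULL;
    err = demo_proto_create(sock, protocol, fail);
    if (err < 0)
        sock->sk = NULL;
    return err;
}

/* A stale non-NULL sock->sk after a failed create is exactly what a later
 * consumer of the socket would dereference. Returns 1 if the caller left one. */
static int demo_left_dangling(const struct socket *sock, int err)
{
    return err < 0 && sock->sk != NULL;
}

/* Run one create attempt; returns 1 if it leaves a dangling sk, else 0.
 * On the success path the sk is released normally so the demo does not leak. */
static int demo_attempt(int use_fix, int fail)
{
    struct socket sock = { .sk = NULL };
    int err = use_fix ? demo_sock_create_new(&sock, 17, fail)
                      : demo_sock_create_old(&sock, 17, fail);
    int dangling = demo_left_dangling(&sock, err);

    if (err == 0) {
        free(sock.sk);             /* normal release on the success path */
        sock.sk = NULL;
    }
    return dangling;
}

int main(void)
{
    /* old caller + failing create leaves a dangling pointer;
     * new caller never does, whether create fails or succeeds. */
    return (demo_attempt(0, 1) == 1 && demo_attempt(1, 1) == 0 &&
            demo_attempt(1, 0) == 0) ? 0 : 1;
}
```

The point the model makes is the one the commit argues: the invariant "sock->sk is NULL after a failed create" is enforced once at the call site, so a future protocol that also forgets to clear the pointer on its error path cannot reintroduce the dangling reference.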
6lowpan
9p net/9p: fix uninit-value in p9_client_rpc() 2024-06-16 13:39:58 +02:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:14:42 +01:00
8021q gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers 2024-09-12 11:07:47 +02:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2023-12-20 15:17:37 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2023-12-20 15:17:35 +01:00
ax25 net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg 2022-06-22 14:22:01 +02:00
batman-adv batman-adv: Don't accept TT entries for out-of-spec VIDs 2024-07-05 09:14:49 +02:00
bluetooth Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change 2024-10-17 15:11:54 +02:00
bpf bpf: Set run context for rawtp test_run callback 2024-07-05 09:14:06 +02:00
bpfilter
bridge netfilter: br_netfilter: fix panic with metadata_dst skb 2024-10-17 15:11:54 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:48:54 +01:00
can can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). 2024-10-17 15:10:46 +02:00
ceph libceph: fix race between delayed_work() and ceph_monc_stop() 2024-07-18 13:07:42 +02:00
core rtnetlink: Add bulk registration helpers for rtnetlink message handlers. 2024-10-17 15:11:57 +02:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-11 15:13:53 +02:00
dccp Fix race for duplicate reqsk on identical SYN 2024-07-05 09:14:41 +02:00
dns_resolver keys, dns: Fix size check of V1 server-list header 2024-01-25 14:52:46 -08:00
dsa net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT 2024-06-16 13:39:54 +02:00
ethernet gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers 2024-09-12 11:07:47 +02:00
ethtool ethtool: check device is present when getting link settings 2024-09-04 13:23:40 +02:00
hsr hsr: Handle failures in module init 2024-03-26 18:21:36 -04:00
ieee802154 net: drop nopreempt requirement on sock_prot_inuse_add() 2024-07-05 09:14:08 +02:00
ife net: sched: ife: fix potential use-after-free 2024-01-05 15:13:29 +01:00
ipv4 netfilter: fib: check correct rtable in vrf setups 2024-10-17 15:11:57 +02:00
ipv6 netfilter: fib: check correct rtable in vrf setups 2024-10-17 15:11:57 +02:00
iucv s390/iucv: fix receive buffer virtual vs physical address confusion 2024-09-04 13:23:27 +02:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-09-04 13:23:32 +02:00
key net: af_key: fix sadb_x_filter validation 2023-08-26 14:23:32 +02:00
l2tp l2tp: fix lockdep splat 2024-08-19 05:45:36 +02:00
l3mdev net: Add l3mdev index to flow struct and avoid oif reset for port devices 2024-10-17 15:11:57 +02:00
lapb
llc llc: call sock_orphan() at release time 2024-02-23 08:54:54 +01:00
mac80211 wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() 2024-10-17 15:10:46 +02:00
mac802154 net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() 2024-07-27 10:46:13 +02:00
mctp mctp: Handle error of rtnl_register_module(). 2024-10-17 15:11:57 +02:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:57:09 +01:00
mptcp mptcp: pm: Fix uaf in __timer_delete_sync 2024-10-17 15:10:34 +02:00
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-07-05 09:14:06 +02:00
netfilter netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:11:56 +02:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2024-01-25 14:52:33 -08:00
netlink netlink: hold nlk->cb_mutex longer in __netlink_dump_start() 2024-09-04 13:23:25 +02:00
netrom netrom: Fix a memory leak in nr_heartbeat_expiry() 2024-07-05 09:14:29 +02:00
nfc nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() 2024-06-16 13:39:48 +02:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-05-17 11:50:48 +02:00
openvswitch openvswitch: Set the skbuff pkt_type for proper pmtud support. 2024-06-16 13:39:47 +02:00
packet af_packet: Handle outgoing VLAN packets without hardware offloading 2024-08-19 05:45:11 +02:00
phonet phonet: fix rtm_phonet_notify() skb allocation 2024-05-17 11:50:58 +02:00
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-13 18:36:37 +01:00
qrtr net: qrtr: Update packets cloning when broadcasting 2024-10-17 15:11:08 +02:00
rds net:rds: Fix possible deadlock in rds_message_put 2024-09-04 13:23:39 +02:00
rfkill net: rfkill: gpio: set GPIO direction 2024-01-05 15:13:34 +01:00
rose net/rose: fix races in rose_kill_by_device() 2024-01-05 15:13:29 +01:00
rxrpc rxrpc: Fix response to PING RESPONSE ACKs to a dead call 2024-02-23 08:54:58 +01:00
sched net/sched: accept TCA_STAB only for root qdisc 2024-10-17 15:11:56 +02:00
sctp sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start 2024-10-17 15:11:56 +02:00
smc net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined 2024-08-19 05:44:56 +02:00
strparser
sunrpc net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket 2024-09-12 11:07:53 +02:00
switchdev
tipc tipc: guard against string buffer overrun 2024-10-17 15:11:26 +02:00
tls tls: fix race between tx work scheduling and socket close 2024-08-19 05:45:49 +02:00
unix af_unix: Remove put_pid()/put_cred() in copy_peercred(). 2024-09-12 11:07:45 +02:00
vmw_vsock virtio/vsock: fix logic which reduces credit update messages 2024-01-25 14:52:38 -08:00
wireless wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors 2024-10-17 15:10:45 +02:00
x25 net/x25: fix incorrect parameter validation in the x25_getsockopt() function 2024-03-26 18:21:23 -04:00
xdp net: drop nopreempt requirement on sock_prot_inuse_add() 2024-07-05 09:14:08 +02:00
xfrm net: fix __dst_negative_advice() race 2024-06-16 13:39:59 +02:00
compat.c
devres.c
Kconfig Remove DECnet support from kernel 2023-06-21 15:59:15 +02:00
Makefile Remove DECnet support from kernel 2023-06-21 15:59:15 +02:00
socket.c net: explicitly clear the sk pointer, when pf->create fails 2024-10-17 15:12:00 +02:00
sysctl_net.c