summaryrefslogtreecommitdiffstats
path: root/net/ipv6/ping.c
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2016-10-20 18:39:40 +0200
committerDavid S. Miller <davem@davemloft.net>2016-10-20 20:45:52 +0200
commit286c72deabaa240b7eebbd99496ed3324d69f3c0 (patch)
tree00a0b07bfc20b08a025720c4c1b3c724ed4eaf67 /net/ipv6/ping.c
parentnet: dsa: bcm_sf2: Prevent GPHY shutdown for kexec'd kernels (diff)
downloadlinux-286c72deabaa240b7eebbd99496ed3324d69f3c0.tar.xz
linux-286c72deabaa240b7eebbd99496ed3324d69f3c0.zip
udp: must lock the socket in udp_disconnect()
Baozeng Ding reported KASAN traces showing uses after free in udp_lib_get_port() and other related UDP functions. A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash. I could write a reproducer with two threads doing : static int sock_fd; static void *thr1(void *arg) { for (;;) { connect(sock_fd, (const struct sockaddr *)arg, sizeof(struct sockaddr_in)); } } static void *thr2(void *arg) { struct sockaddr_in unspec; for (;;) { memset(&unspec, 0, sizeof(unspec)); connect(sock_fd, (const struct sockaddr *)&unspec, sizeof(unspec)); } } Problem is that udp_disconnect() could run without holding socket lock, and this was causing list corruptions. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Baozeng Ding <sploving1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/ping.c')
-rw-r--r--net/ipv6/ping.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index 0e983b694ee8..66e2d9dfc43a 100644
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -180,7 +180,7 @@ struct proto pingv6_prot = {
.init = ping_init_sock,
.close = ping_close,
.connect = ip6_datagram_connect_v6_only,
- .disconnect = udp_disconnect,
+ .disconnect = __udp_disconnect,
.setsockopt = ipv6_setsockopt,
.getsockopt = ipv6_getsockopt,
.sendmsg = ping_v6_sendmsg,