udp: must lock the socket in udp_disconnect()
Baozeng Ding reported KASAN traces showing uses after free in udp_lib_get_port() and other related UDP functions. A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash. I could write a reproducer with two threads doing : static int sock_fd; static void *thr1(void *arg) { for (;;) { connect(sock_fd, (const struct sockaddr *)arg, sizeof(struct sockaddr_in)); } } static void *thr2(void *arg) { struct sockaddr_in unspec; for (;;) { memset(&unspec, 0, sizeof(unspec)); connect(sock_fd, (const struct sockaddr *)&unspec, sizeof(unspec)); } } Problem is that udp_disconnect() could run without holding socket lock, and this was causing list corruptions. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Baozeng Ding <sploving1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
committed by
David S. Miller
parent
2399d6143f
commit
286c72deab
@ -1241,7 +1241,7 @@ struct proto rawv6_prot = {
|
||||
.close = rawv6_close,
|
||||
.destroy = raw6_destroy,
|
||||
.connect = ip6_datagram_connect_v6_only,
|
||||
.disconnect = udp_disconnect,
|
||||
.disconnect = __udp_disconnect,
|
||||
.ioctl = rawv6_ioctl,
|
||||
.init = rawv6_init_sk,
|
||||
.setsockopt = rawv6_setsockopt,
|
||||
|
Reference in New Issue
Block a user