Re: [PATCH net] net: socket: set sock->sk to NULL after calling proto_ops::release()

From: David Miller
Date: Mon Feb 25 2019 - 13:41:59 EST

Next message: Mike Rapoport: "Re: [PATCH v2 18/26] khugepaged: skip collapse if uffd-wp detected"
Previous message: Tony Krowiak: "Re: [PATCH v4 1/7] s390: ap: kvm: add PQAP interception for AQIC"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Biggers <ebiggers@xxxxxxxxxx>
Date: Thu, 21 Feb 2019 14:13:56 -0800

> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Commit 9060cb719e61 ("net: crypto set sk to NULL when af_alg_release.")
> fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is
> closed concurrently with fchownat(). However, it ignored that many
> other proto_ops::release() methods don't set sock->sk to NULL and
> therefore allow the same use-after-free:
...
> Rather than fixing all these and relying on every socket type to get
> this right forever, just make __sock_release() set sock->sk to NULL
> itself after calling proto_ops::release().
>
> Reproducer that produces the KASAN splat when any of these socket types
> are configured into the kernel:
...
> Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>

Applied and queued up for -stable, thanks Eric.

Next message: Mike Rapoport: "Re: [PATCH v2 18/26] khugepaged: skip collapse if uffd-wp detected"
Previous message: Tony Krowiak: "Re: [PATCH v4 1/7] s390: ap: kvm: add PQAP interception for AQIC"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]