From: Eric Dumazet <eric.duma...@gmail.com>
Date: Thu, 20 Oct 2016 09:39:40 -0700
> From: Eric Dumazet <eduma...@google.com>
>
> Baozeng Ding reported KASAN traces showing uses after free in
> udp_lib_get_port() and other related UDP functions.
>
> A CONFIG_DEBUG_PAGEALLOC=y kernel would eventually crash.
>
> I could write a reproducer with two threads doing :
>
> static int sock_fd;
> static void *thr1(void *arg)
> {
>     for (;;) {
>         connect(sock_fd, (const struct sockaddr *)arg,
>                 sizeof(struct sockaddr_in));
>     }
> }
>
> static void *thr2(void *arg)
> {
>     struct sockaddr_in unspec;
>
>     for (;;) {
>         memset(&unspec, 0, sizeof(unspec));
>         connect(sock_fd, (const struct sockaddr *)&unspec,
>                 sizeof(unspec));
>     }
> }
>
> Problem is that udp_disconnect() could run without holding socket lock,
> and this was causing list corruptions.
>
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Baozeng Ding <splovi...@gmail.com>

Applied, sounds like I should queue this up for -stable too right?