From: Cong Wang
Date: Mon, 12 Jun 2017 09:52:26 -0700
> Andrey reported a use-after-free in add_grec():
>
> for (psf = *psf_list; psf; psf = psf_next) {
> ...
> psf_next = psf->sf_next;
>
> where the struct ip_sf_list's were already freed by:
>
> kfree+0x
On Tue, Jun 13, 2017 at 2:35 AM, Cong Wang wrote:
> On Mon, Jun 12, 2017 at 11:30 AM, Xin Long wrote:
>> Hi, Cong.
>>
>> how about in ip_check_mc_rcu():
>> for (psf = im->sources; psf; psf = psf->sf_next) {
>>         if (psf->sf_inaddr == src_addr)
>>                 br
On Mon, Jun 12, 2017 at 11:30 AM, Xin Long wrote:
> Hi, Cong.
>
> how about in ip_check_mc_rcu():
> for (psf = im->sources; psf; psf = psf->sf_next) {
>         if (psf->sf_inaddr == src_addr)
>                 break;
> }
>
> I didn't see spinlock for it, is it s
On Tue, Jun 13, 2017 at 12:52 AM, Cong Wang wrote:
> Andrey reported a use-after-free in add_grec():
>
> for (psf = *psf_list; psf; psf = psf_next) {
> ...
> psf_next = psf->sf_next;
>
> where the struct ip_sf_list's were already freed by:
>
> kfree+0xe8/0x
Andrey reported a use-after-free in add_grec():
for (psf = *psf_list; psf; psf = psf_next) {
        ...
        psf_next = psf->sf_next;
where the struct ip_sf_list's were already freed by:
kfree+0xe8/0x2b0 mm/slub.c:3882
ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078