Re: BUG: use-after-free in netlink_dump

2016-05-16 Thread David Miller
From: Herbert Xu
Date: Mon, 16 May 2016 17:28:16 +0800
> Subject: netlink: Fix dump skb leak/double free
>
> When we free cb->skb after a dump, we do it after releasing the
> lock. This means that a new dump could have started in the time
> being and we'll end up freeing their skb instead of ou

Re: BUG: use-after-free in netlink_dump

2016-05-16 Thread Cong Wang
On Mon, May 16, 2016 at 2:28 AM, Herbert Xu wrote:
> On Sun, May 15, 2016 at 12:06:46PM -0700, Cong Wang wrote:
>>
>> Similar to what Richard reported, I think the problem is cb->skb,
>> which is exposed to other thread since cb is per netlink socket
>> (cb = &nlk->cb). IOW, the cb->skb is freed b

Re: BUG: use-after-free in netlink_dump

2016-05-16 Thread Herbert Xu
On Sun, May 15, 2016 at 12:06:46PM -0700, Cong Wang wrote:
>
> Similar to what Richard reported, I think the problem is cb->skb,
> which is exposed to other thread since cb is per netlink socket
> (cb = &nlk->cb). IOW, the cb->skb is freed by one thread at the
> end of netlink_dump() meanwhile the

Re: BUG: use-after-free in netlink_dump

2016-05-15 Thread Cong Wang
On Sun, May 15, 2016 at 8:24 AM, Baozeng Ding wrote:
> Hi all,
> I've got the following report (use-after-free in netlink_dump) while running
> syzkaller.
> Unfortunately no reproducer. The kernel version is 4.6.0-rc2+.
...
> Call Trace:
> [< inline >] __dump_stack lib/dump_stack.c:15
> [

BUG: use-after-free in netlink_dump

2016-05-15 Thread Baozeng Ding
Hi all,
I've got the following report (use-after-free in netlink_dump) while running syzkaller. Unfortunately no reproducer. The kernel version is 4.6.0-rc2+.
== BUG: KASAN: use-after-free in netlink_dump+0x4eb/0xa40 at addr 88