Merge branch 'do-not-leave-dangling-sk-pointers-in-pf-create-functions'
Ignat Korchagin says:

====================
do not leave dangling sk pointers in pf->create functions

Some protocol family create() implementations have an error path after allocating the sk object and calling sock_init_data(). sock_init_data() attaches the allocated sk object to the sock object, provided by the caller. If the create() implementation errors out after calling sock_init_data(), it releases the allocated sk object, but the caller ends up having a dangling sk pointer in its sock object on return. Subsequent manipulations on this sock object may try to access the sk pointer, because it is not NULL, thus creating a use-after-free scenario.

We have implemented a stable hotfix in commit 63108314 ("net: explicitly clear the sk pointer, when pf->create fails"), but this series aims to fix it properly by going through each of the pf->create() implementations and making sure they all don't return a sock object with a dangling pointer on error.
====================

Link: https://patch.msgid.link/20241014153808.51894-1-ignat@cloudflare.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
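The error-path pattern the cover letter describes, modelled as an added user-space example (not code from this series or from the kernel): `sock_init_data_mock()` stands in for sock_init_data(), the struct names are simplified stand-ins, and `fail_late` simulates a check that fails after the sk has been allocated.

```c
/* Added example: user-space mock of the pf->create() error path; not kernel code. */
#include <errno.h>
#include <stdlib.h>

struct sk_mock { int proto; };               /* stands in for struct sock */
struct socket_mock { struct sk_mock *sk; };  /* stands in for struct socket */

/* The one effect of sock_init_data() that matters here: attach sk to sock. */
static void sock_init_data_mock(struct socket_mock *sock, struct sk_mock *sk)
{
	sock->sk = sk;
}

/* Buggy shape: fail after sock_init_data(), free sk, but leave sock->sk
 * pointing at freed memory, so the caller sees a non-NULL, dangling sk. */
static int create_buggy(struct socket_mock *sock, int fail_late)
{
	struct sk_mock *sk = malloc(sizeof(*sk));
	if (!sk)
		return -ENOMEM;
	sock_init_data_mock(sock, sk);
	if (fail_late) {
		free(sk);        /* sk_free() in the kernel; sock->sk is now stale */
		return -EINVAL;
	}
	return 0;
}

/* Fixed shape: one of the two remedies, running the checks that can fail
 * before sock_init_data() (the other is clearing sock->sk before freeing). */
static int create_fixed(struct socket_mock *sock, int fail_late)
{
	struct sk_mock *sk = malloc(sizeof(*sk));
	if (!sk)
		return -ENOMEM;
	if (fail_late) {
		free(sk);        /* nothing was attached, so nothing dangles */
		return -EINVAL;
	}
	sock_init_data_mock(sock, sk);
	return 0;
}

/* Caller-side check: after a failed create(), does sock still hold an sk? */
static int leaves_dangling(int (*create)(struct socket_mock *, int))
{
	struct socket_mock sock = { .sk = NULL };
	return create(&sock, 1) < 0 && sock.sk != NULL;
}
```

`leaves_dangling()` is the invariant the series restores for each family: a failed create() must hand back a socket whose sk is NULL.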
Showing 9 changed files:
- net/bluetooth/l2cap_sock.c: 1 addition, 0 deletions
- net/bluetooth/rfcomm/sock.c: 5 additions, 5 deletions
- net/can/af_can.c: 1 addition, 0 deletions
- net/core/sock.c: 0 additions, 3 deletions
- net/ieee802154/socket.c: 7 additions, 5 deletions
- net/ipv4/af_inet.c: 10 additions, 12 deletions
- net/ipv6/af_inet6.c: 10 additions, 12 deletions
- net/packet/af_packet.c: 6 additions, 6 deletions
- net/socket.c: 2 additions, 2 deletions