On Thu, Nov 30, 2017 at 4:46 PM, Al Viro wrote:
> On Thu, Nov 30, 2017 at 05:18:33AM -0800, Christoph Hellwig wrote:
>> On Thu, Nov 30, 2017 at 02:07:19AM +, Al Viro wrote:
>> > Incidentally, grepping for sys_close() shows another piece of fun in
>> > net/netfilter/xt_bpf.c. Folks, ONCE DESCR
On Thu, Nov 30, 2017 at 05:18:33AM -0800, Christoph Hellwig wrote:
> On Thu, Nov 30, 2017 at 02:07:19AM +, Al Viro wrote:
> > Incidentally, grepping for sys_close() shows another piece of fun in
> > net/netfilter/xt_bpf.c. Folks, ONCE DESCRIPTOR IS INSTALLED, THAT'S
> > IT; THERE'S NO REMOVING
On Thu, Nov 30, 2017 at 02:07:19AM +, Al Viro wrote:
> Incidentally, grepping for sys_close() shows another piece of fun in
> net/netfilter/xt_bpf.c. Folks, ONCE DESCRIPTOR IS INSTALLED, THAT'S
> IT; THERE'S NO REMOVING IT ON FAILURE EXITS. sys_close() should
> never, ever be used that way.
On Thu, Nov 30, 2017 at 02:07:19AM +, Al Viro wrote:
> FWIW, looking through the callers of sock_alloc_file()... we might be
> better off if it did sock_release() on failure. Then the calling
> conventions become "sock_alloc_file() means not calling sock_release()
> directly - either it'll be
On Wed, Nov 29, 2017 at 11:37:04AM -0800, Cong Wang wrote:
> > Allocated by task 31066:
> > save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> > set_track mm/kasan/kasan.c:459 [inline]
> > kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
> > kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3613
> > kmalloc
On Wed, Nov 29, 2017 at 12:24:55PM -0800, Linus Torvalds wrote:
> Ugh. The inode freeing really is confusing and fairly involved, but
> the last free *should* happen as part of the final dput() that is done
> at the end of __fput().
Note that struct socket is coallocated with its inode. _Normally
On Wed, 2017-11-29 at 11:37 -0800, Cong Wang wrote:
> (Cc'ing fs people...)
>
> On Wed, Nov 29, 2017 at 12:33 AM, syzbot wrote:
> > Hello,
> >
> > syzkaller hit the following crash on
> > 1d3b78bbc6e983fabb3fbf91b76339bf66e4a12c
> > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
On Wed, Nov 29, 2017 at 11:37 AM, Cong Wang wrote:
> (Cc'ing fs people...)
>
> On Wed, Nov 29, 2017 at 12:33 AM, syzbot wrote:
>> BUG: KASAN: use-after-free in sock_release+0x1c6/0x1e0 net/socket.c:601
Lovely.
Yeah, that is:
601 if (rcu_dereference_protected(sock->wq, 1)->fasync_lis
(Cc'ing fs people...)
On Wed, Nov 29, 2017 at 12:33 AM, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 1d3b78bbc6e983fabb3fbf91b76339bf66e4a12c
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
>