Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
447,341 Commits 1 Branch 0 Tags 1.5 GiB
Commit Graph

6 Commits

Author SHA1 Message Date
Sharath Chandra Vurukala a84417e849 net: sockev: avoid races between sockev and socket_close 
Use-after-free is seen when sending a sockev netlink message
since socket is not held which can race with sk_free.

KASAN: use-after-free in sockev_client_cb+0x41c/0x4b8
	in net/core/sockev_nlmcast.c:104
Read of size 2 at addr ffffffc08420c550
Call trace:
dump_backtrace+0x0/0x388 arch/arm64/kernel/time.c:55
show_stack+0x24/0x30 arch/arm64/kernel/traps.c:152
__dump_stack+0x24/0x2c lib/dump_stack.c:17
dump_stack+0x8c/0xd0 lib/dump_stack.c:53
print_address_description+0x74/0x234 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x240/0x264 mm/kasan/report.c:412
__asan_report_load2_noabort+0x2c/0x38 mm/kasan/report.c:431
sockev_client_cb+0x41c/0x4b8 net/core/sockev_nlmcast.c:104
notifier_call_chain+0x104/0x158 kernel/notifier.c:93
__blocking_notifier_call_chain+0x80/0xb0 kernel/notifier.c:317
blocking_notifier_call_chain+0x3c/0x4c kernel/notifier.c:328
sockev_notify+0x30/0x3c net/socket.c:181
SYSC_bind net/socket.c:1509 [inline]
SyS_bind+0x1ec/0x30c net/socket.c:1489
el0_svc_naked+0x34/0x38
Freed by task 19460:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x134/0x20c mm/kasan/kasan.c:520
kasan_slab_free+0x10/0x1c mm/kasan/kasan.c:527
slab_free_hook mm/slub.c:1401 [inline]
slab_free_freelist_hook mm/slub.c:1422 [inline]
slab_free mm/slub.c:2979 [inline]
kmem_cache_free+0x114/0x664 mm/slub.c:3001
sk_prot_free net/core/sock.c:1504 [inline]
__sk_destruct+0x324/0x3c0 net/core/sock.c:1585
__sk_free+0x180/0x200 net/core/sock.c:1601
sk_free+0x44/0x50 net/core/sock.c:1612
sock_put include/net/sock.h:1643 [inline]
sk_common_release+0x198/0x20c net/core/sock.c:3014
raw_close+0x38/0x44 net/ipv4/raw.c:703
inet_release+0x128/0x15c net/ipv4/af_inet.c:446
__sock_release+0xb8/0x258 net/socket.c:614
sock_close+0x24/0x34 net/socket.c:1150
__fput+0x1f4/0x4e4 fs/file_table.c:345
____fput+0x20/0x2c fs/file_table.c:380
task_work_run+0x9c/0x174 kernel/task_work.c:113

Change-Id: Idb4335889b6e4228f36d76ca5b6156cc5e5838da
Signed-off-by: Sharath Chandra Vurukala <sharathv@codeaurora.org>
 2020-10-11 20:40:04 +02:00
Kaustubh Pandey a607d76b50 net: core: null pointer derefernce in sockev_client_cb 
sockev_client_cb creates a netlink message and populates
the nlmsg_data using the socket->sock information.
If socket is closed, while the nlmsg_data is being
populated, a null pointer dereference occurs.

BUG: KASAN: null-ptr-deref in sockev_client_cb+0x1e4/0x310
Read of size 2 at addr 0000000000000010 by task syz-executor/9398
CPU: 6 PID: 9398 Comm: syz-executor Tainted: G W O 4.9.92+ #1

Call trace:
[<ffffff94e2bebec4>] sockev_client_cb+0x1e4/0x310
[<ffffff94e14fb20c>] notifier_call_chain+0x94/0xe0
[<ffffff94e14fb894>] __blocking_notifier_call_chain+0x6c/0xb8
[<ffffff94e14fb920>] blocking_notifier_call_chain+0x40/0x50
[<ffffff94e2b727f8>] sockev_notify net/socket.c:180 [inline]
[<ffffff94e2b727f8>] SYSC_listen net/socket.c:1446 [inline]
[<ffffff94e2b727f8>] SyS_listen+0x1e0/0x1f8
[<ffffff94e1483f70>] el0_svc_naked+0x24/0x28

CR's Fixed: 2251042
Change-Id: Iad9eb58cd05fcdc0b5cc1ed24de56b69abb532b4
Signed-off-by: Sharath Chandra Vurukala <sharathv@codeaurora.org>
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
Signed-off-by: Kaustubh Pandey <kapandey@codeaurora.org>
Acked-by: Chinmay Agarwal <chinagar@qti.qualcomm.com>
 2020-10-11 20:40:04 +02:00
Susheel Yadagiri 8f2bc9e0e0 Send only BIND and LISTEN events. 
DPM is interested in only BIND and LISTEN events.

Change-Id: Iae11027945b981538f9c16ae9d5cd1ecf88a3743
Signed-off-by: Susheel Yadagiri <syadagir@codeaurora.org>
 2015-12-09 23:39:38 -08:00
Harout Hedeshian edfaa82932 net: sockev: corrected sk_family filter logic 
Commit 43e0e31e2d6e ("net: sockev: filtering non INET socket events")
from Krishnan introduced incorrect conditional logic which caused
the socket address families to be incorrectly filtered. This
patch corrects the logic.

CRs-Fixed: 830947
Cc: Krishnan Ramachandran <kramacha@qti.qualcomm.com>
Acked-by: Devesh Bisht <dbisht@qti.qualcomm.com>
Change-Id: I40a001a69d5aab25f7f97a7378aceae301fd762a
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
 2015-06-05 07:21:05 -07:00
Harout Hedeshian 784cd745bd net: sockev: filtering non INET socket events 
Too many socket events are generated by netlink socket. Filtering out
unwanted socket events.

Change-Id: I3a4d7e14843cf72d6af2d948113b27928ed01adb
Acked-by: Krishnan Ramachandran <kramacha@qti.qualcomm.com>
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
 2015-03-11 01:49:47 -07:00
Harout Hedeshian c17bbe2703 net: sockev: Initial Commit 
Added module which subscribes to socket notifier events. Notifier events
are then converted to a multicast netlink message for user space
applications to consume.

CRs-Fixed:  626021
Change-Id: Id5c6808d972b69f5f065d7fba9094e75c6ad0b2c
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
 2014-06-06 17:01:51 -07:00