>From 7efa9d087be20a67c5c3953f7bf26ae5bafaa061 Mon Sep 17 00:00:00 2001
From: Andrei Vagin
Date: Wed, 16 May 2018 00:03:39 -0700
Subject: [PATCH] tun: hold a tun socket during ptr_ring_cleanup

Otherwise a socket will be destroyed together with a tun_file structure, which is used in ptr_ring_cleanup. This issue was reported by kasan:

BUG: KASAN: use-after-free in __lock_acquire.isra.30+0x1ad4/0x1bb0
Read of size 8 at addr ffff88018e1728f8 by task criu/1819
CPU: 0 PID: 1819 Comm: criu Not tainted 4.17.0-rc5-next-20180515+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
dump_stack+0x71/0xab
print_address_description+0x6a/0x270
kasan_report+0x237/0x360
__lock_acquire.isra.30+0x1ad4/0x1bb0
lock_acquire+0x10b/0x2a0
_raw_spin_lock+0x25/0x30
tun_chr_close+0x1d7/0x4c0
__fput+0x251/0x770
task_work_run+0x10e/0x180
exit_to_usermode_loop+0xcb/0xf0
do_syscall_64+0x21d/0x280
? prepare_exit_to_usermode+0x88/0x130
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 1819:
__kasan_slab_free+0x130/0x180
kfree+0xd6/0x1f0
__sk_destruct+0x46f/0x580
tun_chr_close+0x330/0x4c0
__fput+0x251/0x770
task_work_run+0x10e/0x180
exit_to_usermode_loop+0xcb/0xf0
do_syscall_64+0x21d/0x280
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Signed-off-by: Andrei Vagin
---
drivers/net/tun.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 8b0f0a0baab4..f3eae203cc58 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -3246,8 +3246,10 @@ static int tun_chr_close(struct inode *inode, struct file *file)
 {
 struct tun_file *tfile = file->private_data;
+ sock_hold(&tfile->sk);
 tun_detach(tfile, true);
 ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
+ sock_put(&tfile->sk);
 return 0;
 }
-- 
2.17.0
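Review bot: The added `sock_hold(&tfile->sk)` carries no explanation of why it is needed, so a later reader sees a hold/put pair wrapped around two calls and has no hint that the put taken inside tun_detach() can be the last reference and free tfile itself; a comment above the hold such as `/* tun_detach() may drop the last ref to tfile->sk, which frees tfile; keep it alive for ptr_ring_cleanup() below */` would pin that lifetime down. Judging by the KASAN trace in the description (freed by __sk_destruct reached from tun_chr_close), the final sock_put is already taken inside `tun_detach(tfile, true)`, which suggests the ring cleanup could instead run in the detach path right before that final put and avoid the extra refcount round-trip on every close — worth confirming against __tun_detach, which is outside this hunk. Since this fixes a use-after-free reachable from a plain close() on the tun fd, the commit message would also benefit from a Fixes: tag naming the change that placed the ptr_ring_cleanup() call here, so stable trees can pick it up. The whole body of tun_chr_close is visible in the hunk.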