[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id:
<168680821979.19671.5148979786262319669.git-patchwork-notify@kernel.org>
Date: Thu, 15 Jun 2023 05:50:19 +0000
From: patchwork-bot+netdevbpf@...nel.org
To: Lin Ma <linma@....edu.cn>
Cc: kuba@...nel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] net/handshake: remove fput() that causes use-after-free
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@...nel.org>:
On Wed, 14 Jun 2023 09:52:49 +0800 you wrote:
> A reference underflow is found in TLS handshake subsystem that causes a
> direct use-after-free. Part of the crash log is like below:
>
> [ 2.022114] ------------[ cut here ]------------
> [ 2.022193] refcount_t: underflow; use-after-free.
> [ 2.022288] WARNING: CPU: 0 PID: 60 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
> [ 2.022432] Modules linked in:
> [ 2.022848] RIP: 0010:refcount_warn_saturate+0xbe/0x110
> [ 2.023231] RSP: 0018:ffffc900001bfe18 EFLAGS: 00000286
> [ 2.023325] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00000000ffffdfff
> [ 2.023438] RDX: 0000000000000000 RSI: 00000000ffffffea RDI: 0000000000000001
> [ 2.023555] RBP: ffff888004c20098 R08: ffffffff82b392c8 R09: 00000000ffffdfff
> [ 2.023693] R10: ffffffff82a592e0 R11: ffffffff82b092e0 R12: ffff888004c200d8
> [ 2.023813] R13: 0000000000000000 R14: ffff888004c20000 R15: ffffc90000013ca8
> [ 2.023930] FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
> [ 2.024062] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2.024161] CR2: ffff888003601000 CR3: 0000000002a2e000 CR4: 00000000000006f0
> [ 2.024275] Call Trace:
> [ 2.024322] <TASK>
> [ 2.024367] ? __warn+0x7f/0x130
> [ 2.024430] ? refcount_warn_saturate+0xbe/0x110
> [ 2.024513] ? report_bug+0x199/0x1b0
> [ 2.024585] ? handle_bug+0x3c/0x70
> [ 2.024676] ? exc_invalid_op+0x18/0x70
> [ 2.024750] ? asm_exc_invalid_op+0x1a/0x20
> [ 2.024830] ? refcount_warn_saturate+0xbe/0x110
> [ 2.024916] ? refcount_warn_saturate+0xbe/0x110
> [ 2.024998] __tcp_close+0x2f4/0x3d0
> [ 2.025065] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
> [ 2.025168] tcp_close+0x1f/0x70
> [ 2.025231] inet_release+0x33/0x60
> [ 2.025297] sock_release+0x1f/0x80
> [ 2.025361] handshake_req_cancel_test2+0x100/0x2d0
> [ 2.025457] kunit_try_run_case+0x4c/0xa0
> [ 2.025532] kunit_generic_run_threadfn_adapter+0x15/0x20
> [ 2.025644] kthread+0xe1/0x110
> [ 2.025708] ? __pfx_kthread+0x10/0x10
> [ 2.025780] ret_from_fork+0x2c/0x50
>
> [...]
Here is the summary with links:
- [v1] net/handshake: remove fput() that causes use-after-free
https://git.kernel.org/netdev/net/c/361b6889ae63
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Powered by blists - more mailing lists