From: Cong Wang <[email protected]>
Date: Sun, 28 Aug 2016 21:28:26 -0700
> Dmitry reported a double free on kcm socket, which could
> be easily reproduced by:
>
> #include <unistd.h>
> #include <sys/syscall.h>
>
> int main()
> {
>     int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0);
>     syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0);
>     return 0;
> }
>
> This is because on the error path, after we install
> the new socket file, we call sock_release() to clean
> up the socket, which leaves the fd pointing to a freed
> socket. Fix this by calling sys_close() on that fd
> directly.
>
> Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
> Reported-by: Dmitry Vyukov <[email protected]>
> Cc: Tom Herbert <[email protected]>
> Signed-off-by: Cong Wang <[email protected]>
Applied and queued up for -stable, thanks.
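The ownership rule behind this fix, as an added user-space model that is not the kernel's code or the patch itself: once a socket has been installed into the fd table, the table owns the reference, so an error path must undo the install with close(fd) rather than releasing the object directly. The `toy_sock`, `fd_table` and `toy_*` names below are constructed for the illustration; the object is only flagged as freed rather than actually freed so the dangling state can be observed safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not kernel code: a model of fd_install(),
 * sock_release() and close() reference ownership. */

#define MAX_FDS 8

struct toy_sock {
    int refcount;
    int freed;        /* set when the last reference was dropped */
    int double_free;  /* set if a drop happens after 'freed' */
};

struct fd_table {
    struct toy_sock *slots[MAX_FDS];
};

static struct toy_sock *toy_sock_alloc(void)
{
    struct toy_sock *s = calloc(1, sizeof *s);
    if (s)
        s->refcount = 1;  /* caller holds the initial reference */
    return s;
}

/* Model of sock_release(): drop the reference we hold. The memory is
 * kept (only flagged) so the caller can inspect the dangling state;
 * a real kernel would free it here. */
static void toy_sock_release(struct toy_sock *s)
{
    if (s->freed) {
        s->double_free = 1;  /* second release of a freed object */
        return;
    }
    if (--s->refcount == 0)
        s->freed = 1;
}

/* Model of fd_install(): the table takes over the caller's reference. */
static int toy_fd_install(struct fd_table *t, struct toy_sock *s)
{
    for (int fd = 0; fd < MAX_FDS; fd++) {
        if (!t->slots[fd]) {
            t->slots[fd] = s;
            return fd;
        }
    }
    return -1;
}

/* Model of close(fd): detach from the table, then drop the table's ref. */
static int toy_close(struct fd_table *t, int fd)
{
    if (fd < 0 || fd >= MAX_FDS || !t->slots[fd])
        return -1;  /* EBADF */
    struct toy_sock *s = t->slots[fd];
    t->slots[fd] = NULL;
    toy_sock_release(s);
    return 0;
}

/* Buggy error path (the pattern the patch removes): after install, the
 * object is released directly, leaving the fd pointing at a freed object. */
static int error_path_buggy(struct fd_table *t, struct toy_sock *s)
{
    int fd = toy_fd_install(t, s);
    toy_sock_release(s);
    return fd;
}

/* Fixed error path: undo the install through the fd table. */
static int error_path_fixed(struct fd_table *t, struct toy_sock *s)
{
    int fd = toy_fd_install(t, s);
    toy_close(t, fd);
    return fd;
}

/* Does fd still point at an object that was already freed? */
static int fd_dangles(const struct fd_table *t, int fd)
{
    return fd >= 0 && fd < MAX_FDS && t->slots[fd] && t->slots[fd]->freed;
}

/* Run one error path, then the close(fd) that process exit or user space
 * will eventually perform. Stores whether the fd dangled in *dangling and
 * returns 1 if that later close double-freed the object, 0 otherwise. */
static int run_scenario(int use_fix, int *dangling)
{
    struct fd_table t = {0};
    struct toy_sock *s = toy_sock_alloc();
    if (!s)
        return -1;
    int fd = use_fix ? error_path_fixed(&t, s) : error_path_buggy(&t, s);
    *dangling = fd_dangles(&t, fd);
    toy_close(&t, fd);
    int df = s->double_free;
    free(s);
    return df;
}

int main(void)
{
    int dangling = 0;
    printf("buggy path: double_free=%d", run_scenario(0, &dangling));
    printf(" dangling=%d\n", dangling);
    printf("fixed path: double_free=%d", run_scenario(1, &dangling));
    printf(" dangling=%d\n", dangling);
    return 0;
}
```

The buggy path reports both a dangling fd and a double free on the later close; the fixed path reports neither, because `toy_close` both clears the slot and drops the only outstanding reference, which is what calling sys_close() on the fd achieves in the patch.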