On Mon, Aug 22, 2016 at 09:58:18PM +0800, Liping Zhang wrote: > From: Liping Zhang <liping.zh...@spreadtrum.com> > > KASAN reported this bug: > BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at > addr ffff880002db08c8 > Read of size 4 by task lt-nf-queue/19041 > Call Trace: > <IRQ> [<ffffffff815eeebb>] dump_stack+0x63/0x88 > [<ffffffff813386f8>] kasan_report_error+0x528/0x560 > [<ffffffff81338cc8>] kasan_report+0x58/0x60 > [<ffffffffa07393f5>] ? icmp_packet+0x25/0x50 [nf_conntrack_ipv4] > [<ffffffff81337551>] __asan_load4+0x61/0x80 > [<ffffffffa07393f5>] icmp_packet+0x25/0x50 [nf_conntrack_ipv4] > [<ffffffffa06ecaa0>] nf_conntrack_in+0x550/0x980 [nf_conntrack] > [<ffffffffa06ec550>] ? __nf_conntrack_confirm+0xb10/0xb10 [nf_conntrack] > [ ... ] > > The main reason is that we missed to unlink the timeout objects in the > unconfirmed ct lists, so we will access the timeout objects that have > already been freed.
Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
