Re: kcm: use-after-free in fput of kcm socket

2016-08-28 Thread Cong Wang
On Sun, Aug 28, 2016 at 3:10 AM, Dmitry Vyukov  wrote:
> Hello,
>
> The following program triggers use-after-free:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <unistd.h>
> #include <sys/syscall.h>
>
> int main()
> {
>   // socket(AF_KCM /* 0x29 */, SOCK_SEQPACKET /* 5 */, 0)
>   int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0);
>   // SIOCKCMCLONE (0x89e2) on the KCM socket; the "Allocated:" stack below
>   // shows kcm_ioctl allocating the cloned socket here
>   syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0);
>   // the use-after-free fires in __fput when the descriptors are closed at exit
>   return 0;
> }
>
>
> [  367.240184] 
> ==
> [  367.240784] BUG: KASAN: use-after-free in __fput+0x65a/0x780 at
> addr 880069bc4b30
> [  367.241034] Read of size 2 by task a.out/4045
> [  367.241034] CPU: 3 PID: 4045 Comm: a.out Not tainted 4.8.0-rc3+ #34
> [  367.241034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS Bochs 01/01/2011
> [  367.241034]  884b8280 880038fb7bc0 82d1b1d9
> 00622e00
> [  367.241034]  fbfff1097050 88003e198900 880069bc4b00
> 880069bc4ec0
> [  367.241034]  880069bc4b30 859e90a0 880038fb7be8
> 817da1fc
> [  367.241034] Call Trace:
> [  367.241034]  [] dump_stack+0x12e/0x185
> [  367.241034]  [] ? sock_release+0x1d0/0x1d0
> [  367.241034]  [] kasan_object_err+0x1c/0x70
> [  367.241034]  [] kasan_report_error+0x1ae/0x490
> [  367.241034]  [] ? sock_release+0x1d0/0x1d0
> [  367.241034]  [] __asan_report_load2_noabort+0x3e/0x40
> [  367.241034]  [] ? __fput+0x65a/0x780
> [  367.241034]  [] __fput+0x65a/0x780
> [  367.241034]  [] fput+0x15/0x20
> [  367.241034]  [] task_work_run+0xf3/0x170
> [  367.241034]  [] do_exit+0x868/0x2c10
> [  367.241034]  [] ? sock_ioctl+0x1db/0x3d0
> [  367.241034]  [] ? sock_do_ioctl+0xb0/0xb0
> [  367.241034]  [] ? do_vfs_ioctl+0x430/0x1080
> [  367.241034]  [] ? mm_update_next_owner+0x640/0x640
> [  367.241034]  [] ? ioctl_preallocate+0x210/0x210
> [  367.241034]  [] ? bad_area+0x69/0x80
> [  367.241034]  [] ? exit_to_usermode_loop+0x3e/0x210
> [  367.241034]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc1
> [  367.241034]  [] do_group_exit+0x108/0x330
> [  367.241034]  [] SyS_exit_group+0x1d/0x20
> [  367.241034]  [] entry_SYSCALL_64_fastpath+0x23/0xc1


Hmm, we have a double free here. I have a patch to fix it, will send it out
very soon.

Thanks!


> [  367.241034] Object at 880069bc4b00, in cache sock_inode_cache size: 960
> [  367.241034] Allocated:
> [  367.241034] PID = 4045
> [  367.241034]  [] save_stack_trace+0x26/0x50
> [  367.241034]  [] save_stack+0x46/0xd0
> [  367.241034]  [] kasan_kmalloc+0xad/0xe0
> [  367.241034]  [] kasan_slab_alloc+0x12/0x20
> [  367.241034]  [] kmem_cache_alloc+0x12b/0x710
> [  367.241034]  [] sock_alloc_inode+0x1d/0x250
> [  367.241034]  [] alloc_inode+0x61/0x180
> [  367.241034]  [] new_inode_pseudo+0x17/0xe0
> [  367.241034]  [] sock_alloc+0x41/0x280
> [  367.241034]  [] kcm_ioctl+0x9b3/0x13e0
> [  367.241034]  [] sock_do_ioctl+0x65/0xb0
> [  367.241034]  [] sock_ioctl+0x2d2/0x3d0
> [  367.241034]  [] do_vfs_ioctl+0x18c/0x1080
> [  367.241034]  [] SyS_ioctl+0x8f/0xc0
> [  367.241034]  [] entry_SYSCALL_64_fastpath+0x23/0xc1
> [  367.241034] Freed:
> [  367.241034] PID = 4045
> [  367.241034]  [] save_stack_trace+0x26/0x50
> [  367.241034]  [] save_stack+0x46/0xd0
> [  367.241034]  [] kasan_slab_free+0x72/0xc0
> [  367.241034]  [] kmem_cache_free+0x76/0x300
> [  367.241034]  [] sock_destroy_inode+0x56/0x70
> [  367.241034]  [] destroy_inode+0xc7/0x130
> [  367.241034]  [] evict+0x329/0x500
> [  367.241034]  [] iput+0x495/0x930
> [  367.241034]  [] sock_release+0x164/0x1d0
> [  367.241034]  [] sock_close+0x16/0x20
> [  367.241034]  [] __fput+0x236/0x780
> [  367.241034]  [] fput+0x15/0x20
> [  367.241034]  [] task_work_run+0xf3/0x170
> [  367.241034]  [] do_exit+0x868/0x2c10
> [  367.241034]  [] do_group_exit+0x108/0x330
> [  367.241034]  [] SyS_exit_group+0x1d/0x20
> [  367.241034]  [] entry_SYSCALL_64_fastpath+0x23/0xc1
> [  367.241034] Memory state around the buggy address:
> [  367.241034]  880069bc4a00: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [  367.241034]  880069bc4a80: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [  367.241034] >880069bc4b00: fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb fb fb
> [  367.241034]  ^
> [  367.241034]  880069bc4b80: fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb fb fb
> [  367.241034]  880069bc4c00: fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb fb fb
> [  367.241034] 
> ==
>
>
> It is then followed by a bunch of other bugs, full log is here:
> https://gist.githubusercontent.com/dvyukov/b9884388bee40b792ae7900928358484/raw/ace2fa242468d584fa61bf753a5891faa71b0932/gistfile1.txt
>
>
> On commit 61c04572de404e52a655a36752e696bbcb483cf5 (Aug 25).


kcm: use-after-free in fput of kcm socket

2016-08-28 Thread Dmitry Vyukov
Hello,

The following program triggers use-after-free:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>

int main()
{
  // socket(AF_KCM /* 0x29 */, SOCK_SEQPACKET /* 5 */, 0)
  int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0);
  // SIOCKCMCLONE (0x89e2) on the KCM socket; the "Allocated:" stack below
  // shows kcm_ioctl allocating the cloned socket here
  syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0);
  // the use-after-free fires in __fput when the descriptors are closed at exit
  return 0;
}


[  367.240184] 
==
[  367.240784] BUG: KASAN: use-after-free in __fput+0x65a/0x780 at
addr 880069bc4b30
[  367.241034] Read of size 2 by task a.out/4045
[  367.241034] CPU: 3 PID: 4045 Comm: a.out Not tainted 4.8.0-rc3+ #34
[  367.241034] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Bochs 01/01/2011
[  367.241034]  884b8280 880038fb7bc0 82d1b1d9
00622e00
[  367.241034]  fbfff1097050 88003e198900 880069bc4b00
880069bc4ec0
[  367.241034]  880069bc4b30 859e90a0 880038fb7be8
817da1fc
[  367.241034] Call Trace:
[  367.241034]  [] dump_stack+0x12e/0x185
[  367.241034]  [] ? sock_release+0x1d0/0x1d0
[  367.241034]  [] kasan_object_err+0x1c/0x70
[  367.241034]  [] kasan_report_error+0x1ae/0x490
[  367.241034]  [] ? sock_release+0x1d0/0x1d0
[  367.241034]  [] __asan_report_load2_noabort+0x3e/0x40
[  367.241034]  [] ? __fput+0x65a/0x780
[  367.241034]  [] __fput+0x65a/0x780
[  367.241034]  [] fput+0x15/0x20
[  367.241034]  [] task_work_run+0xf3/0x170
[  367.241034]  [] do_exit+0x868/0x2c10
[  367.241034]  [] ? sock_ioctl+0x1db/0x3d0
[  367.241034]  [] ? sock_do_ioctl+0xb0/0xb0
[  367.241034]  [] ? do_vfs_ioctl+0x430/0x1080
[  367.241034]  [] ? mm_update_next_owner+0x640/0x640
[  367.241034]  [] ? ioctl_preallocate+0x210/0x210
[  367.241034]  [] ? bad_area+0x69/0x80
[  367.241034]  [] ? exit_to_usermode_loop+0x3e/0x210
[  367.241034]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc1
[  367.241034]  [] do_group_exit+0x108/0x330
[  367.241034]  [] SyS_exit_group+0x1d/0x20
[  367.241034]  [] entry_SYSCALL_64_fastpath+0x23/0xc1
[  367.241034] Object at 880069bc4b00, in cache sock_inode_cache size: 960
[  367.241034] Allocated:
[  367.241034] PID = 4045
[  367.241034]  [] save_stack_trace+0x26/0x50
[  367.241034]  [] save_stack+0x46/0xd0
[  367.241034]  [] kasan_kmalloc+0xad/0xe0
[  367.241034]  [] kasan_slab_alloc+0x12/0x20
[  367.241034]  [] kmem_cache_alloc+0x12b/0x710
[  367.241034]  [] sock_alloc_inode+0x1d/0x250
[  367.241034]  [] alloc_inode+0x61/0x180
[  367.241034]  [] new_inode_pseudo+0x17/0xe0
[  367.241034]  [] sock_alloc+0x41/0x280
[  367.241034]  [] kcm_ioctl+0x9b3/0x13e0
[  367.241034]  [] sock_do_ioctl+0x65/0xb0
[  367.241034]  [] sock_ioctl+0x2d2/0x3d0
[  367.241034]  [] do_vfs_ioctl+0x18c/0x1080
[  367.241034]  [] SyS_ioctl+0x8f/0xc0
[  367.241034]  [] entry_SYSCALL_64_fastpath+0x23/0xc1
[  367.241034] Freed:
[  367.241034] PID = 4045
[  367.241034]  [] save_stack_trace+0x26/0x50
[  367.241034]  [] save_stack+0x46/0xd0
[  367.241034]  [] kasan_slab_free+0x72/0xc0
[  367.241034]  [] kmem_cache_free+0x76/0x300
[  367.241034]  [] sock_destroy_inode+0x56/0x70
[  367.241034]  [] destroy_inode+0xc7/0x130
[  367.241034]  [] evict+0x329/0x500
[  367.241034]  [] iput+0x495/0x930
[  367.241034]  [] sock_release+0x164/0x1d0
[  367.241034]  [] sock_close+0x16/0x20
[  367.241034]  [] __fput+0x236/0x780
[  367.241034]  [] fput+0x15/0x20
[  367.241034]  [] task_work_run+0xf3/0x170
[  367.241034]  [] do_exit+0x868/0x2c10
[  367.241034]  [] do_group_exit+0x108/0x330
[  367.241034]  [] SyS_exit_group+0x1d/0x20
[  367.241034]  [] entry_SYSCALL_64_fastpath+0x23/0xc1
[  367.241034] Memory state around the buggy address:
[  367.241034]  880069bc4a00: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[  367.241034]  880069bc4a80: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[  367.241034] >880069bc4b00: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[  367.241034]  ^
[  367.241034]  880069bc4b80: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[  367.241034]  880069bc4c00: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[  367.241034] 
==


It is then followed by a bunch of other bugs, full log is here:
https://gist.githubusercontent.com/dvyukov/b9884388bee40b792ae7900928358484/raw/ace2fa242468d584fa61bf753a5891faa71b0932/gistfile1.txt


On commit 61c04572de404e52a655a36752e696bbcb483cf5 (Aug 25).
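A triage helper, added here as an example and not part of the thread or of the kernel: it parses a constructed excerpt of the KASAN report above (frame addresses stripped, as in the archive) into the access site, the object cache and the allocation and free stacks, and flags the pattern Cong Wang points at, the releasing function __fput sitting on both the free stack and the use stack. The function and field names are my own.

```python
import re

# Constructed excerpt of the report in this thread; the list archive stripped
# the frame addresses, so frames read "[] sym+off" rather than "[<addr>] sym".
SAMPLE_REPORT = """\
[  367.240784] BUG: KASAN: use-after-free in __fput+0x65a/0x780 at addr 880069bc4b30
[  367.241034] Read of size 2 by task a.out/4045
[  367.241034] Call Trace:
[  367.241034]  [] ? sock_release+0x1d0/0x1d0
[  367.241034]  [] __fput+0x65a/0x780
[  367.241034]  [] fput+0x15/0x20
[  367.241034] Object at 880069bc4b00, in cache sock_inode_cache size: 960
[  367.241034] Allocated:
[  367.241034] PID = 4045
[  367.241034]  [] sock_alloc+0x41/0x280
[  367.241034]  [] kcm_ioctl+0x9b3/0x13e0
[  367.241034] Freed:
[  367.241034] PID = 4045
[  367.241034]  [] sock_release+0x164/0x1d0
[  367.241034]  [] sock_close+0x16/0x20
[  367.241034]  [] __fput+0x236/0x780
"""

BUG_RE = re.compile(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) by task (\S+)/(\d+)")
OBJ_RE = re.compile(r"in cache (\S+) size: (\d+)")
FRAME_RE = re.compile(r"\]\s+\[(?:<[0-9a-f]+>)?\]\s+(\?\s+)?([\w.]+)\+0x")
SECTIONS = {"Call Trace:": "trace", "Allocated:": "alloc", "Freed:": "free"}

def parse_kasan(text):
    """Header fields plus the use, allocation and free stacks; '?' frames dropped."""
    rep = {"trace": [], "alloc": [], "free": []}
    section = None
    for line in text.splitlines():
        body = line.split("] ", 1)[-1].strip()      # drop the "[ time]" prefix
        if m := BUG_RE.search(body):
            rep["kind"], rep["where"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.search(body):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["task"], rep["pid"] = m.group(3), int(m.group(4))
        elif m := OBJ_RE.search(body):
            rep["cache"], rep["objsize"] = m.group(1), int(m.group(2))
        elif body in SECTIONS:
            section = SECTIONS[body]
        elif section and (m := FRAME_RE.search(line)):
            if not m.group(1):                          # "? sym" is a stale guess
                rep[section].append(m.group(2))
    return rep

def triage(rep):
    """Flag the double-release pattern: the function making the bad access is
    also on the free stack, i.e. the same release path ran twice on one object."""
    if rep["where"] in rep["free"]:
        return "double-release of %s object in %s" % (rep["cache"], rep["where"])
    return "uaf in %s, freed via %s" % (rep["where"], rep["free"][0])
```

Feeding the full report from the gist instead of the excerpt gives the same verdict, since the extra frames only lengthen the three stacks.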