
net/handshake: Fix sock->file allocation

sock->file = sock_alloc_file(sock, O_NONBLOCK, NULL);
^^^^ ^^^^

sock_alloc_file() frees the socket on error, but the left hand
side of the assignment then dereferences the already-freed "sock".
This isn't a real bug in practice, and I didn't report it earlier,
because there is an assert that the allocation doesn't fail.

net/handshake/handshake-test.c:221 handshake_req_submit_test4() error: dereferencing freed memory 'sock'
net/handshake/handshake-test.c:233 handshake_req_submit_test4() warn: 'req' was already freed.
net/handshake/handshake-test.c:254 handshake_req_submit_test5() error: dereferencing freed memory 'sock'
net/handshake/handshake-test.c:290 handshake_req_submit_test6() error: dereferencing freed memory 'sock'
net/handshake/handshake-test.c:321 handshake_req_cancel_test1() error: dereferencing freed memory 'sock'
net/handshake/handshake-test.c:355 handshake_req_cancel_test2() error: dereferencing freed memory 'sock'
net/handshake/handshake-test.c:367 handshake_req_cancel_test2() warn: 'req' was already freed.
net/handshake/handshake-test.c:395 handshake_req_cancel_test3() error: dereferencing freed memory 'sock'
net/handshake/handshake-test.c:407 handshake_req_cancel_test3() warn: 'req' was already freed.
net/handshake/handshake-test.c:451 handshake_req_destroy_test1() error: dereferencing freed memory 'sock'
net/handshake/handshake-test.c:463 handshake_req_destroy_test1() warn: 'req' was already freed.

Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Fixes: 88232ec1ec5e ("net/handshake: Add Kunit tests for the handshake consumer API")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Link: https://lore.kernel.org/r/168451609436.45209.15407022385441542980.stgit@oracle-102.nfsv4bat.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Chuck Lever and committed by
Jakub Kicinski
18c40a1c b21c7ba6

+28 -14
+28 -14
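--- a/net/handshake/handshake-test.c
+++ b/net/handshake/handshake-test.c
@@ -209,6 +209,7 @@
 {
 struct handshake_req *req, *result;
 struct socket *sock;
+struct file *filp;
 int err;
 
 /* Arrange */
@@ -219,9 +218,10 @@
 err = __sock_create(&init_net, PF_INET, SOCK_STREAM, IPPROTO_TCP,
 &sock, 1);
 KUNIT_ASSERT_EQ(test, err, 0);
-sock->file = sock_alloc_file(sock, O_NONBLOCK, NULL);
-KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sock->file);
+filp = sock_alloc_file(sock, O_NONBLOCK, NULL);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, filp);
 KUNIT_ASSERT_NOT_NULL(test, sock->sk);
+sock->file = filp;
 
 err = handshake_req_submit(sock, req, GFP_KERNEL);
 KUNIT_ASSERT_EQ(test, err, 0);
@@ -243,6 +241,7 @@
 struct handshake_req *req;
 struct handshake_net *hn;
 struct socket *sock;
+struct file *filp;
 struct net *net;
 int saved, err;
 
@@ -254,9 +251,10 @@
 err = __sock_create(&init_net, PF_INET, SOCK_STREAM, IPPROTO_TCP,
 &sock, 1);
 KUNIT_ASSERT_EQ(test, err, 0);
-sock->file = sock_alloc_file(sock, O_NONBLOCK, NULL);
-KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sock->file);
+filp = sock_alloc_file(sock, O_NONBLOCK, NULL);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, filp);
 KUNIT_ASSERT_NOT_NULL(test, sock->sk);
+sock->file = filp;
 
 net = sock_net(sock->sk);
 hn = handshake_pernet(net);
@@ -280,6 +276,7 @@
 {
 struct handshake_req *req1, *req2;
 struct socket *sock;
+struct file *filp;
 int err;
 
 /* Arrange */
@@ -292,9 +287,10 @@
 err = __sock_create(&init_net, PF_INET, SOCK_STREAM, IPPROTO_TCP,
 &sock, 1);
 KUNIT_ASSERT_EQ(test, err, 0);
-sock->file = sock_alloc_file(sock, O_NONBLOCK, NULL);
-KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sock->file);
+filp = sock_alloc_file(sock, O_NONBLOCK, NULL);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, filp);
 KUNIT_ASSERT_NOT_NULL(test, sock->sk);
+sock->file = filp;
 
 /* Act */
 err = handshake_req_submit(sock, req1, GFP_KERNEL);
@@ -313,6 +307,7 @@
 {
 struct handshake_req *req;
 struct socket *sock;
+struct file *filp;
 bool result;
 int err;
 
@@ -325,8 +318,9 @@
 &sock, 1);
 KUNIT_ASSERT_EQ(test, err, 0);
 
-sock->file = sock_alloc_file(sock, O_NONBLOCK, NULL);
-KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sock->file);
+filp = sock_alloc_file(sock, O_NONBLOCK, NULL);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, filp);
+sock->file = filp;
 
 err = handshake_req_submit(sock, req, GFP_KERNEL);
 KUNIT_ASSERT_EQ(test, err, 0);
@@ -348,6 +340,7 @@
 struct handshake_req *req, *next;
 struct handshake_net *hn;
 struct socket *sock;
+struct file *filp;
 struct net *net;
 bool result;
 int err;
@@ -361,8 +352,9 @@
 &sock, 1);
 KUNIT_ASSERT_EQ(test, err, 0);
 
-sock->file = sock_alloc_file(sock, O_NONBLOCK, NULL);
-KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sock->file);
+filp = sock_alloc_file(sock, O_NONBLOCK, NULL);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, filp);
+sock->file = filp;
 
 err = handshake_req_submit(sock, req, GFP_KERNEL);
 KUNIT_ASSERT_EQ(test, err, 0);
@@ -390,6 +380,7 @@
 struct handshake_req *req, *next;
 struct handshake_net *hn;
 struct socket *sock;
+struct file *filp;
 struct net *net;
 bool result;
 int err;
@@ -403,8 +392,9 @@
 &sock, 1);
 KUNIT_ASSERT_EQ(test, err, 0);
 
-sock->file = sock_alloc_file(sock, O_NONBLOCK, NULL);
-KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sock->file);
+filp = sock_alloc_file(sock, O_NONBLOCK, NULL);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, filp);
+sock->file = filp;
 
 err = handshake_req_submit(sock, req, GFP_KERNEL);
 KUNIT_ASSERT_EQ(test, err, 0);
@@ -448,6 +436,7 @@
 {
 struct handshake_req *req;
 struct socket *sock;
+struct file *filp;
 int err;
 
 /* Arrange */
@@ -461,8 +448,9 @@
 &sock, 1);
 KUNIT_ASSERT_EQ(test, err, 0);
 
-sock->file = sock_alloc_file(sock, O_NONBLOCK, NULL);
-KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sock->file);
+filp = sock_alloc_file(sock, O_NONBLOCK, NULL);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, filp);
+sock->file = filp;
 
 err = handshake_req_submit(sock, req, GFP_KERNEL);
 KUNIT_ASSERT_EQ(test, err, 0);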
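Review bot: The new ordering in every hunk is only safe because `KUNIT_ASSERT_NOT_ERR_OR_NULL(test, filp)` aborts the test on failure: per the commit message, sock_alloc_file() has already freed the socket in that case, so the following `KUNIT_ASSERT_NOT_NULL(test, sock->sk)` and `sock->file = filp;` must never run after a failed allocation. That invariant is now spread across seven call sites with nothing saying so; a one-line comment on the assert in each, e.g. `/* on failure sock_alloc_file() has freed sock; assert before touching it again */`, would keep a future reorder from re-introducing the use-after-free the checker flagged. The trailing `sock->file = filp;` also looks redundant — if I recall correctly sock_alloc_file() stores the file in `sock->file` itself on success — so either drop it or annotate why it is kept. The seven Arrange blocks are otherwise identical, which suggests a small static helper that creates and asserts the socket/file pair; the surrounding functions and their teardown start and end outside these hunks, so the file reference's release path could not be reviewed here.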