[PATCH] Fix kfree bug in sendmsg and recvmsg

From: Joe Korty
Date: Wed Feb 17 2016 - 11:38:12 EST


Fix kfree bug in recvmsg and sendmsg.

We cannot kfree(iov) when iov points to an array on the
stack, as that has the potential of corrupting memory.

So re-introduce the if-stmt that used to protect kfree
from this condition, code that was removed as part of
a larger set of changes made by git commit da184284.

Signed-off-by: Joe Korty <joe.korty@xxxxxxxx>

Index: b/net/socket.c
===================================================================
--- a/net/socket.c
+++ b/net/socket.c
@@ -1960,7 +1960,8 @@ out_freectl:
if (ctl_buf != ctl)
sock_kfree_s(sock->sk, ctl_buf, ctl_len);
out_freeiov:
- kfree(iov);
+ if (iov != iovstack)
+ kfree(iov);
return err;
}

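Review bot: Before re-adding this guard in the sendmsg cleanup path, confirm that iov can actually equal iovstack at out_freeiov in this tree. The commit message says the guard was dropped by da184284 as part of a larger change; if that change also made the iovec import helper hand back NULL (rather than the stack pointer) whenever the stack array is used, then kfree(iov) is already a safe kfree(NULL) here and this hunk is redundant. If the stack pointer can really reach this label, the message should say which kernel version reproduces the corruption so the fix can be verified.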
@@ -2125,7 +2126,8 @@ static int ___sys_recvmsg(struct socket
err = len;

out_freeiov:
- kfree(iov);
+ if (iov != iovstack)
+ kfree(iov);
return err;
}
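Review bot: Same question as for the sendmsg hunk: the context shows only the cleanup label in ___sys_recvmsg, not how iov is assigned, so the hunk alone cannot show whether iov ever points at iovstack here. If the import path returns NULL for the stack case, kfree(NULL) is a no-op and the added comparison changes nothing; if it returns the stack address, the guard is needed, but then every path that jumps to out_freeiov must also leave iov either NULL or equal to iovstack, which this hunk does not demonstrate.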
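As an added illustration, not part of Joe Korty's patch or of net/socket.c, the following user-space C sketch contrasts the two cleanup conventions at stake: the caller-side guard this patch restores (free only when the pointer is not the stack array), and the alternative where the import helper hands back NULL whenever the stack array was used, so a bare free is safe. The names `import_segments`, `import_segments_null`, `process_guarded`, `process_null_convention`, `struct iovec_like` and the value of `UIO_FASTIOV` are assumptions made for this example; it goes beyond the page by showing the second convention, which the commit message does not mention.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define UIO_FASTIOV 8   /* same name as the kernel constant; value assumed */

struct iovec_like { void *base; size_t len; };   /* stand-in for struct iovec */

/* Convention A helper: copies nr segments into the caller's stack array when
 * they fit, otherwise into a malloc()ed buffer. Returns the buffer used, or
 * NULL on allocation failure. The caller must compare the result against its
 * own stack array before freeing. */
static struct iovec_like *import_segments(const struct iovec_like *src, size_t nr,
                                          struct iovec_like *fast, size_t fast_segs)
{
    struct iovec_like *p = fast;
    if (nr > fast_segs) {
        p = malloc(nr * sizeof(*p));
        if (!p)
            return NULL;
    }
    memcpy(p, src, nr * sizeof(*p));
    return p;
}

/* Convention A caller: the guard the patch restores. Returns 1 if a heap
 * buffer was used and freed, 0 if the stack array was used, -1 on failure. */
int process_guarded(size_t nr)
{
    struct iovec_like src[32] = {{0}};          /* constructed sample segments */
    struct iovec_like iovstack[UIO_FASTIOV];
    struct iovec_like *iov;
    int freed_heap = 0;

    if (nr > 32)
        return -1;
    iov = import_segments(src, nr, iovstack, UIO_FASTIOV);
    if (!iov)
        return -1;
    /* ... use iov[0..nr) ... */
    if (iov != iovstack) {   /* never free() a stack address */
        free(iov);
        freed_heap = 1;
    }
    return freed_heap;
}

/* Convention B helper: the caller passes its stack array in *iov; on success
 * *iov is set to NULL if that array was used, or to the heap buffer otherwise,
 * so the cleanup can always call free(*iov). Returns 0 or -1. */
static int import_segments_null(const struct iovec_like *src, size_t nr,
                                struct iovec_like **iov, size_t fast_segs)
{
    struct iovec_like *p = *iov;
    if (nr > fast_segs) {
        p = malloc(nr * sizeof(*p));
        if (!p) {
            *iov = NULL;
            return -1;
        }
    }
    memcpy(p, src, nr * sizeof(*p));
    *iov = (p == *iov) ? NULL : p;   /* NULL means "stack array in use" */
    return 0;
}

/* Convention B caller: no guard needed because free(NULL) is a no-op.
 * Same return values as process_guarded(). */
int process_null_convention(size_t nr)
{
    struct iovec_like src[32] = {{0}};          /* constructed sample segments */
    struct iovec_like iovstack[UIO_FASTIOV];
    struct iovec_like *iov = iovstack;
    const struct iovec_like *data;
    int freed_heap;

    if (nr > 32)
        return -1;
    if (import_segments_null(src, nr, &iov, UIO_FASTIOV) < 0)
        return -1;
    data = iov ? iov : iovstack;   /* where the segments actually live */
    (void)data;
    freed_heap = (iov != NULL);
    free(iov);                     /* safe in both cases */
    return freed_heap;
}
```

Under convention B the guard in the patch becomes dead code, which is exactly the question a reviewer would want settled before merging it: which convention the kernel's import helper follows in the tree being patched.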