Bug 4229 - [ANCK 5.10] Pointer not freed in net/nfc/llcp_core.c
Summary: [ANCK 5.10] Pointer not freed in net/nfc/llcp_core.c
Status: NEW
Alias: None
Product: ANCK 5.10 Dev
Classification: ANCK
Component: net
Version: unspecified
Hardware: All Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: XuanZhuo
QA Contact: shuming
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-27 07:52 UTC by songkai
Modified: 2023-02-27 07:52 UTC
2 users

See Also:


Attachments

Description songkai inspur_group 2023-02-27 07:52:07 UTC
BUG: KASAN: use-after-free in kfree_skb()

    Call Trace:
    dump_stack_lvl (lib/dump_stack.c:106)
    print_address_description.constprop.0.cold (mm/kasan/report.c:306)
    kasan_check_range (mm/kasan/generic.c:189)
    kfree_skb (net/core/skbuff.c:955)
    local_cleanup (net/nfc/llcp_core.c:159)
    nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
    nfc_llcp_local_put (net/nfc/llcp_core.c:181)
    llcp_sock_destruct (net/nfc/llcp_sock.c:959)
    __sk_destruct (net/core/sock.c:2133)
    sk_destruct (net/core/sock.c:2181)
    __sk_free (net/core/sock.c:2192)
    sk_free (net/core/sock.c:2203)
    llcp_sock_release (net/nfc/llcp_sock.c:646)
    __sock_release (net/socket.c:650)
    sock_close (net/socket.c:1365)
    __fput (fs/file_table.c:306)
    task_work_run (kernel/task_work.c:179)
    ptrace_notify (kernel/signal.c:2354)
    syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
    syscall_exit_to_user_mode (kernel/entry/common.c:296)
    do_syscall_64 (arch/x86/entry/common.c:86)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)

    Allocated by task 4719:
    kasan_save_stack (mm/kasan/common.c:45)
    __kasan_slab_alloc (mm/kasan/common.c:325)
    slab_post_alloc_hook (mm/slab.h:766)
    kmem_cache_alloc_node (mm/slub.c:3497)
    __alloc_skb (net/core/skbuff.c:552)
    pn533_recv_response (drivers/nfc/pn533/usb.c:65)
    __usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
    usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
    tasklet_action_common.isra.0 (kernel/softirq.c:797)
    __do_softirq (kernel/softirq.c:571)

    Freed by task 1901:
    kasan_save_stack (mm/kasan/common.c:45)
    kasan_set_track (mm/kasan/common.c:52)
    kasan_save_free_info (mm/kasan/genericdd.c:518)
    __kasan_slab_free (mm/kasan/common.c:236)
    kmem_cache_free (mm/slub.c:3809)
    kfree_skbmem (net/core/skbuff.c:874)
    kfree_skb (net/core/skbuff.c:931)
    local_cleanup (net/nfc/llcp_core.c:159)
    nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
    nfc_unregister_device (net/nfc/core.c:1179)
    pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
    pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
    usb_unbind_interface (drivers/usb/core/driver.c:458)
    device_release_driver_internal (drivers/base/dd.c:1279)
    bus_remove_device (drivers/base/bus.c:529)
    device_del (drivers/base/core.c:3665)
    usb_disable_device (drivers/usb/core/message.c:1420)
    usb_disconnect (drivers/usb/core.c:2261)
    hub_event (drivers/usb/core/hub.c:5833)
    process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
    worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
    kthread (kernel/kthread.c:319)
    ret_from_fork (arch/x86/entry/entry_64.S:301)

upstream 54f7be61584b8ec4c6df405f479495b9397bae4a
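Added example, not code from this report or from the kernel tree: a userspace C model of the two paths that both reach local_cleanup() in the traces above (nfc_llcp_unregister_device() during the USB unplug, and later the last nfc_llcp_local_put() from llcp_sock_destruct()). It shows why a cleanup routine that frees rx_pending but leaves the pointer set hands the same buffer to kfree_skb() twice, and why clearing the pointer after the free makes a second pass harmless. The two-reference start state, the `clear_after_free` switch and the free counter are assumptions of the model, not kernel API.

```c
#include <stdbool.h>
#include <stdio.h>

/* Modelled skb: instead of releasing memory, kfree_skb() counts how often the
 * same buffer is handed to it, so a second pass shows up as free_count == 2
 * (the double free that KASAN reported as a use-after-free). */
struct sk_buff { int free_count; };

struct nfc_llcp_local {
    int ref;                    /* stands in for the kref in the kernel struct */
    struct sk_buff *rx_pending; /* partially received frame owned by `local` */
};

static void kfree_skb(struct sk_buff *skb)
{
    if (!skb)            /* like the kernel, NULL is a harmless no-op */
        return;
    skb->free_count++;   /* a value above 1 is the double free */
}

/* Both paths in the report end here; the modelled difference is whether the
 * freed pointer is left dangling for the next pass. */
static void local_cleanup(struct nfc_llcp_local *local, bool clear_after_free)
{
    kfree_skb(local->rx_pending);
    if (clear_after_free)
        local->rx_pending = NULL;  /* second cleanup pass becomes a no-op */
}

static void nfc_llcp_local_put(struct nfc_llcp_local *local, bool clear_after_free)
{
    if (--local->ref == 0)         /* last reference: release runs cleanup */
        local_cleanup(local, clear_after_free);
}

/* Replays the report: device unplug (unregister + put) while an LLCP socket
 * still holds a reference, then the socket closes and drops the last one.
 * Returns how many times rx_pending was passed to kfree_skb(). */
int replay_unplug_then_close(bool clear_after_free)
{
    struct sk_buff skb = { 0 };
    struct nfc_llcp_local local = { .ref = 2, .rx_pending = &skb };

    /* nfc_llcp_unregister_device(): cleanup, then drop the device's reference */
    local_cleanup(&local, clear_after_free);
    nfc_llcp_local_put(&local, clear_after_free);

    /* llcp_sock_destruct(): the socket drops the final reference */
    nfc_llcp_local_put(&local, clear_after_free);

    return skb.free_count;
}

int main(void)
{
    printf("pointer left dangling: %d frees\n", replay_unplug_then_close(false)); /* 2 */
    printf("pointer cleared:       %d frees\n", replay_unplug_then_close(true));  /* 1 */
    return 0;
}
```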