From: Eric Biggers <[email protected]>
Date: Thu, 21 Feb 2019 14:13:56 -0800
> From: Eric Biggers <[email protected]>
>
> Commit 9060cb719e61 ("net: crypto set sk to NULL when af_alg_release.")
> fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is
> closed concurrently with fchownat(). However, it ignored that many
> other proto_ops::release() methods don't set sock->sk to NULL and
> therefore allow the same use-after-free:

 ...

> Rather than fixing all these and relying on every socket type to get
> this right forever, just make __sock_release() set sock->sk to NULL
> itself after calling proto_ops::release().
>
> Reproducer that produces the KASAN splat when any of these socket types
> are configured into the kernel:

 ...

> Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
> Signed-off-by: Eric Biggers <[email protected]>

Applied and queued up for -stable, thanks Eric.
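The reasoning in the quoted commit message, as an added userspace C model (not kernel code and not part of the original thread): one release method clears `sock->sk`, another forgets to, and clearing it once in the central release path protects both. The `*_model` names, the `clear_in_core` flag and the `-ENOENT`/`-EFAULT` return values are assumptions of this model, and the concurrent close is modeled as a sequential call made after release.

```c
#include <errno.h>
#include <stddef.h>
/* Userspace model only: simplified stand-ins, not the kernel's structures. */
struct socket_model;
struct sk_model { int live; unsigned uid; };
struct proto_ops_model { void (*release)(struct socket_model *); };
struct socket_model { struct sk_model *sk; const struct proto_ops_model *ops; };

/* release() that drops the sk and also clears sock->sk itself. */
static void release_careful(struct socket_model *sock)
{
    sock->sk->live = 0;   /* stands in for freeing the sk */
    sock->sk = NULL;
}
/* release() that drops the sk but leaves sock->sk pointing at it. */
static void release_forgetful(struct socket_model *sock)
{
    sock->sk->live = 0;
}
static const struct proto_ops_model careful_ops = { release_careful };
static const struct proto_ops_model forgetful_ops = { release_forgetful };

/* Central release path; clear_in_core = 1 models the patched behaviour. */
static void sock_release_model(struct socket_model *sock, int clear_in_core)
{
    sock->ops->release(sock);
    if (clear_in_core)
        sock->sk = NULL;  /* one assignment covers every socket type */
}

/* Late caller guarded only by a NULL check (assumed); -EFAULT marks a stale sk. */
static int setattr_model(struct socket_model *sock, unsigned uid)
{
    if (!sock->sk) return -ENOENT;
    if (!sock->sk->live) return -EFAULT;
    sock->sk->uid = uid;
    return 0;
}

/* Release a socket of the given type, then run the late caller on it. */
static int release_then_setattr(const struct proto_ops_model *ops, int clear_in_core)
{
    struct sk_model sk = { 1, 0 };
    struct socket_model sock = { &sk, ops };
    sock_release_model(&sock, clear_in_core);
    return setattr_model(&sock, 1000);
}

int main(void) { return release_then_setattr(&forgetful_ops, 1) != -ENOENT || release_then_setattr(&careful_ops, 0) != -ENOENT; }
```

In the model, `-EFAULT` appears only for the forgetful release method with the central clearing disabled, which is the case the commit message says was left open.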

