On 2017-09-08 10:10, Cong Wang wrote:
On Thu, Sep 7, 2017 at 5:52 PM, Subash Abhinov Kasiviswanathan <subas...@codeaurora.org> wrote:
We are seeing a possible use after free in ip6_dst_destroy.

It appears as if memory of the __DST_METRICS_PTR(old) was freed in some path
and allocated to ion driver. ion driver has also freed it. Finally the memory
is freed by the fib gc and crashes since it is already deallocated.

Does the attached (compile-only) patch help anything?

From my _quick_ glance, it seems we miss the refcnt'ing
right in __dst_destroy_metrics_generic().

Thanks!

Hi Cong

Thanks for the patch. I'll try this out.

--
Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
