Commit 6709ad14 authored by Subash Abhinov Kasiviswanathan

dst: Use after free in __dst_destroy_metrics_generic
It appears as if memory of the __DST_METRICS_PTR(old) was freed in
some path and allocated to ion driver. ion driver has also freed it.
Finally the memory is freed by the fib gc and crashes since it is
already deallocated. Call stack for reference below -

[<ffffff83c0a289c0>] object_err+0x4c/0x5c
[<ffffff83c0a2b284>] free_debug_processing+0x2e0/0x398
[<ffffff83c0a2b63c>] __slab_free+0x300/0x3e0
[<ffffff83c0a2bfc8>] kfree+0x28c/0x290
[<ffffff83c16b9580>] __dst_destroy_metrics_generic+0x6c/0x78
[<ffffff83c17d3408>] ip6_dst_destroy+0xb0/0xb4
[<ffffff83c16b9714>] dst_destroy+0x88/0x174
[<ffffff83c17d7f64>] icmp6_dst_gc+0x90/0xc0
[<ffffff83c17db52c>] fib6_gc_timer_cb+0x40/0xc0
[<ffffff83c093aef4>] call_timer_fn+0x58/0x1d0
[<ffffff83c093b198>] expire_timers+0x100/0x18c
[<ffffff83c093b2bc>] run_timer_softirq+0x98/0x270
[<ffffff83c0881a00>] __do_softirq+0x150/0x438
[<ffffff83c08af59c>] irq_exit+0xe0/0x138

=====================================================
BUG kmalloc-128 (Tainted: G W  O   ): Object already free
------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in alloc_largest_available+0x58/0x1f0 age=17 cpu=4 pid=649
alloc_debug_processing+0x114/0x1a0
___slab_alloc.constprop.72+0x654/0x690
__slab_alloc.isra.68.constprop.71+0x48/0x80
kmem_cache_alloc_trace+0x198/0x2c4
alloc_largest_available+0x58/0x1f0
ion_system_heap_allocate+0x1b0/0x6e8
__ion_alloc+0x180/0x988
ion_ioctl+0x26c/0x590
do_vfs_ioctl+0xcc/0x888
SyS_ioctl+0x90/0xa4
el0_svc_naked+0x24/0x28
INFO: Freed in process_info+0x188/0x1bc age=21 cpu=4 pid=649
free_debug_processing+0x180/0x398
__slab_free+0x300/0x3e0
kfree+0x28c/0x290
process_info+0x188/0x1bc
ion_system_heap_allocate+0x4b4/0x6e8
__ion_alloc+0x180/0x988
ion_ioctl+0x26c/0x590
do_vfs_ioctl+0xcc/0x888
SyS_ioctl+0x90/0xa4
el0_svc_naked+0x24/0x28

Fix the dst_metrics refcounting logic.

CRs-fixed: 2102892
Change-Id: Ia4472d082e6d89c50d2cf5074709f172d5715d86
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
parent 9e700121
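The refcounting that the commit message says it fixes, shown as an added example that is not the kernel's code and not this commit's diff: a simplified C model in which several dst entries share one metrics block, and the destroy path frees the block only when the last holder drops it, while the shared read-only default is never freed. The function names (share_metrics, destroy_metrics, demo_shared_metrics), the refcnt field, the single READ_ONLY flag bit and the blocks_freed counter are assumptions of this model; the kernel's real helper uses cmpxchg and its own metrics layout.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified model of dst metrics sharing; not the kernel's code. */
#define RTAX_MAX 4
#define DST_METRICS_READ_ONLY 0x1UL   /* low bit: block must never be freed */
#define DST_METRICS_PTR(x) ((struct dst_metrics *)((x) & ~DST_METRICS_READ_ONLY))

struct dst_metrics {
    uint32_t metrics[RTAX_MAX];
    int refcnt;                       /* dst entries currently sharing this block */
};

struct dst_entry {
    unsigned long _metrics;           /* pointer | flag bits, as in the kernel */
};

static struct dst_metrics dst_default_metrics = { {0}, 1 };
static int blocks_freed;              /* instrumentation so the outcome is testable */

static void metrics_free(struct dst_metrics *m) { blocks_freed++; free(m); }

/* Allocate one writable metrics block and hand it to n dst entries. */
static struct dst_metrics *share_metrics(struct dst_entry *dsts, int n)
{
    struct dst_metrics *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->refcnt = n;
    for (int i = 0; i < n; i++)
        dsts[i]._metrics = (unsigned long)m;   /* READ_ONLY bit clear: owned block */
    return m;
}

/* Detach the entry from its metrics; free the block only for the last holder. */
static void destroy_metrics(struct dst_entry *dst)
{
    unsigned long old = dst->_metrics;
    dst->_metrics = (unsigned long)&dst_default_metrics | DST_METRICS_READ_ONLY;
    if (old & DST_METRICS_READ_ONLY)
        return;                       /* shared default: never kfree'd */
    struct dst_metrics *m = DST_METRICS_PTR(old);
    if (--m->refcnt == 0)             /* without this check the block is freed twice */
        metrics_free(m);
}

/* Two routes share one block: no free after the first destroy, one after the second. */
int demo_shared_metrics(void)
{
    struct dst_entry d[2];
    blocks_freed = 0;
    if (!share_metrics(d, 2)) return -1;
    destroy_metrics(&d[0]);
    int after_first = blocks_freed;   /* 0: the other route still holds the block */
    destroy_metrics(&d[1]);
    destroy_metrics(&d[1]);           /* now points at the read-only default: no-op */
    return after_first * 10 + blocks_freed; /* 1: exactly one free, at the end */
}
```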