Date: Thu, 30 Nov 2017 05:18:33 -0800
From: Christoph Hellwig
To: Al Viro
Cc: Linus Torvalds, Cong Wang, syzbot, David Miller, LKML, Linux Kernel Network Developers, syzkaller-bugs@googlegroups.com, linux-fsdevel
Subject: Re: KASAN: use-after-free Read in sock_release
Message-ID: <20171130131833.GA28908@infradead.org>
References: <94eb2c19e756c0119b055f1afbd0@google.com> <20171130020719.GE21978@ZenIV.linux.org.uk>
In-Reply-To: <20171130020719.GE21978@ZenIV.linux.org.uk>

On Thu, Nov 30, 2017 at 02:07:19AM +0000, Al Viro wrote:
> Incidentally, grepping for sys_close() shows another piece of fun in
> net/netfilter/xt_bpf.c. Folks, ONCE DESCRIPTOR IS INSTALLED, THAT'S
> IT; THERE'S NO REMOVING IT ON FAILURE EXITS. sys_close() should
> never, ever be used that way. Sigh...

Would be great to unexport the thing. Except that we also have
binfmt_misc (which looks legit) and autofs4, which on crack decided
that close() isn't a fun syscall, they'd much rather have an ioctl
that does exactly the same..
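
The rule in the quoted paragraph, shown from userspace as an added example (not code from this thread or from the kernel tree): the descriptor table is shared, so once a number is visible another thread can close and reuse it, and a failure exit that closes by number then hits a file it never owned. The second thread is simulated by a helper call so the result is deterministic; all function names are hypothetical and /dev/null is assumed to exist.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Stand-in for a second thread sharing the descriptor table. Once a number is
 * visible it may close it and open something else; the new file is given the
 * lowest free number, which is the one just released. */
static int other_thread_reuses(int fd)
{
    close(fd);
    return open("/dev/null", O_WRONLY);
}

static int is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Broken ordering: publish the descriptor, hit a failure, close it by number.
 * Returns 1 if that cleanup closed a file this code path never owned,
 * 0 if it did not, -1 if the setup itself failed. */
int close_after_install_hits_foreign_file(void)
{
    int fd = open("/dev/null", O_RDONLY);   /* the number is now "installed" */
    if (fd < 0)
        return -1;

    int theirs = other_thread_reuses(fd);   /* race window, made deterministic */
    if (theirs < 0)
        return -1;

    /* ... a later setup step fails here ... */
    close(fd);                              /* failure exit closes by number */

    int hit = (theirs == fd) && !is_open(theirs);
    if (!hit)
        close(theirs);
    return hit;
}

/* In-kernel code avoids this by reserving a number with get_unused_fd_flags(),
 * doing all fallible work, and calling fd_install() as the last step; an
 * earlier failure releases the reservation with put_unused_fd(). */
int main(void)
{
    printf("cleanup closed a foreign file: %d\n",
           close_after_install_hits_foreign_file());
    return 0;
}
```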