[LTP] [PATCH] syscalls/setsockopt09: Test use-after-free in socket timer

Martin Doucha mdoucha@suse.cz
Fri Mar 11 17:33:05 CET 2022


setsockopt09 may also trigger kernel crash in socket timer. Add git hash
for the timer fix and add taint check to detect this failure variant.

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---

Hello Xu, try whether these two patches properly detect the kernel crash
in timer. The patches are mutually exclusive and the second one includes
all the changes from the first one. Merging only the first patch is preferred
if it works.

 .../kernel/syscalls/setsockopt/setsockopt09.c      | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt09.c b/testcases/kernel/syscalls/setsockopt/setsockopt09.c
index 4b1ce2e92..f715bbc91 100644
--- a/testcases/kernel/syscalls/setsockopt/setsockopt09.c
+++ b/testcases/kernel/syscalls/setsockopt/setsockopt09.c
@@ -19,6 +19,11 @@
  *
  *  net/packet: rx_owner_map depends on pg_vec
  *
+ *  commit c800aaf8d869f2b9b47b10c5c312fe19f0a94042
+ *  Author: WANG Cong <xiyou.wangcong@gmail.com>
+ *  Date:   Mon Jul 24 10:07:32 2017 -0700
+ *
+ *  packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
  */
 
 #define _GNU_SOURCE
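Review bot: The header comment now lists commit c800aaf8d869f2b9b47b10c5c312fe19f0a94042 with no sentence saying why a second fix is referenced. Add a short remark above it that the test can also crash in the packet socket timer on kernels lacking this commit, so a reader can tell which failure mode each hash covers.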
@@ -85,6 +90,14 @@ static void run(void)
 	SAFE_SETSOCKOPT(sock, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));
 	SAFE_CLOSE(sock);
 
+	/* Wait for socket timer to expire just in case */
+	usleep(req.tp_retire_blk_tov * 3000);
+
+	if (tst_taint_check()) {
+		tst_res(TFAIL, "Kernel is vulnerable");
+		return;
+	}
+
 	tst_res(TPASS, "Nothing bad happened, probably");
 }
 
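Review bot: The delay in `usleep(req.tp_retire_blk_tov * 3000)` is an unexplained conversion and its result is not checked. tp_retire_blk_tov is in milliseconds, so the call sleeps for three timeout periods expressed in microseconds; the comment should say that instead of "just in case". POSIX allows usleep() to fail with EINVAL for arguments of 1000000 or more, which this expression reaches once the timeout is 334 ms or larger. If the sleep returns early, tst_taint_check() runs before the timer has fired and the test falls through to TPASS. A named constant for the multiplier, or a sleep call that takes milliseconds, would avoid both problems. The visible hunks also do not touch .taint_check in struct tst_test, so it is worth confirming that the test already sets it before relying on tst_taint_check() here.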
@@ -111,6 +124,7 @@ static struct tst_test test = {
 	},
 	.tags = (const struct tst_tag[]) {
 		{"linux-git", "ec6af094ea28"},
+		{"linux-git", "c800aaf8d869"},
 		{"CVE", "2021-22600"},
 		{}
 	}
-- 
2.35.1