On Sat, Nov 12, 2022 at 08:04:23PM +0800, Wang Hai wrote:
> In kcm_rcv_strparser(), the skb is queued to the kcm that is currently
> being reserved, and if the queue is full, unreserve_rx_kcm() will be
> called. At this point, if KCM_RECV_DISABLE is set, then unreserve_rx_kcm()
> will requeue received messages for the current kcm socket to other kcm
> sockets. The kcm sock lock is not held during this time, and as long as
> someone calls kcm_recvmsg, it will concurrently unlink the same skb, which
> will result in a null pointer reference.
>
> cpu0                          cpu1                       cpu2
> kcm_rcv_strparser
>   reserve_rx_kcm
>                               kcm_setsockopt
>                                 kcm_recv_disable
>                                   kcm->rx_disabled = 1;
>   kcm_queue_rcv_skb
>   unreserve_rx_kcm
>     requeue_rx_msgs                                      kcm_recvmsg
>       __skb_dequeue
>         __skb_unlink(skb)                                  skb_unlink(skb)
>                                                          //double unlink skb

We will hold skb queue lock after my patch, so this will not happen after
applying my patch below?

https://lore.kernel.org/netdev/20221114005119.597905-1-xiyou.wangcong@xxxxxxxxx/