Re: [PATCH] selinux: fix NULL pointer dereference in selinux_sctp_bind_connect()

Next message: yahia: "[PATCH v3] wmi/core: fix use-after-free in wmi_add_device()"
Previous message: Mike Rapoport: "Re: [RESEND PATCH v3 1/2] kho: add KHOSER_COPY_TYPE(UN)SAFE for phys copy"
In reply to: Tristan Madani: "Re: [PATCH] selinux: fix NULL pointer dereference in selinux_sctp_bind_connect()"
Next in thread: Stephen Smalley: "Re: [PATCH] selinux: fix NULL pointer dereference in selinux_sctp_bind_connect()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stephen Smalley

Date: Mon Jun 22 2026 - 15:16:08 EST

On Mon, Jun 22, 2026 at 2:59 PM Tristan Madani <tristmd@xxxxxxxxx> wrote:
>
> On 2026/06/22 10:12, Stephen Smalley wrote:
> > Is this sufficient, or can the sk_socket be freed under us after the
> > assignment?
>
> The assignment is safe. sock_orphan() only NULLs sk->sk_socket -- the
> struct socket is freed later in __sock_release(), after inet_release()
> returns. That path goes through sctp_close() -> lock_sock(), which
> serializes with the ASCONF softirq path (bh_lock_sock). So once we
> read a non-NULL pointer into the local variable, the socket is
> guaranteed to remain alive for the duration of the function.
>
> > Do different callers of this hook provide different guarantees
> > regarding sk_socket or are they all the same?
>
> They differ. The setsockopt callers (bindx, connectx, set_primary,
> sendmsg connect) run in process context with a file reference, so
> sk_socket is guaranteed non-NULL. The ASCONF softirq path
> (sctp_process_asconf) has no file reference and can race with socket
> close -- that is the only caller that can hit the NULL.

Thank you for clarifying. It might be good to add some or all of the
above to the patch description and/or
a comment in the code to make it clear going forward.