Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect

From: Vlad Efanov
Date: Mon May 29 2023 - 10:13:15 EST

Next message: Rafael J. Wysocki: "Re: [PATCH] ACPICA: Slightly simplify an error message in acpi_ds_result_push()"
Previous message: Jonathan Corbet: "Re: [net-next PATCH v3 03/13] Documentation: leds: leds-class: Document new Hardware driven LEDs APIs"
In reply to: Paolo Abeni: "Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect"
Next in thread: Vladislav Efanov: "[PATCH v2] udp6: Fix race condition in udp6_sendmsg & connect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thank you for detail information.

The patch is reworked and being tested now.

Vlad.

On 26.05.2023 21:13, Paolo Abeni wrote:

On Fri, 2023-05-26 at 18:58 +0300, Ефанов Владислав Александрович
wrote:

I don't think that we can just move sk_dst_set() call.

I think we can destroy dst of sendmsg task in this case.

AFAICS ip6_sk_dst_lookup_flow tries to acquire a reference to the
cached dst. If the connect() clears the cache, decreasing the refcnt,
the counter of the dst in use by sendmsg() must still be non zero.

IMHO the problem you see is that sk_setup_caps() keeps using the dst
after transferring the ownership to the dst cache, which is illegal.
The suggested patch addressed that.

If I'm wrong your syzkaller repro will keep splatting. Please have just
have a spin, thanks.

Paolo

Next message: Rafael J. Wysocki: "Re: [PATCH] ACPICA: Slightly simplify an error message in acpi_ds_result_push()"
Previous message: Jonathan Corbet: "Re: [net-next PATCH v3 03/13] Documentation: leds: leds-class: Document new Hardware driven LEDs APIs"
In reply to: Paolo Abeni: "Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect"
Next in thread: Vladislav Efanov: "[PATCH v2] udp6: Fix race condition in udp6_sendmsg & connect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]