Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect

From: Vlad Efanov
Date: Mon May 29 2023 - 10:13:15 EST

Thank you for the detailed information.

The patch is reworked and being tested now.


On 26.05.2023 21:13, Paolo Abeni wrote:
> On Fri, 2023-05-26 at 18:58 +0300, Ефанов Владислав Александрович
> > I don't think that we can just move the sk_dst_set() call.
> >
> > I think we can destroy the dst of the sendmsg task in this case.
>
> AFAICS ip6_sk_dst_lookup_flow tries to acquire a reference to the
> cached dst. If the connect() clears the cache, decreasing the refcnt,
> the counter of the dst in use by sendmsg() must still be non-zero.
>
> IMHO the problem you see is that sk_setup_caps() keeps using the dst
> after transferring the ownership to the dst cache, which is illegal.
> The suggested patch addressed that.
>
> If I'm wrong your syzkaller repro will keep splatting. Please just
> have a spin, thanks.