Re: [PATCH] selinux: fix NULL pointer dereference in selinux_sctp_bind_connect()

From: Tristan Madani

Date: Mon Jun 22 2026 - 15:02:09 EST


On 2026/06/22 10:12, Stephen Smalley wrote:
> Is this sufficient, or can the sk_socket be freed under us after the
> assignment?

The assignment is safe. sock_orphan() only NULLs sk->sk_socket -- the
struct socket is freed later in __sock_release(), after inet_release()
returns. That path goes through sctp_close() -> lock_sock(), which
serializes with the ASCONF softirq path (bh_lock_sock). So once we
read a non-NULL pointer into the local variable, the socket is
guaranteed to remain alive for the duration of the function.

> Do different callers of this hook provide different guarantees
> regarding sk_socket or are they all the same?

They differ. The setsockopt callers (bindx, connectx, set_primary,
sendmsg connect) run in process context with a file reference, so
sk_socket is guaranteed non-NULL. The ASCONF softirq path
(sctp_process_asconf) has no file reference and can race with socket
close -- that is the only caller that can hit the NULL.

Tristan
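The "read the pointer once into a local" point from the reply above, as an added user-space model (not the kernel patch under discussion and not kernel code): `struct sock`/`struct socket`, `mock_sock_orphan()`, the two hook shapes and `run_scenario()` are hypothetical stand-ins; only `sk_socket`, `sock_orphan()` and `__sock_release()` come from the thread. It contrasts a double-fetch of `sk->sk_socket` with a single snapshot when a simulated close runs between check and use.

```c
#include <stddef.h>

/* Hypothetical user-space stand-ins for the kernel structs. */
struct socket { int flags; };
struct sock   { struct socket *sk_socket; };

/* Mimics sock_orphan(): only the pointer is cleared; the struct socket
 * object stays alive (in the kernel it is freed later, in __sock_release()). */
static void mock_sock_orphan(struct sock *sk) { sk->sk_socket = NULL; }

/* Optional callback run between "check" and "use" to model a concurrent
 * close racing with the hook (the ASCONF softirq case in the thread). */
typedef void (*race_fn)(struct sock *);

/* Double-fetch shape: checks sk->sk_socket, then re-reads it to use it.
 * Returns -2 where the real code would dereference NULL. */
static int hook_double_fetch(struct sock *sk, race_fn race)
{
    if (sk->sk_socket == NULL)
        return -1;                      /* nothing to do on an orphaned sock */
    if (race)
        race(sk);                       /* concurrent sock_orphan() */
    if (sk->sk_socket == NULL)          /* second read: pointer is gone */
        return -2;                      /* would crash: sk->sk_socket->flags */
    return sk->sk_socket->flags;
}

/* Snapshot shape: read the pointer once into a local, check it, and use
 * only the local. A later orphan cannot change what we already hold, and
 * the object it points to is not freed while the hook runs. */
static int hook_snapshot(struct sock *sk, race_fn race)
{
    struct socket *sock = sk->sk_socket;   /* single read */
    if (sock == NULL)
        return -1;
    if (race)
        race(sk);
    return sock->flags;                    /* still valid */
}

/* Builds a fresh live sock (constructed sample: flags = 42) and runs one
 * hook shape, with or without the simulated close racing it. */
static int run_scenario(int snapshot, int with_race)
{
    struct socket s = { 42 };
    struct sock sk = { &s };
    race_fn race = with_race ? mock_sock_orphan : NULL;
    return snapshot ? hook_snapshot(&sk, race) : hook_double_fetch(&sk, race);
}
```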