* [Patch net] smc: move unhash as early as possible in smc_release()
@ 2019-01-06  7:45 Cong Wang
  2019-01-07 15:12 ` David Miller
  0 siblings, 1 reply; 5+ messages in thread
From: Cong Wang @ 2019-01-06  7:45 UTC (permalink / raw)
  To: netdev; +Cc: Cong Wang, syzbot+fbd1e5476e4c94c7b34e, Ursula Braun

In smc_release() we release smc->clcsock before unhashing the smc
sock, but a parallel smc_diag_dump() may still be reading
smc->clcsock, therefore this could cause a use-after-free as
reported by syzbot.

Reported-and-tested-by: syzbot+fbd1e5476e4c94c7b34e@syzkaller.appspotmail.com
Fixes: 51f1de79ad8e ("net/smc: replace sock_put worker by socket refcounting")
Cc: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/smc/af_smc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index c4da4a78d369..c4e56602e0c6 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -146,6 +146,9 @@ static int smc_release(struct socket *sock)
 		sock_set_flag(sk, SOCK_DEAD);
 		sk->sk_shutdown |= SHUTDOWN_MASK;
 	}
+
+	sk->sk_prot->unhash(sk);
+
 	if (smc->clcsock) {
 		if (smc->use_fallback && sk->sk_state == SMC_LISTEN) {
 			/* wake up clcsock accept */
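Review bot: the lifetime argument behind this move belongs in the commit message. With `sk->sk_prot->unhash(sk);` placed here, a smc_diag_dump() that starts its hash walk after this point can no longer find the socket and so never reaches the smc->clcsock teardown in the `if (smc->clcsock)` block below; a dumper that already found the socket before the unhash is not excluded by this ordering, so the message should say what keeps smc->clcsock valid for it (the reference the dumper holds against the "final sock_put" in the second hunk, if that is the intent). Style: the two blank lines wrapping a single call can be reduced to one.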
@@ -170,7 +173,6 @@ static int smc_release(struct socket *sock)
 		smc_conn_free(&smc->conn);
 	release_sock(sk);
 
-	sk->sk_prot->unhash(sk);
 	sock_put(sk); /* final sock_put */
 out:
 	return rc;
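Review bot: the call removed here ran after release_sock(sk), i.e. without the socket lock, while its new position in the first hunk is reached with the lock still held. Worth one sentence in the message confirming that the unhash callback is safe to call under lock_sock and that nothing between the old and new positions, e.g. the `smc_conn_free(&smc->conn);` in context above, relies on the socket still being hashed.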
-- 
2.20.1

* Re: [Patch net] smc: move unhash as early as possible in smc_release()
  2019-01-06  7:45 [Patch net] smc: move unhash as early as possible in smc_release() Cong Wang
@ 2019-01-07 15:12 ` David Miller
  2019-01-07 16:45   ` Ursula Braun
  2019-01-07 19:25   ` Cong Wang
  0 siblings, 2 replies; 5+ messages in thread
From: David Miller @ 2019-01-07 15:12 UTC (permalink / raw)
  To: xiyou.wangcong; +Cc: netdev, mhjungk, syzbot+fbd1e5476e4c94c7b34e, ubraun

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Sat,  5 Jan 2019 23:45:26 -0800

> In smc_release() we release smc->clcsock before unhashing the smc
> sock, but a parallel smc_diag_dump() may still be reading
> smc->clcsock, therefore this could cause a use-after-free as
> reported by syzbot.
> 
> Reported-and-tested-by: syzbot+fbd1e5476e4c94c7b34e@syzkaller.appspotmail.com
> Fixes: 51f1de79ad8e ("net/smc: replace sock_put worker by socket refcounting")
> Cc: Ursula Braun <ubraun@linux.ibm.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

We have two patches messing around in here, seeming to deal with release
visibility and ordering problems in two different ways.

https://patchwork.ozlabs.org/patch/1020608/
https://patchwork.ozlabs.org/patch/1021044/

Reported-by: syzbot+0bf2e01269f1274b4b03@syzkaller.appspotmail.com
Reported-by: syzbot+e3132895630f957306bc@syzkaller.appspotmail.com

* Re: [Patch net] smc: move unhash as early as possible in smc_release()
  2019-01-07 15:12 ` David Miller
@ 2019-01-07 16:45   ` Ursula Braun
  2019-01-07 19:25   ` Cong Wang
  1 sibling, 0 replies; 5+ messages in thread
From: Ursula Braun @ 2019-01-07 16:45 UTC (permalink / raw)
  To: David Miller, xiyou.wangcong; +Cc: netdev, mhjungk, syzbot+fbd1e5476e4c94c7b34e


On 01/07/2019 04:12 PM, David Miller wrote:
> From: Cong Wang <xiyou.wangcong@gmail.com>
> Date: Sat,  5 Jan 2019 23:45:26 -0800
> 
>> In smc_release() we release smc->clcsock before unhashing the smc
>> sock, but a parallel smc_diag_dump() may still be reading
>> smc->clcsock, therefore this could cause a use-after-free as
>> reported by syzbot.
>>
>> Reported-and-tested-by: syzbot+fbd1e5476e4c94c7b34e@syzkaller.appspotmail.com
>> Fixes: 51f1de79ad8e ("net/smc: replace sock_put worker by socket refcounting")
>> Cc: Ursula Braun <ubraun@linux.ibm.com>
>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> 
> We have two patches messing around in here, seeming to deal with release
> visibility and ordering problems in two different ways.
> 
> https://patchwork.ozlabs.org/patch/1020608/
> https://patchwork.ozlabs.org/patch/1021044/
> 
> Reported-by: syzbot+0bf2e01269f1274b4b03@syzkaller.appspotmail.com
> Reported-by: syzbot+e3132895630f957306bc@syzkaller.appspotmail.com
> 

The patches from Myungho Jung fix a closing problem for listening SMC-sockets.
The patch by Cong Wang fixes a closing problem for SMC-sockets when smc_diag_dump()
is running in parallel. Both are valuable in my eyes.

* Re: [Patch net] smc: move unhash as early as possible in smc_release()
  2019-01-07 15:12 ` David Miller
  2019-01-07 16:45   ` Ursula Braun
@ 2019-01-07 19:25   ` Cong Wang
  2019-01-07 19:40     ` David Miller
  1 sibling, 1 reply; 5+ messages in thread
From: Cong Wang @ 2019-01-07 19:25 UTC (permalink / raw)
  To: David Miller
  Cc: Linux Kernel Network Developers, mhjungk, syzbot, Ursula Braun

On Mon, Jan 7, 2019 at 7:12 AM David Miller <davem@davemloft.net> wrote:
>
> From: Cong Wang <xiyou.wangcong@gmail.com>
> Date: Sat,  5 Jan 2019 23:45:26 -0800
>
> > In smc_release() we release smc->clcsock before unhashing the smc
> > sock, but a parallel smc_diag_dump() may still be reading
> > smc->clcsock, therefore this could cause a use-after-free as
> > reported by syzbot.
> >
> > Reported-and-tested-by: syzbot+fbd1e5476e4c94c7b34e@syzkaller.appspotmail.com
> > Fixes: 51f1de79ad8e ("net/smc: replace sock_put worker by socket refcounting")
> > Cc: Ursula Braun <ubraun@linux.ibm.com>
> > Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>
> We have two patches messing around in here, seeming to deal with release
> visibility and ordering problems in two different ways.
>
> https://patchwork.ozlabs.org/patch/1020608/
> https://patchwork.ozlabs.org/patch/1021044/
>
> Reported-by: syzbot+0bf2e01269f1274b4b03@syzkaller.appspotmail.com
> Reported-by: syzbot+e3132895630f957306bc@syzkaller.appspotmail.com

Isn't Myungho's patch already merged as commit 78abe3d0dfad? :)

So I believe the syzbot reported this bug on top of that commit.

Thanks.

* Re: [Patch net] smc: move unhash as early as possible in smc_release()
  2019-01-07 19:25   ` Cong Wang
@ 2019-01-07 19:40     ` David Miller
  0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2019-01-07 19:40 UTC (permalink / raw)
  To: xiyou.wangcong; +Cc: netdev, mhjungk, syzbot+fbd1e5476e4c94c7b34e, ubraun

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Mon, 7 Jan 2019 11:25:12 -0800

> Isn't Myungho's patch already merged as commit 78abe3d0dfad? :)
> 
> So I believe the syzbot reported this bug on top of that commit.

Aha, now it makes sense.

Yeah, I'll apply your patch, Cong.