* [Patch net] smc: move unhash as early as possible in smc_release()
From: Cong Wang @ 2019-01-06 7:45 UTC
To: netdev; +Cc: Cong Wang, syzbot+fbd1e5476e4c94c7b34e, Ursula Braun
In smc_release() we release smc->clcsock before unhashing the smc
sock, but a parallel smc_diag_dump() may still be reading
smc->clcsock; therefore this could cause a use-after-free as
reported by syzbot.
Reported-and-tested-by: syzbot+fbd1e5476e4c94c7b34e@syzkaller.appspotmail.com
Fixes: 51f1de79ad8e ("net/smc: replace sock_put worker by socket refcounting")
Cc: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
net/smc/af_smc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index c4da4a78d369..c4e56602e0c6 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -146,6 +146,9 @@ static int smc_release(struct socket *sock)
sock_set_flag(sk, SOCK_DEAD);
sk->sk_shutdown |= SHUTDOWN_MASK;
}
+
+ sk->sk_prot->unhash(sk);
+
if (smc->clcsock) {
if (smc->use_fallback && sk->sk_state == SMC_LISTEN) {
/* wake up clcsock accept */
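Review bot: the relocated `sk->sk_prot->unhash(sk);` now runs before the `if (smc->clcsock)` teardown, which closes the window the commit message describes, but the hunk alone does not show what protects a `smc_diag_dump()` that already found the socket in the hash table before the unhash and is still dereferencing `smc->clcsock`; the commit message should state that the dump holds a reference on the socket (or the hash lock) across its read of `clcsock`, otherwise moving the unhash only narrows the race rather than removing it. The new call also executes unconditionally after the `SOCK_DEAD` block, so please confirm the protocol's unhash is safe on a socket that is not currently hashed (for example when `smc->clcsock` is NULL and the socket never completed setup).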
@@ -170,7 +173,6 @@ static int smc_release(struct socket *sock)
smc_conn_free(&smc->conn);
release_sock(sk);
- sk->sk_prot->unhash(sk);
sock_put(sk); /* final sock_put */
out:
return rc;
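Review bot: dropping `sk->sk_prot->unhash(sk);` here moves the unhash from after `release_sock(sk)` to a point earlier in `smc_release()` where the socket lock is presumably still held; confirm that every path reaching `sock_put(sk); /* final sock_put */` passes through the new call site so no socket is left hashed after its final put, and that the hash-table lock taken inside unhash nests correctly under `lock_sock()`. The `out:` early-return paths bypassed the old unhash as well, so their behaviour is unchanged, which is worth one sentence in the commit message.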
--
2.20.1
* Re: [Patch net] smc: move unhash as early as possible in smc_release()
2019-01-06 7:45 [Patch net] smc: move unhash as early as possible in smc_release() Cong Wang
@ 2019-01-07 15:12 ` David Miller
2019-01-07 16:45 ` Ursula Braun
2019-01-07 19:25 ` Cong Wang
0 siblings, 2 replies; 5+ messages in thread
From: David Miller @ 2019-01-07 15:12 UTC (permalink / raw)
To: xiyou.wangcong; +Cc: netdev, mhjungk, syzbot+fbd1e5476e4c94c7b34e, ubraun
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Sat, 5 Jan 2019 23:45:26 -0800
> In smc_release() we release smc->clcsock before unhashing the smc
> sock, but a parallel smc_diag_dump() may still be reading
> smc->clcsock; therefore this could cause a use-after-free as
> reported by syzbot.
>
> Reported-and-tested-by: syzbot+fbd1e5476e4c94c7b34e@syzkaller.appspotmail.com
> Fixes: 51f1de79ad8e ("net/smc: replace sock_put worker by socket refcounting")
> Cc: Ursula Braun <ubraun@linux.ibm.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
We have two patches messing around in here, seeming to deal with release
visibility and ordering problems in two different ways.
https://patchwork.ozlabs.org/patch/1020608/
https://patchwork.ozlabs.org/patch/1021044/
Reported-by: syzbot+0bf2e01269f1274b4b03@syzkaller.appspotmail.com
Reported-by: syzbot+e3132895630f957306bc@syzkaller.appspotmail.com
* Re: [Patch net] smc: move unhash as early as possible in smc_release()
From: Ursula Braun @ 2019-01-07 16:45 UTC
To: David Miller, xiyou.wangcong; +Cc: netdev, mhjungk, syzbot+fbd1e5476e4c94c7b34e
On 01/07/2019 04:12 PM, David Miller wrote:
> From: Cong Wang <xiyou.wangcong@gmail.com>
> Date: Sat, 5 Jan 2019 23:45:26 -0800
>
>> In smc_release() we release smc->clcsock before unhashing the smc
>> sock, but a parallel smc_diag_dump() may still be reading
>> smc->clcsock; therefore this could cause a use-after-free as
>> reported by syzbot.
>>
>> Reported-and-tested-by: syzbot+fbd1e5476e4c94c7b34e@syzkaller.appspotmail.com
>> Fixes: 51f1de79ad8e ("net/smc: replace sock_put worker by socket refcounting")
>> Cc: Ursula Braun <ubraun@linux.ibm.com>
>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>
> We have two patches messing around in here, seeming to deal with release
> visibility and ordering problems in two different ways.
>
> https://patchwork.ozlabs.org/patch/1020608/
> https://patchwork.ozlabs.org/patch/1021044/
>
> Reported-by: syzbot+0bf2e01269f1274b4b03@syzkaller.appspotmail.com
> Reported-by: syzbot+e3132895630f957306bc@syzkaller.appspotmail.com
>
The patches from Myungho Jung fix a closing problem for listening SMC-sockets.
The patch by Cong Wang fixes a closing problem for SMC-sockets when smc_diag_dump()
is running in parallel. Both are valuable in my eyes.
* Re: [Patch net] smc: move unhash as early as possible in smc_release()
From: Cong Wang @ 2019-01-07 19:25 UTC
To: David Miller
Cc: Linux Kernel Network Developers, mhjungk, syzbot, Ursula Braun
On Mon, Jan 7, 2019 at 7:12 AM David Miller <davem@davemloft.net> wrote:
>
> From: Cong Wang <xiyou.wangcong@gmail.com>
> Date: Sat, 5 Jan 2019 23:45:26 -0800
>
> > In smc_release() we release smc->clcsock before unhashing the smc
> > sock, but a parallel smc_diag_dump() may still be reading
> > smc->clcsock; therefore this could cause a use-after-free as
> > reported by syzbot.
> >
> > Reported-and-tested-by: syzbot+fbd1e5476e4c94c7b34e@syzkaller.appspotmail.com
> > Fixes: 51f1de79ad8e ("net/smc: replace sock_put worker by socket refcounting")
> > Cc: Ursula Braun <ubraun@linux.ibm.com>
> > Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>
> We have two patches messing around in here, seeming to deal with release
> visibility and ordering problems in two different ways.
>
> https://patchwork.ozlabs.org/patch/1020608/
> https://patchwork.ozlabs.org/patch/1021044/
>
> Reported-by: syzbot+0bf2e01269f1274b4b03@syzkaller.appspotmail.com
> Reported-by: syzbot+e3132895630f957306bc@syzkaller.appspotmail.com
Isn't Myungho's patch already merged as commit 78abe3d0dfad? :)
So I believe the syzbot reported this bug on top of that commit.
Thanks.
* Re: [Patch net] smc: move unhash as early as possible in smc_release()
From: David Miller @ 2019-01-07 19:40 UTC
To: xiyou.wangcong; +Cc: netdev, mhjungk, syzbot+fbd1e5476e4c94c7b34e, ubraun
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Mon, 7 Jan 2019 11:25:12 -0800
> Isn't Myungho's patch already merged as commit 78abe3d0dfad? :)
>
> So I believe the syzbot reported this bug on top of that commit.
Aha, now it makes sense.
Yeah I'll apply your patch Cong.