From: Al Viro
To: netdev@vger.kernel.org
Subject: [RFC] nasty corner case in unix_dgram_sendmsg()
Date: Mon, 25 Feb 2019 03:51:21 +0000
Message-ID: <20190225035121.GH2217@ZenIV.linux.org.uk>

Consider the following scenario: sendmsg() with explicit ->msg_name on
unconnected SOCK_DGRAM AF_UNIX socket finds the recipient just about to die.
We go through

	sk_locked = 0;
	unix_state_lock(other);
restart_locked:
	err = -EPERM;
	if (!unix_may_send(sk, other))
		goto out_unlock;

OK, since other->peer is already NULL

	if (unlikely(sock_flag(other, SOCK_DEAD))) {

Yes, it is.

		/*
		 *	Check with 1003.1g - what should
		 *	datagram error
		 */
		unix_state_unlock(other);

no locks held now...

		sock_put(other);

... and there goes the last reference to other.  We get preempted (to make
the window wider - the race would still exist without preempt, but it would
be much harder to hit).  Memory that used to hold *other gets reused for
another AF_UNIX socket, which gets bound to the same address *and* another
thread does connect() to that address on our socket.  Now unix_peer(sk) is
equal to other.  Our thread gets to run again, and

		if (!sk_locked)
			unix_state_lock(sk);

grabs sk->lock

		err = 0;
		if (unix_peer(sk) == other) {

... yes, it is.  Not the same object, though

			unix_peer(sk) = NULL;

... and it gets disconnected

			unix_dgram_peer_wake_disconnect_wakeup(sk, other);
			unix_state_unlock(sk);
			unix_dgram_disconnected(sk, other);

... with receive queue purged.

AFAICS, that's bogus.  And easily prevented - all we need here is do the
first sock_put() *after* the "have we just found the peer dead?" logic,
avoiding the memory reuse.

Objections?

PS: unix_dgram_sendmsg() is really much too subtle for its own good -
AFAICS, it *does* avoid blocking operations under sk->lock, but proof is
considerably more complex than one would like it to be...  And I'm still
not convinced that no codepath in it could end up doing something
unpleasant to SOCK_SEQPACKET sockets ;-/
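As an added illustration (not code from the mail or from the kernel), the ordering problem above reduced to a user-space model: a fixed pool so that a freed slot is reused by the very next allocation, and the two placements of sock_put() side by side. The names usock, handle_dead_peer and run_scenario are invented for this example.

```c
#include <stdbool.h>
#include <string.h>
/* Hypothetical user-space model (not kernel code): refcounted "sockets" live in a
 * fixed pool, so a slot whose refcount drops to zero is handed out again by the
 * very next allocation, as a freed slab object would be. */
struct usock { int refcnt; bool dead; };	/* refcnt 0: free slot; dead: SOCK_DEAD */
#define POOL_SIZE 2
static struct usock pool[POOL_SIZE];
static struct usock *sock_alloc(void)
{
	for (int i = 0; i < POOL_SIZE; i++)
		if (pool[i].refcnt == 0) {
			pool[i].refcnt = 1;
			pool[i].dead = false;
			return &pool[i];
		}
	return NULL;
}
static void sock_put(struct usock *s) { s->refcnt--; }

/* The sender's "peer has just died" path; 'peer' stands for unix_peer(sk).
 * put_early=true drops our reference to 'other' before the peer comparison, as the
 * quoted code does; put_early=false is the ordering the mail proposes. */
static bool handle_dead_peer(struct usock **peer, struct usock *other, bool put_early)
{
	bool disconnected = false;
	if (put_early)
		sock_put(other);	/* last reference gone: the slot may be reused */
	/* Window: another thread allocates a socket, binds it to the same address
	 * and connects sk to it. It lands in other's old slot iff that was freed. */
	*peer = sock_alloc();
	/* Back in our thread: compare against the possibly stale pointer. */
	if (*peer == other) {
		*peer = NULL;		/* bogus disconnect of the newcomer */
		disconnected = true;
	}
	if (!put_early)
		sock_put(other);	/* fixed ordering: drop the reference only now */
	return disconnected;
}
/* One run from a clean pool: the recipient we looked up is about to die. */
static bool run_scenario(bool put_early)
{
	struct usock *sk_peer = NULL;	/* unconnected SOCK_DGRAM sender */
	memset(pool, 0, sizeof(pool));
	struct usock *other = sock_alloc();	/* unix_find_other() handed us a ref */
	other->dead = true;
	return handle_dead_peer(&sk_peer, other, put_early);	/* true only when put_early */
}
```

With the reference held across the comparison the newcomer cannot occupy other's slot, so the stale-pointer match, and the spurious unix_dgram_disconnected(), never happen.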