Linux-RDMA Archive on lore.kernel.org
 help / color / Atom feed
From: Al Viro <viro@zeniv.linux.org.uk>
To: Aditya Pakki <pakki001@umn.edu>
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org, linux-rdma@vger.kernel.org,
	rds-devel@oss.oracle.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock
Date: Mon, 19 Apr 2021 22:12:59 +0000
Message-ID: <YH4Aa1zFAWkITsNK@zeniv-ca.linux.org.uk> (raw)
In-Reply-To: <20210407000913.2207831-1-pakki001@umn.edu>

On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:

> --- a/net/rds/send.c
> +++ b/net/rds/send.c
> @@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
>  unlock_and_drop:
>  		spin_unlock_irqrestore(&rm->m_rs_lock, flags);
>  		rds_message_put(rm);
> -		if (was_on_sock)
> +		if (was_on_sock && rm)
>  			rds_message_put(rm);

	Look at the code immediately prior to the site of your "fix".
Think for a second what will happen if we *could* get there with rm
equal to NULL (with your patch applied, that is).  Now, try to construct
the sequence of events that would lead to that situation.  Either you
will arrive at a real bug (in which case your fix does not actually
fix anything) *OR* you will get closer to realization that "defensive
programming" tends to be worthless garbage.  In both case the result
would be useful...

	Incidentally, locate the place where that variable is
last modified and find the precondition required for rm == NULL
downstream of that.

	Plainly put, the patch demonstrates either complete lack of
understanding or somebody not acting in good faith.  If it's the latter[1],
may I suggest the esteemed sociologists to fuck off and stop
testing the reviewers with deliberately spewed excrements?

[1] https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

  parent reply index

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-07  0:09 Aditya Pakki
2021-04-07 18:26 ` Santosh Shilimkar
2021-04-07 21:10 ` patchwork-bot+netdevbpf
2021-04-09 10:26 ` Eric Dumazet
2021-04-19 22:12 ` Al Viro [this message]
2021-04-20  9:09 ` Leon Romanovsky
2021-04-20  9:11   ` Leon Romanovsky
2021-04-21 14:19     ` Krzysztof Kozlowski
2021-04-21 15:36       ` Leon Romanovsky

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YH4Aa1zFAWkITsNK@zeniv-ca.linux.org.uk \
    --to=viro@zeniv.linux.org.uk \
    --cc=davem@davemloft.net \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pakki001@umn.edu \
    --cc=rds-devel@oss.oracle.com \
    --cc=santosh.shilimkar@oracle.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-RDMA Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-rdma/0 linux-rdma/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-rdma linux-rdma/ https://lore.kernel.org/linux-rdma \
		linux-rdma@vger.kernel.org
	public-inbox-index linux-rdma

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-rdma


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git