From mboxrd@z Thu Jan 1 00:00:00 1970
From: Florian Westphal
Subject: Re: [PATCH net-next 1/3] net: fix possible user-after-free in skb_ext_add()
Date: Thu, 20 Dec 2018 20:32:42 +0100
Message-ID: <20181220193242.fjtjhh5awp5zu7dy@breakpoint.cc>
References: <54ab0a574e1d79a21463a2af2defc70d07157107.1545330068.git.pabeni@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: netdev@vger.kernel.org, Florian Westphal, "David S. Miller"
To: Paolo Abeni
Return-path:
Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:44628 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729825AbeLTTcp (ORCPT ); Thu, 20 Dec 2018 14:32:45 -0500
Content-Disposition: inline
In-Reply-To: <54ab0a574e1d79a21463a2af2defc70d07157107.1545330068.git.pabeni@redhat.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

Paolo Abeni wrote:
> On cow we can free the old extension: we must avoid dereferencing
> such extension after skb_ext_maybe_cow(). Since 'new' contents
> are always equal to 'old' after the copy, we can fix the above
> accessing the relevant data using 'new'.

Yep, this is indeed possible when two clones of the same skb have
skb_ext_add() invoked at the same time from two different contexts.

Thanks for spotting this.

Acked-by: Florian Westphal
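
Added example, not part of the original message and not kernel code: a user-space C model of the pattern discussed above, where the copy-on-write step can free the old extension, so the caller has to read from the copy. The names `struct ext`, `ext_put`, `ext_maybe_cow`, `ext_add` and the `other_ctx_puts` flag (standing in for the second clone dropping its reference concurrently) are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* User-space model only: all names are hypothetical, not kernel code. */
struct ext {
    int refcnt;          /* holders sharing this extension area */
    unsigned int used;   /* bytes already in use */
};

static int frees;        /* counts frees so a caller can observe them */

static void ext_put(struct ext *e)
{
    if (--e->refcnt == 0) {
        frees++;
        free(e);
    }
}

/* Copy a shared area and drop our reference to the original.
 * other_ctx_puts models another context dropping its reference meanwhile. */
static struct ext *ext_maybe_cow(struct ext *old, int other_ctx_puts)
{
    struct ext *new;

    if (old->refcnt == 1)
        return old;              /* sole owner, no copy needed */
    new = malloc(sizeof(*new));
    if (!new)
        return NULL;
    memcpy(new, old, sizeof(*new));
    new->refcnt = 1;
    if (other_ctx_puts)
        ext_put(old);            /* the concurrent context's put */
    ext_put(old);                /* ours: may be the last one and free 'old' */
    return new;
}

/* Reserve len bytes; return the offset they start at, or -1 on failure. */
static long ext_add(struct ext **slot, unsigned int len, int other_ctx_puts)
{
    struct ext *new = ext_maybe_cow(*slot, other_ctx_puts);
    long off;
    if (!new)
        return -1;
    /* off = (*slot)->used; would read freed memory once the cow freed 'old' */
    off = new->used;             /* same value: 'new' is a copy of 'old' */
    new->used += len;
    *slot = new;
    return off;
}
```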