netdev.vger.kernel.org archive mirror
From: Eric Dumazet <edumazet@google.com>
To: Hillf Danton <hdanton@sina.com>
Cc: Shigeru Yoshida <syoshida@redhat.com>,
	kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com
Subject: Re: [PATCH v2] net: tun: Fix use-after-free in tun_detach()
Date: Sun, 20 Nov 2022 16:53:38 -0800
Message-ID: <CANn89i+cmAAH8om3ET-478ZxPV4=t5nF0Ei+DCZOxND5=EqBLw@mail.gmail.com>
In-Reply-To: <20221121003404.4875-1-hdanton@sina.com>

On Sun, Nov 20, 2022 at 4:34 PM Hillf Danton <hdanton@sina.com> wrote:
>
> On 20 Nov 2022 08:04:13 -0800 Eric Dumazet <edumazet@google.com>
> > On Sun, Nov 20, 2022 at 2:49 AM Hillf Danton <hdanton@sina.com> wrote:
> > > On 20 Nov 2022 18:02:13 +0900 Shigeru Yoshida <syoshida@redhat.com>
> > > >
> > > > This patch fixes the issue by calling sock_put() from tun_detach()
> > > > after all necessary accesses for the struct net have been done.
> > >
> > > Thanks for your fix.
> > >
> > > But tun is not special wrt netdev_run_todo() and call_netdevice_notifiers(),
> > > so the correct fix should be making netdev grab another hold on net and
> > > invoking put_net() in the path of netdev_run_todo().
> >
> > Well, this is not going to work. Unless I am missing something.
>
> Thanks for taking a look.
>
> I mean bump up refcount for net when updating netdev->nd_net in a bid to
> make dev_net() safe throughout netdev's life span.

This would prevent netns deletion, as the following sequence would
then no longer work as intended.

ip netns add foo
ip netns exec foo ip link set lo up
ip netns del foo

When a netns is deleted ("ip netns del" and no more refcounted sockets),
we have callbacks to unregister all devices tied to it.
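
The objection above, replayed as a small user-space model. This is an added example, not part of the original message and not kernel code. All model_* names are hypothetical, and the model assumes that "ip netns add" pins the namespace with one counted reference and that lo is registered in every new netns.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a network namespace; not the kernel's struct net. */
struct model_net {
	int refcnt;      /* counted references (named mount, sockets, ...) */
	int ndevs;       /* devices currently registered in this netns */
	bool dismantled; /* set once the cleanup callbacks have run */
};

/* Register a device; under the proposal each device also pins its netns. */
static void model_register_dev(struct model_net *net, bool dev_holds_ref)
{
	net->ndevs++;
	if (dev_holds_ref)
		net->refcnt++;
}

/* Drop one reference; only the last put runs the cleanup callbacks. */
static void model_put_net(struct model_net *net)
{
	if (--net->refcnt > 0)
		return;
	net->ndevs = 0; /* callbacks unregister all devices tied to the netns */
	net->dismantled = true;
}

/* Replays add / set lo up / del; returns true if the netns was dismantled. */
static bool model_add_up_del(bool dev_holds_ref)
{
	struct model_net foo = { .refcnt = 1 };  /* ip netns add foo */

	model_register_dev(&foo, dev_holds_ref); /* lo appears with the netns */
	/* ip netns exec foo ip link set lo up: flags only, no refcount change */
	model_put_net(&foo);                     /* ip netns del foo */
	return foo.dismantled;
}

int main(void)
{
	printf("devices do not pin netns: dismantled=%d\n", model_add_up_del(false));
	printf("devices pin netns:        dismantled=%d\n", model_add_up_del(true));
	return 0;
}
```

In the second case the only code that would unregister lo runs after the count reaches zero, and the count cannot reach zero while lo is registered.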
