Re: use-after-free in sock_wake_async

From: Eric Dumazet
Date: Wed Nov 25 2015 - 12:51:44 EST

Next message: J. Bruce Fields: "Re: [RFC][PATCH 00/12] Enhanced file stat system call"
Previous message: Alexander Kuleshov: "[PATCH] crypto/cryptod: use crypto_skcipher_type() for getting skcipher type"
In reply to: Rainer Weikusat: "Re: use-after-free in sock_wake_async"
Next in thread: Rainer Weikusat: "Re: use-after-free in sock_wake_async"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2015-11-25 at 17:30 +0000, Rainer Weikusat wrote:

> In case this is wrong, it obviously implies that sk_sleep(sk) must not
> be used anywhere as it accesses the same struck sock, hence, when that
> can "suddenly" disappear despite locks are used in the way indicated
> above, there is now safe way to invoke that, either, as it just does a
> rcu_dereference_raw based on the assumption that the caller knows that
> the i-node (and the corresponding wait queue) still exist.
>

Oh well.

sk_sleep() is not used if the return is NULL

This is exactly why we have such code in critical functions :

wqueue = sk_sleep(sk);
if (wqueue && waitqueue_active(wqueue))
wake_up_interruptible_poll(wqueue,
POLLOUT | POLLWRNORM | POLLWRBAND);

We already took care of this problem years ago, but missed the ASYNC
case (that almost nobody really uses these days)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: J. Bruce Fields: "Re: [RFC][PATCH 00/12] Enhanced file stat system call"
Previous message: Alexander Kuleshov: "[PATCH] crypto/cryptod: use crypto_skcipher_type() for getting skcipher type"
In reply to: Rainer Weikusat: "Re: use-after-free in sock_wake_async"
Next in thread: Rainer Weikusat: "Re: use-after-free in sock_wake_async"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]