Re: [PATCH net] kcm: Fix kernel NULL pointer dereference in requeue_rx_msgs

From: wanghai (M)
Date: Sun Nov 13 2022 - 20:24:25 EST



On 2022/11/14 8:55, Cong Wang wrote:
On Sat, Nov 12, 2022 at 08:04:23PM +0800, Wang Hai wrote:
In kcm_rcv_strparser(), the skb is queued to the kcm that is currently
being reserved, and if the queue is full, unreserve_rx_kcm() will be
called. At this point, if KCM_RECV_DISABLE is set, then unreserve_rx_kcm()
will requeue received messages for the current kcm socket to other kcm
sockets. The kcm sock lock is not held during this time, and as long as
someone calls kcm_recvmsg, it will concurrently unlink the same skb, which
will result in a null pointer reference.

cpu0                          cpu1                          cpu2
kcm_rcv_strparser
  reserve_rx_kcm
                              kcm_setsockopt
                                kcm_recv_disable
                                  kcm->rx_disabled = 1;
  kcm_queue_rcv_skb
    unreserve_rx_kcm
      requeue_rx_msgs                                       kcm_recvmsg
        __skb_dequeue
          __skb_unlink(skb)                                   skb_unlink(skb)
            //double unlink skb

We will hold skb queue lock after my patch, so this will not happen after
applying my patch below?
https://lore.kernel.org/netdev/20221114005119.597905-1-xiyou.wangcong@xxxxxxxxx/

Hi Cong,

I tested your patch and it fixed my problem, thanks.


--
Wang Hai