Re: [PATCH] sock: Fix sk_sleep return invalid pointer

From: Paolo Abeni
Date: Tue Aug 22 2023 - 11:31:54 EST

Next message: kernel test robot: "[tip:x86/shstk 10/24] arch/x86/kernel/shstk.c:244:29: sparse: sparse: incorrect type in argument 1 (different address spaces)"
Previous message: Bryan O'Donoghue: "Re: [PATCH v5 2/2] usb: typec: qcom-pmic-typec: register drm_bridge"
In reply to: syzbot: "[syzbot] [hams?] general protection fault in prepare_to_wait (2)"
Next in thread: syzbot: "Re: [syzbot] [hams?] general protection fault in prepare_to_wait (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2023-08-22 at 20:44 +0800, eadavis@xxxxxxxx wrote:
> From: Edward AD <eadavis@xxxxxxxx>
>
> The parameter sk_sleep(sk) passed in when calling prepare_to_wait may
> return an invalid pointer due to nr-release reclaiming the sock.
> Here, schedule_timeout_interruptible is used to replace the combination
> of 'prepare_to_wait, schedule, finish_wait' to solve the problem.
>
> Reported-and-tested-by: syzbot+666c97e4686410e79649@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Edward AD <eadavis@xxxxxxxx>

This looks wrong. No syscall should race with sock_release(). It looks
like you are papering over the real issue.

As the reproducer shows a disconnect on an connected socket, I'm wild
guessing something alike 4faeee0cf8a5d88d63cdbc3bab124fb0e6aed08c
should be more appropriate.

Cheers,

Paolo

Next message: kernel test robot: "[tip:x86/shstk 10/24] arch/x86/kernel/shstk.c:244:29: sparse: sparse: incorrect type in argument 1 (different address spaces)"
Previous message: Bryan O'Donoghue: "Re: [PATCH v5 2/2] usb: typec: qcom-pmic-typec: register drm_bridge"
In reply to: syzbot: "[syzbot] [hams?] general protection fault in prepare_to_wait (2)"
Next in thread: syzbot: "Re: [syzbot] [hams?] general protection fault in prepare_to_wait (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]