| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070418090720.GA25070@2ka.mipt.ru> Date: Wed, 18 Apr 2007 13:07:20 +0400 From: Evgeniy Polyakov <johnpol@....mipt.ru> To: Patrick McHardy <kaber@...sh.net> Cc: Pavel Emelianov <xemul@...ru>, David Miller <davem@...emloft.net>, Linux Netdev List <netdev@...r.kernel.org>, Andrew Morton <akpm@...l.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, devel@...nvz.org, Kirill Korotaev <dev@...nvz.org> Subject: Re: [NETLINK] Don't attach callback to a going-away netlink socket On Wed, Apr 18, 2007 at 10:50:42AM +0200, Patrick McHardy (kaber@...sh.net) wrote: > >>It already does (netlink_destroy_callback), but that doesn't help > >>with this race though since without this patch we don't enter the > >>error path. > > > > I thought that with releasing a socket, which will have a callback > > attached only results in a leak of the callback? In that case we can > > just free it in dump() just like it is done in no-error path already. > > Or do I miss something additional? > > That would only work if there is nothing to dump (cb->dump returns 0). > Otherwise it is not freed. That is what I referred to as error path. Btw, with positive return value we end up in subsequent call to input which will free callback under lock as expected. I do not object against the patch, just want to make a clear vision about dumps - if callback is allocated to be used in dump only, then we could just free it there without passing to next round. > >>The problem is asynchronous processing of the dump request in the > >>context of a different process. Process requests a dump, message > >>is queued and process returns from sendmsg since some other process > >>is already processing the queue. Then the process closes the socket, > >>resulting in netlink_release being called. When the dump request > >>is finally processed the race Pavel described might happen. This > >>can only happen for netlink families that use mutex_try_lock for > >>queue processing of course. > > > > > > Doesn't it called from ->sk_data_ready() which is synchronous with > > respect to sendmsg, not sure about conntrack though, but it looks so? > > > Yes, but for kernel sockets we end up calling the input function, > which when mutex_trylock is used returns immediately when some > other process is already processing the queue, so the requesting > process might close the socket before the request is processed. So far it is only netfilter and gennetlink, we would see huge dump from netlink_sock_destruct. Anyway, that is possible situation, thanks for clearing this up. -- Evgeniy Polyakov - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists