[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <815ce4d97f6d673799ee7a94d90eeda58b1e51e4.camel@redhat.com>
Date: Fri, 26 May 2023 20:13:25 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Ефанов Владислав Александрович <vefanov@...ras.ru>,
Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>,
David Ahern <dsahern@...nel.org>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect
On Fri, 2023-05-26 at 18:58 +0300, Ефанов Владислав Александрович
wrote:
> I don't think that we can just move sk_dst_set() call.
>
> I think we can destroy dst of sendmsg task in this case.
AFAICS ip6_sk_dst_lookup_flow tries to acquire a reference to the
cached dst. If the connect() clears the cache, decreasing the refcnt,
the counter of the dst in use by sendmsg() must still be non zero.
IMHO the problem you see is that sk_setup_caps() keeps using the dst
after transferring the ownership to the dst cache, which is illegal.
The suggested patch addressed that.
If I'm wrong your syzkaller repro will keep splatting. Please have just
have a spin, thanks.
Paolo
Powered by blists - more mailing lists