| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250709164704.4b0fcfff@kernel.org> Date: Wed, 9 Jul 2025 16:47:04 -0700 From: Jakub Kicinski <kuba@...nel.org> To: Neill Kapron <nkapron@...gle.com> Cc: netdev@...r.kernel.org, kernel-team@...roid.com, cmllamas@...gle.com, jstultz@...gle.com, Nick Hawkins <nick.hawkins@....com>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, Kuniyuki Iwashima <kuniyu@...gle.com>, Al Viro <viro@...iv.linux.org.uk>, Dmitry Safonov <0x7f454c46@...il.com>, Anastasia Kovaleva <a.kovaleva@...ro.com>, Jinjie Ruan <ruanjinjie@...wei.com>, Siddh Raman Pant <siddh.raman.pant@...cle.com>, linux-kernel@...r.kernel.org Subject: Re: [RFC net] netlink: lock nl_cb_mutex in netlink_release On Tue, 8 Jul 2025 23:04:52 +0000 Neill Kapron wrote: > It is at this point after the netlink_dump() checks for cb_running that > netlink_release() is called, which tears everything down. While the change > in [2] clears cb_running, it does so without holding the lock. This causes > the NULL pointer dereference in netlink_dump(). Closing a socket while it's being read is pretty unlikely for real life processes. I don't think its even possible, but I'm not a VFS expert. AFAICT the crash is on: if (dev->dev.parent && nla_put_string(skb, IFLA_PARENT_DEV_NAME, dev_name(dev->dev.parent))) goto nla_put_failure; So my first suspicion would be dev.parent getting broken under our feet for the "special" device you're dealing with..
Powered by blists - more mailing lists