| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LFD.2.00.1208191647340.1893@ja.ssi.bg>
Date: Sun, 19 Aug 2012 19:51:41 +0300 (EEST)
From: Julian Anastasov <ja@....bg>
To: Eric Dumazet <eric.dumazet@...il.com>
cc: Fengguang Wu <fengguang.wu@...el.com>,
David Miller <davem@...emloft.net>,
networking <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: IPv4 BUG: held lock freed!
Hello,
On Sun, 19 Aug 2012, Eric Dumazet wrote:
> Hmm, this looks like sk_reset_timer() is called on a socket, and timer
> triggers _before_ the sock_hold()
>
> So the timer handler decrements sk_refcnt to 0 and calls sk_free()
>
> Its probably a bug introduced (or uncovered) by commit 6f458dfb40 (tcp:
> improve latencies of timer triggered events)
>
> I always found sk_reset_timer() a bit racy...
>
> void sk_reset_timer(struct sock *sk, struct timer_list* timer,
> unsigned long expires)
> {
> if (!mod_timer(timer, expires))
> sock_hold(sk); // MIGHT BE TOO LATE
> }
>
> Following should be safer...
Above code is fine as long as caller holds reference.
Your change for tcp_release_cb looks correct.
Also, may be tcp_v4_mtu_reduced is missing a check
for TCP_CLOSE state? tcp_v6_mtu_reduced already has such
check.
> void sk_reset_timer(struct sock *sk, struct timer_list* timer,
> unsigned long expires)
> {
This should not be needed:
> sock_hold(sk);
> if (mod_timer(timer, expires))
> sock_put(sk);
> }
Regards
--
Julian Anastasov <ja@....bg>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists