Message-Id: <20170912.203914.1695474417183964442.davem@davemloft.net>
Date:   Tue, 12 Sep 2017 20:39:14 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     eric.dumazet@...il.com
Cc:     sp3485@...umbia.edu, netdev@...r.kernel.org,
        xiyou.wangcong@...il.com, andrew.aday@...umbia.edu
Subject: Re: [PATCH net] tcp/dccp: remove reqsk_put() from
 inet_child_forget()

From: Eric Dumazet <eric.dumazet@...il.com>
Date: Mon, 11 Sep 2017 15:58:38 -0700

> From: Eric Dumazet <edumazet@...gle.com>
> 
> Back in linux-4.4, I inadvertently put a call to reqsk_put() in
> inet_child_forget(), forgetting it could be called from two different
> points.
> 
> In the case it is called from inet_csk_reqsk_queue_add(), we want to
> keep the reference on the request socket, since it is released later by
> the caller (tcp_v{4|6}_rcv()).
> 
> This bug never showed up because atomic_dec_and_test() was not signaling
> the underflow, and SLAB_DESTROY_BY_RCU semantic for request sockets
> prevented the request from being put in quarantine.
> 
> Recent conversion of socket refcount from atomic_t to refcount_t finally
> exposed the bug.
> 
> So move the reqsk_put() to inet_csk_listen_stop() to fix this.
> 
> Thanks to Shankara Pailoor for using syzkaller and providing
> a nice set of .config and C repro.
 ...
> Fixes: ebb516af60e1 ("tcp/dccp: fix race at listener dismantle phase")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Reported-by: Shankara Pailoor <sp3485@...umbia.edu>
> Tested-by: Shankara Pailoor <sp3485@...umbia.edu>

Applied and queued up for -stable.

Thanks.
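
Added illustration, not part of the thread and not kernel code: a userspace C model of why the extra reqsk_put() described in the commit message went unnoticed with an atomic_t-style counter and surfaced after the refcount_t conversion. The struct and function names are hypothetical, the single starting reference is a constructed scenario, and the underflow check is a simplification of what refcount_t does.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code; all names here are hypothetical. */
struct plain_ref   { int count; };                       /* atomic_t-style */
struct checked_ref { unsigned int count; bool warned; }; /* refcount_t-style */

/* Like atomic_dec_and_test(): true only on the 1 -> 0 transition.
 * A further decrement (0 -> -1) returns false and reports nothing. */
static bool plain_dec_and_test(struct plain_ref *r)
{
    return --r->count == 0;
}

/* Simplified refcount_t-style check: decrementing a zero count is
 * refused and flagged instead of wrapping. */
static bool checked_dec_and_test(struct checked_ref *r)
{
    if (r->count == 0) {
        r->warned = true;   /* the kernel would emit a warning here */
        return false;
    }
    return --r->count == 0;
}

/* Constructed scenario: the caller owns one reference; the "forget" step
 * wrongly drops it, then the caller drops it again as it always did. */
int plain_double_put(void)
{
    struct plain_ref r = { .count = 1 };
    plain_dec_and_test(&r);   /* stray put in the forget step: 1 -> 0 */
    plain_dec_and_test(&r);   /* caller's own put: 0 -> -1, silent */
    return r.count;
}

bool checked_double_put(void)
{
    struct checked_ref r = { .count = 1 };
    checked_dec_and_test(&r); /* stray put: 1 -> 0 */
    checked_dec_and_test(&r); /* caller's own put: underflow flagged */
    return r.warned;
}

int main(void)
{
    printf("plain: %d, checked flagged: %d\n",
           plain_double_put(), checked_double_put());
    return 0;
}
```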
