Date: Sat, 22 Oct 2022 19:30:44 -0700 From: Cong Wang <xiyou.wangcong@...il.com> To: netdev@...r.kernel.org Cc: Cong Wang <cong.wang@...edance.com>, shaozhengchao <shaozhengchao@...wei.com>, Paolo Abeni <pabeni@...hat.com>, Tom Herbert <tom@...bertland.com> Subject: [Patch net] kcm: fix a race condition in kcm_recvmsg() From: Cong Wang <cong.wang@...edance.com> sk->sk_receive_queue is protected by skb queue lock, but for KCM sockets its RX path takes mux->rx_lock to protect more than just skb queue, so grabbing skb queue lock is not necessary when mux->rx_lock is already held. But kcm_recvmsg() still only grabs the skb queue lock, so race conditions still exist. Close this race condition by taking mux->rx_lock in kcm_recvmsg() too. This way is much simpler than enforcing skb queue lock everywhere. Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") Tested-by: shaozhengchao <shaozhengchao@...wei.com> Cc: Paolo Abeni <pabeni@...hat.com> Cc: Tom Herbert <tom@...bertland.com> Signed-off-by: Cong Wang <cong.wang@...edance.com> --- net/kcm/kcmsock.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c index 27725464ec08..8b4e5d0ab2b6 100644 --- a/net/kcm/kcmsock.c +++ b/net/kcm/kcmsock.c @@ -1116,6 +1116,7 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg, { struct sock *sk = sock->sk; struct kcm_sock *kcm = kcm_sk(sk); + struct kcm_mux *mux = kcm->mux; int err = 0; long timeo; struct strp_msg *stm; @@ -1156,8 +1157,10 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg, msg_finished: /* Finished with message */ msg->msg_flags |= MSG_EOR; + spin_lock_bh(&mux->rx_lock); KCM_STATS_INCR(kcm->stats.rx_msgs); skb_unlink(skb, &sk->sk_receive_queue); + spin_unlock_bh(&mux->rx_lock); kfree_skb(skb); } } -- 2.34.1
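Review bot: in the declarations hunk of kcm_recvmsg(), mux is read from kcm->mux once at function entry, but the lock it names is only taken later at msg_finished, and the timeo variable indicates the function can wait in between. Either state in the changelog or a comment why kcm->mux cannot change or go away for the duration of the call, or load it immediately before spin_lock_bh(&mux->rx_lock).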
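Review bot: in the msg_finished hunk, skb_unlink(skb, &sk->sk_receive_queue) is still used inside the new spin_lock_bh(&mux->rx_lock) section, and skb_unlink() takes the queue's own lock internally, which the commit message says is not necessary once mux->rx_lock is held. Either switch to __skb_unlink() here or note in the changelog that the nested queue lock is kept deliberately. The locked region also starts only at msg_finished, after skb has already been obtained, so the changelog should say what keeps that skb on sk_receive_queue between the lookup and the point where rx_lock is taken; a short comment above the lock naming what mux->rx_lock protects in this function would help future readers.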