| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iJiBbu_n8t4tweu_56-h0hY8CQHUDPHnsm6q0eUfMs8hw@mail.gmail.com>
Date: Tue, 14 Mar 2023 09:16:46 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: mingkun bian <bianmingkun@...il.com>
Cc: Kuniyuki Iwashima <kuniyu@...zon.com>, kerneljasonxing@...il.com,
netdev@...r.kernel.org
Subject: Re: [ISSUE]soft lockup in __inet_lookup_established() function which
one sock exist in two hash buckets(tcp_hashinfo.ehash)
On Tue, Mar 14, 2023 at 9:03 AM mingkun bian <bianmingkun@...il.com> wrote:
>
> Hi,
> I find a patch about tw sock, and we encountered a similar
> problem(my problem maybe the same "sock reuse" issue).
>
> https://patchwork.ozlabs.org/project/netdev/patch/20181220232856.1496-1-edumazet@google.com/
>
> I have some doubts about this patch, why does a freed tw sock(I
> think "sk refcnts is 0" indicate that the tw sock have deleted the
> twsk timer) can fires twsk timer after a minute later?
>
> 1. First something iterating over sockets finds already freed tw socket:
> refcount_t: increment on 0; use-after-free.
> WARNING: CPU: 2 PID: 2738 at lib/refcount.c:153 refcount_inc+0x26/0x30
>
> 2. then a minute later twsk timer fires and hits two bad refcnts
> for this freed socket:
> refcount_t: decrement hit 0; leaking memory.
> WARNING: CPU: 31 PID: 0 at lib/refcount.c:228 refcount_dec+0x2e/0x40
>
I would advise you to contact your vendor.
This list is for upstream/stable kernels only.
We do not want to investigate bugs that were fixed years ago.
Powered by blists - more mailing lists