Message-ID: <815ce4d97f6d673799ee7a94d90eeda58b1e51e4.camel@redhat.com>
Date: Fri, 26 May 2023 20:13:25 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Ефанов Владислав Александрович <vefanov@...ras.ru>, Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>, David Ahern <dsahern@...nel.org>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect

On Fri, 2023-05-26 at 18:58 +0300, Ефанов Владислав Александрович wrote:
> I don't think that we can just move sk_dst_set() call.
>
> I think we can destroy dst of sendmsg task in this case.

AFAICS ip6_sk_dst_lookup_flow tries to acquire a reference to the cached dst. If the connect() clears the cache, decreasing the refcnt, the counter of the dst in use by sendmsg() must still be non zero.

IMHO the problem you see is that sk_setup_caps() keeps using the dst after transferring the ownership to the dst cache, which is illegal. The suggested patch addressed that.

If I'm wrong your syzkaller repro will keep splatting. Please just have a spin, thanks.

Paolo
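
A user-space model of the ownership argument in the message above, added here as an illustration; it is not kernel code and not the patch under discussion. The struct layouts, the `freed` flag, `racing_reset()` and every function name are assumptions; `cache_set()` stands in for sk_dst_set() and the two `setup_caps_*` variants for sk_setup_caps() before and after reordering.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: "freed" marks the point where a real dst would be freed. */
struct dst  { int refcnt; int freed; unsigned features; };
struct sock { struct dst *cache; unsigned caps; };

static void dst_release(struct dst *d) { if (d && --d->refcnt == 0) d->freed = 1; }

/* The cache takes over the caller's reference; the caller no longer owns d. */
static void cache_set(struct sock *sk, struct dst *d) {
    struct dst *old = sk->cache;
    sk->cache = d;
    dst_release(old);
}

/* sendmsg-style lookup: takes its own reference on the cached dst. */
static struct dst *cache_get(struct sock *sk) {
    if (sk->cache) sk->cache->refcnt++;
    return sk->cache;
}

/* Stand-in for a concurrent task that resets the socket's dst cache. */
static void racing_reset(struct sock *sk) { cache_set(sk, NULL); }

/* Store first, use afterwards. Returns 1 if dst was read after being freed. */
static int setup_caps_store_first(struct sock *sk, struct dst *d) {
    cache_set(sk, d);        /* ownership handed to the cache here */
    racing_reset(sk);        /* other task runs inside the window */
    int stale = d->freed;    /* dst touched without holding a reference */
    sk->caps = d->features;
    return stale;
}

/* Use first, store last: dst is only read while the caller still owns it. */
static int setup_caps_store_last(struct sock *sk, struct dst *d) {
    int stale = d->freed;
    sk->caps = d->features;
    cache_set(sk, d);
    racing_reset(sk);
    return stale;
}

/* A sender holding its own reference: refcount left after the cache reset. */
static int sender_refcnt_after_reset(void) {
    struct dst d = { 1, 0, 0x5 };
    struct sock sk = { &d, 0 };
    struct dst *mine = cache_get(&sk);   /* cache ref + sender ref = 2 */
    racing_reset(&sk);                   /* cache drops its ref */
    return mine->freed ? -1 : mine->refcnt;
}
```
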