| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3bffa44a-b98c-85d9-9d5f-1b52943a7f2f@ispras.ru> Date: Mon, 29 May 2023 17:13:05 +0300 From: Vlad Efanov <vefanov@...ras.ru> To: Paolo Abeni <pabeni@...hat.com>, Willem de Bruijn <willemdebruijn.kernel@...il.com> Cc: "David S. Miller" <davem@...emloft.net>, David Ahern <dsahern@...nel.org>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org Subject: Re: [PATCH] udp6: Fix race condition in udp6_sendmsg & connect Thank you for detail information. The patch is reworked and being tested now. Vlad. On 26.05.2023 21:13, Paolo Abeni wrote: > On Fri, 2023-05-26 at 18:58 +0300, Ефанов Владислав Александрович > wrote: >> I don't think that we can just move sk_dst_set() call. >> >> I think we can destroy dst of sendmsg task in this case. > AFAICS ip6_sk_dst_lookup_flow tries to acquire a reference to the > cached dst. If the connect() clears the cache, decreasing the refcnt, > the counter of the dst in use by sendmsg() must still be non zero. > > IMHO the problem you see is that sk_setup_caps() keeps using the dst > after transferring the ownership to the dst cache, which is illegal. > The suggested patch addressed that. > > If I'm wrong your syzkaller repro will keep splatting. Please have just > have a spin, thanks. > > Paolo >
Powered by blists - more mailing lists