lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3eb282be85ab035e36c80d73949c33868e698d43.camel@redhat.com>
Date: Fri, 08 Mar 2024 12:10:54 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski
 <kuba@...nel.org>,  netdev@...r.kernel.org, eric.dumazet@...il.com, Martin
 KaFai Lau <kafai@...com>,  Joe Stringer <joe@...d.net.nz>, Alexei
 Starovoitov <ast@...nel.org>, Willem de Bruijn
 <willemdebruijn.kernel@...il.com>, Kuniyuki Iwashima <kuniyu@...zon.com>, 
 Florian Westphal <fw@...len.de>
Subject: Re: [PATCH net-next] udp: no longer touch sk->sk_refcnt in early
 demux

On Fri, 2024-03-08 at 10:21 +0100, Eric Dumazet wrote:
> > > diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> > > index a8acea17b4e5344d022ae8f8eb674d1a36f8035a..e43ad1d846bdc2ddf5767606b78bbd055f692aa8 100644
> > > --- a/net/ipv4/udp.c
> > > +++ b/net/ipv4/udp.c
> > > @@ -2570,11 +2570,12 @@ int udp_v4_early_demux(struct sk_buff *skb)
> > >                                            uh->source, iph->saddr, dif, sdif);
> > >       }
> > > 
> > > -     if (!sk || !refcount_inc_not_zero(&sk->sk_refcnt))
> > > +     if (!sk)
> > >               return 0;
> > > 
> > >       skb->sk = sk;
> > > -     skb->destructor = sock_efree;
> > > +     DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));
> > > +     skb->destructor = sock_pfree;
> > 
> > I *think* that the skb may escape the current rcu section if e.g. if
> > matches a nf dup target in the input tables.
> 
> You mean the netfilter queueing stuff perhaps ?
> 
> This is already safe, it uses a refcount_inc_not_zero(&sk->sk_refcnt):
> 
> if (skb_sk_is_prefetched(skb)) {
>     struct sock *sk = skb->sk;
> 
>     if (!sk_is_refcounted(sk)) {
>              if (!refcount_inc_not_zero(&sk->sk_refcnt))
>                    return -ENOTCONN;
> 
>         /* drop refcount on skb_orphan */
>         skb->destructor = sock_edemux;
>     }
> }
> 
> I would think a duplicate can not duplicate skb->sk in general, or must also
> attempt an refcount_inc_not_zero(&sk->sk_refcnt) and use a related destructor.

Right, looks safe.

Acked-by: Paolo Abeni <pabeni@...hat.com>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ