Message-Id: <fe675ba1-4711-4c79-8929-f7cc90aea4ad@app.fastmail.com>
Date: Wed, 03 Dec 2025 09:55:58 -0500
From: "Chuck Lever" <cel@...nel.org>
To: caoping <caoping@...s.chinamobile.com>,
 "Chuck Lever" <chuck.lever@...cle.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, horms@...nel.org, kernel-tls-handshake@...ts.linux.dev,
 netdev@...r.kernel.org
Subject: Re: [PATCH] net/handshake: restore destructor on submit failure



On Tue, Dec 2, 2025, at 11:12 PM, caoping wrote:
> handshake_req_submit() replaces sk->sk_destruct but never restores it when
> submission fails before the request is hashed. handshake_sk_destruct() then
> returns early and the original destructor never runs, leaking the socket.
> Restore sk_destruct on the error path.
>
> Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for 
> handling handshake requests")
>
> Signed-off-by: caoping <caoping@...s.chinamobile.com>
> ---
>  net/handshake/request.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/net/handshake/request.c b/net/handshake/request.c
> index 274d2c89b6b2..89435ed755cd 100644
> --- a/net/handshake/request.c
> +++ b/net/handshake/request.c
> @@ -276,6 +276,8 @@ int handshake_req_submit(struct socket *sock, 
> struct handshake_req *req,
>  out_unlock:
>  	spin_unlock(&hn->hn_lock);
>  out_err:
> +	/* Restore original destructor so socket teardown still runs on 
> failure */
> +	req->hr_sk->sk_destruct = req->hr_odestruct;
>  	trace_handshake_submit_err(net, req, req->hr_sk, ret);
>  	handshake_req_destroy(req);
>  	return ret;
>
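Review bot: the restore added under out_err runs on every failure path that reaches that label, including the fall-through from out_unlock, so each of those paths needs to be reached only after req->hr_odestruct has been saved. If any goto out_err can happen before the destructor is swapped, this line would overwrite a valid sk_destruct with an unset value; in that case guard the assignment or give the pre-swap failures their own label. The write also sits after spin_unlock(&hn->hn_lock), so the commit message should say why sk_destruct can be changed here without the lock. Minor style point: the new comment line runs past 80 columns and could be shortened to something like "/* Restore the original destructor on failure */".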
> base-commit: 4a26e7032d7d57c998598c08a034872d6f0d3945
> -- 
> 2.47.3

Reviewed-by: Chuck Lever <chuck.lever@...cle.com>

Consider adding a Cc: stable@...r.kernel.org when applying.


-- 
Chuck Lever
