Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753228AbbKMWRi (ORCPT ); Fri, 13 Nov 2015 17:17:38 -0500 Received: from prod-mail-xrelay05.akamai.com ([23.79.238.179]:31110 "EHLO prod-mail-xrelay05.akamai.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752466AbbKMWRe (ORCPT ); Fri, 13 Nov 2015 17:17:34 -0500 Subject: Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue To: Rainer Weikusat References: <20151012120249.GB16370@unicorn.suse.cz> <1444652071.27760.156.camel@edumazet-glaptop2.roam.corp.google.com> <563CC002.5050307@akamai.com> <87ziyrcg67.fsf@doppelsaurus.mobileactivedefense.com> <87fv0fnslr.fsf_-_@doppelsaurus.mobileactivedefense.com> <877flp34fl.fsf@doppelsaurus.mobileactivedefense.com> <87a8qhspfm.fsf@doppelsaurus.mobileactivedefense.com> Cc: Dmitry Vyukov , syzkaller , Michal Kubecek , Al Viro , "linux-fsdevel@vger.kernel.org" , LKML , David Miller , Hannes Frederic Sowa , David Howells , Paul Moore , salyzyn@android.com, sds@tycho.nsa.gov, ying.xue@windriver.com, netdev , Kostya Serebryany , Alexander Potapenko , Andrey Konovalov , Sasha Levin , Julien Tinnes , Kees Cook , Mathias Krause From: Jason Baron X-Enigmail-Draft-Status: N1110 Message-ID: <5646617C.9080506@akamai.com> Date: Fri, 13 Nov 2015 17:17:32 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 In-Reply-To: <87a8qhspfm.fsf@doppelsaurus.mobileactivedefense.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2400 Lines: 70 On 11/13/2015 01:51 PM, Rainer Weikusat wrote: [...] > > - if (unix_peer(other) != sk && unix_recvq_full(other)) { > - if (!timeo) { > - err = -EAGAIN; > - goto out_unlock; > - } > + if (unix_peer(sk) == other && !unix_dgram_peer_recv_ready(sk, other)) { Remind me why the 'unix_peer(sk) == other' is added here? If the remote is not connected we still want to make sure that we don't overflow the the remote rcv queue, right? In terms of this added 'double' lock for both sk and other, where previously we just held the 'other' lock. I think we could continue to just hold the 'other' lock unless the remote queue is full, so something like: if (unix_peer(other) != sk && unix_recvq_full(other)) { bool need_wakeup = false; ....skipping the blocking case... err = -EAGAIN; if (!other_connected) goto out_unlock; unix_state_unlock(other); unix_state_lock(sk); /* if remote peer has changed under us, the connect() will wake up any pending waiter, just return -EAGAIN if (unix_peer(sk) == other) { /* In case we see there is space available queue the wakeup and we will try again. This this should be an unlikely condition */ if (!unix_dgram_peer_wake_me(sk, other)) need_wakeup = true; } unix_state_unlock(sk); if (need_wakeup) wake_up_interruptible_poll(sk_sleep(sk),POLLOUT | POLLWRNORM | POLLWRBAND); goto out_free; } So I'm not sure if the 'double' lock really affects any workload, but the above might be away to avoid it. Also - it might be helpful to add a 'Fixes:' tag referencing where this issue started, in the changelog. Worth mentioning too is that this patch should improve the polling case here dramatically, as we currently wake the entire queue on every remote read even when we have room in the rcv buffer. So this patch will cut down on ctxt switching rate dramatically from what we currently have. Thanks, -Jason -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/