Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4926830rwb;
        Sun, 13 Nov 2022 17:22:26 -0800 (PST)
X-Google-Smtp-Source: AA0mqf4iRdqFSai+0A2+Fu3A30p/UrtdJkeoyQeSZykvXGcpNWcGdU4Bhd4mhbKeUIfBI0jFSw+U
X-Received: by 2002:a17:902:ba8f:b0:179:c436:4528 with SMTP id k15-20020a170902ba8f00b00179c4364528mr11780240pls.102.1668388945898;
        Sun, 13 Nov 2022 17:22:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668388945; cv=none;
        d=google.com; s=arc-20160816;
        b=ymjPDdAB6RFrOtcbAGXuywCP7sBybfLuuq1oPJo/lGws1aFLj+uHNFgNcEx3FPQV2h
         NxmS8PHzCImJ0vxFIY0Xuk0sK5meTFurWGPl1eg1rpdVeuiy96hsF5MrTG/YQtMllvkR
         UiEZwln9OJ1M79GjowVB9PsuT7CVpbncgdLYuKG1vgudmANlNDWF3ctZdohjs3e26TWR
         MLGciWsvDA2uURTqgezEmZFQBmI7VuJgNyAkc9N9tsSwBBKbRvRDtOiSyD2nDp3sehts
         eeYGcrFoqnuCkP6UnYtPcXQPNTCPEfBhBI+nYAuo/I41mzGeYLayQj0Ip+HV36WGEoRf
         abXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=1eWmdrMuwMapU7AuwfWIBLQ5gu2VO9LXeJ1JQHUSa5M=;
        b=vDotXpDC07M+1Yi47S36Ro6g72L0Fzz1ted1h6EQj8bM/ouqSxFgsElIHmIpE6blpj
         kkVzXqPgQyUZ7Eac04VP3nepDZ8z7hKvIibJ5TXnORAX9K+Z8LISBTBsxQZ2XkYoDCxp
         i1jO6YoteKy22M5DQvfaeKHkBWVmkY7++yZTySBX367szqHjFob2p23zx+6Lrm3SzoUY
         /R7iCZH9sFw3YAgXna0PfuX9gFBlOemrjCqygTOo73nMho2s7nRx5EVFyn6lCr/C36di
         XxgT3QtpT1ZskmZwHKPknbHsBYHsTpbrgTwi0scGRpmwo38uQPwPpuTkgryb3J3Sf/+o
         HkTA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=jHt37U4d;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id lw14-20020a17090b180e00b0020d47757829si8008836pjb.144.2022.11.13.17.22.14;
        Sun, 13 Nov 2022 17:22:25 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=jHt37U4d;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235635AbiKNAzT (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 89 others); Sun, 13 Nov 2022 19:55:19 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40052 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233069AbiKNAzR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 13 Nov 2022 19:55:17 -0500
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1DB80C75C;
        Sun, 13 Nov 2022 16:55:17 -0800 (PST)
Received: by mail-oi1-x230.google.com with SMTP id q186so10051097oia.9;
        Sun, 13 Nov 2022 16:55:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=1eWmdrMuwMapU7AuwfWIBLQ5gu2VO9LXeJ1JQHUSa5M=;
        b=jHt37U4d8jNXsCEZDBNP9ic4j08D10mDXoZ6fXku34Z0l/o6Q8Zccryus5a1jbpq/7
         GQNEtEszyPRetKWerIMjfbcub5WrwHl/UljDLgXyjqrV/H+CCE2SaNfAD/+5TU5Fp+oo
         PB4ae29rRoL5oPx8vGJkSFCkG3Y7P/VetJi4gTAlvb+N6GmnQ9CYu5F11npG39s47bWH
         +DtncEopKarLmD1iUFPpVBnmAsPV39o2tJLuR1G5KkHhKWp3rcs6K1IZSTjo5s4co3V5
         AN6R3lCUFRVPpgih8Ne16BLIXCXyZJefIL8PhI/QIAHNXFWBZNkqt1kmaEx22z9d5PiX
         0FyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=1eWmdrMuwMapU7AuwfWIBLQ5gu2VO9LXeJ1JQHUSa5M=;
        b=tu0hoxLLZYUJbNutW/mAdQp82ul5CD75HvvxMxakR+jzQXy1e5n9YINdIhT0JszNAc
         xZMDaJcA9hEFhUXrBoNw36RmhLrIkILztrm7TTa3YNoQsOuPfcVahjP0WdAKnLfeTExA
         8ZNrM4+LZI3WRvpMQXcfcQpHObGUN9myU5dCTdk1sRWtHD+QMwMomWPZzYCJoDKrACAS
         7OUF2YS/Nk6Y5+RiqWzKypWWDtjsrjEjm+Ewx0XoH47cvmhmz/e1RbvwGC/tYwuAZHvj
         OAuAvMs6f1ikxoeKcXISz3WktFvvfzs6mmlT83TaHz4ssbTSDpqKqHX1UOsBRwv7Brgr
         Z3ag==
X-Gm-Message-State: ANoB5pnWrVvbeB72csE+YhxDurooAt9LBLJ7b8Bg5z/CsXMhom+zGd0g
        CM3XuWK/Ulg2rEtuhvxw/kI=
X-Received: by 2002:aca:f089:0:b0:35a:e78c:8515 with SMTP id o131-20020acaf089000000b0035ae78c8515mr1562205oih.130.1668387316451;
        Sun, 13 Nov 2022 16:55:16 -0800 (PST)
Received: from localhost ([2600:1700:65a0:ab60:6343:42bb:5d9b:dded])
        by smtp.gmail.com with ESMTPSA id q5-20020a056870328500b0012763819bcasm4262716oac.50.2022.11.13.16.55.15
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 13 Nov 2022 16:55:15 -0800 (PST)
Date:   Sun, 13 Nov 2022 16:55:15 -0800
From:   Cong Wang <xiyou.wangcong@gmail.com>
To:     Wang Hai <wanghai38@huawei.com>
Cc:     davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
        pabeni@redhat.com, cong.wang@bytedance.com, f.fainelli@gmail.com,
        tom@herbertland.com, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org
Subject: Re: [PATCH net] kcm: Fix kernel NULL pointer dereference in
 requeue_rx_msgs
Message-ID: <Y3GR89nyWvTwHulH@pop-os.localdomain>
References: <20221112120423.56132-1-wanghai38@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20221112120423.56132-1-wanghai38@huawei.com>
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
        RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Nov 12, 2022 at 08:04:23PM +0800, Wang Hai wrote:
> In kcm_rcv_strparser(), the skb is queued to the kcm that is currently
> being reserved, and if the queue is full, unreserve_rx_kcm() will be
> called. At this point, if KCM_RECV_DISABLE is set, then unreserve_rx_kcm()
> will requeue received messages for the current kcm socket to other kcm
> sockets. The kcm sock lock is not held during this time, and as long as
> someone calls kcm_recvmsg, it will concurrently unlink the same skb, which
> ill result in a null pointer reference.
> 
> cpu0 			cpu1		        cpu2
> kcm_rcv_strparser
>  reserve_rx_kcm
>                         kcm_setsockopt
>                          kcm_recv_disable
>                           kcm->rx_disabled = 1;
>   kcm_queue_rcv_skb
>   unreserve_rx_kcm
>    requeue_rx_msgs                              kcm_recvmsg
>     __skb_dequeue
>      __skb_unlink(skb)				  skb_unlink(skb)
>                                                   //double unlink skb
> 

We will hold skb queue lock after my patch, so this will not happen after
applying my patch below?
https://lore.kernel.org/netdev/20221114005119.597905-1-xiyou.wangcong@gmail.com/

Thanks.