Date: Sun, 13 Nov 2022 16:55:15 -0800
From: Cong Wang
To: Wang Hai
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, cong.wang@bytedance.com, f.fainelli@gmail.com, tom@herbertland.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH net] kcm: Fix kernel NULL pointer dereference in requeue_rx_msgs
References: <20221112120423.56132-1-wanghai38@huawei.com>
In-Reply-To: <20221112120423.56132-1-wanghai38@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Nov 12, 2022 at 08:04:23PM +0800, Wang Hai wrote:
> In kcm_rcv_strparser(), the skb is queued to the kcm that is currently
> being reserved, and if the queue is full, unreserve_rx_kcm() will be
> called. At this point, if KCM_RECV_DISABLE is set, then unreserve_rx_kcm()
> will requeue received messages for the current kcm socket to other kcm
> sockets. The kcm sock lock is not held during this time, and as long as
> someone calls kcm_recvmsg, it will concurrently unlink the same skb, which
> will result in a null pointer reference.
>
> cpu0                       cpu1                        cpu2
> kcm_rcv_strparser
>  reserve_rx_kcm
>                            kcm_setsockopt
>                             kcm_recv_disable
>                              kcm->rx_disabled = 1;
>  kcm_queue_rcv_skb
>   unreserve_rx_kcm
>    requeue_rx_msgs                                     kcm_recvmsg
>     __skb_dequeue
>      __skb_unlink(skb)                                  skb_unlink(skb)
>      //double unlink skb
>

We will hold skb queue lock after my patch, so this will not happen after
applying my patch below?

https://lore.kernel.org/netdev/20221114005119.597905-1-xiyou.wangcong@gmail.com/

Thanks.
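The race above comes down to one property of the kernel's `__skb_unlink()`: it clears the unlinked node's `next`/`prev` pointers, so a second unlink of the same skb dereferences NULL. The following user-space model, an added example that is neither kernel code nor part of either patch, reproduces that queue shape with a sentinel head and a per-queue lock, rejects a double unlink instead of crashing, and shows the requeue loop and the consumer-side unlink both taking the queue lock, which is the serialisation Cong Wang's reply refers to. All names (`struct msg`, `msgq_*`, `demo_*`) are this example's own.

```c
/* Added example (not kernel code): a minimal model of an sk_buff-style
 * doubly linked queue. As with the kernel's __skb_unlink(), unlinking
 * clears the node's prev/next pointers, so a second unlink of the same
 * node would dereference NULL. The guarded unlink detects that state, and
 * the queue lock serialises the two paths that race in the report. */
#include <pthread.h>
#include <stddef.h>

struct msg {                 /* stands in for struct sk_buff */
    struct msg *next, *prev;
    int id;
};

struct msg_queue {           /* stands in for struct sk_buff_head; the first */
    struct msg *next, *prev; /* two fields mirror struct msg so the queue can */
    size_t qlen;             /* act as the ring's sentinel node */
    pthread_mutex_t lock;
};

void msgq_init(struct msg_queue *q)
{
    q->next = q->prev = (struct msg *)q;
    q->qlen = 0;
    pthread_mutex_init(&q->lock, NULL);
}

/* Unlocked tail insert; caller must hold q->lock. */
void __msgq_queue_tail(struct msg_queue *q, struct msg *m)
{
    struct msg *head = (struct msg *)q;
    m->next = head;
    m->prev = head->prev;
    head->prev->next = m;
    head->prev = m;
    q->qlen++;
}

/* Unlocked unlink mirroring __skb_unlink(): pointers are cleared on exit.
 * Returns -1 and leaves the list alone if m is not linked; the real helper
 * has no such guard and would dereference m->next == NULL. */
int __msgq_unlink(struct msg_queue *q, struct msg *m)
{
    struct msg *next = m->next, *prev = m->prev;
    if (next == NULL || prev == NULL)
        return -1;           /* double (or never-linked) unlink detected */
    m->next = m->prev = NULL;
    next->prev = prev;
    prev->next = next;
    q->qlen--;
    return 0;
}

/* Locked variants: both the requeue path and the consumer path go through
 * the queue lock, so their unlinks cannot interleave. */
void msgq_queue_tail(struct msg_queue *q, struct msg *m)
{
    pthread_mutex_lock(&q->lock);
    __msgq_queue_tail(q, m);
    pthread_mutex_unlock(&q->lock);
}

int msgq_unlink(struct msg_queue *q, struct msg *m)
{
    pthread_mutex_lock(&q->lock);
    int ret = __msgq_unlink(q, m);
    pthread_mutex_unlock(&q->lock);
    return ret;
}

/* Move every message from src to dst while holding src's lock, the shape
 * of a requeue_rx_msgs-style loop (the loop itself is this example's own). */
size_t msgq_requeue_all(struct msg_queue *src, struct msg_queue *dst)
{
    size_t moved = 0;
    pthread_mutex_lock(&src->lock);
    while (src->next != (struct msg *)src) {
        struct msg *m = src->next;
        __msgq_unlink(src, m);
        msgq_queue_tail(dst, m);
        moved++;
    }
    pthread_mutex_unlock(&src->lock);
    return moved;
}

/* The reported interleaving, serialised by the lock: cpu0 dequeues an skb,
 * then cpu2's unlink of the same skb is rejected rather than crashing.
 * Returns the number of double-unlink attempts that were caught. */
int demo_double_unlink(void)
{
    struct msg_queue rx;
    struct msg a = { .id = 1 }, b = { .id = 2 };
    int caught = 0;
    msgq_init(&rx);
    msgq_queue_tail(&rx, &a);
    msgq_queue_tail(&rx, &b);
    struct msg *m = rx.next;            /* cpu0: __skb_dequeue picks a */
    msgq_unlink(&rx, m);                /*        __skb_unlink(skb)     */
    if (msgq_unlink(&rx, m) < 0)        /* cpu2: skb_unlink(skb) again  */
        caught++;
    return caught;                      /* 1 caught, rx.qlen is now 1   */
}

/* Requeue two messages to another queue; returns how many were moved. */
size_t demo_requeue(void)
{
    struct msg_queue rx, other;
    struct msg a = { .id = 1 }, b = { .id = 2 };
    msgq_init(&rx);
    msgq_init(&other);
    msgq_queue_tail(&rx, &a);
    msgq_queue_tail(&rx, &b);
    return msgq_requeue_all(&rx, &other) + (rx.qlen == 0 && other.qlen == 2 ? 0 : 100);
}
```

The guard in `__msgq_unlink()` is a debugging aid for the model, not a substitute for the lock: in the kernel the correct fix is the one discussed in the thread, holding the skb queue lock across the requeue so the consumer can never observe a half-unlinked skb in the first place.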