From: Eric Dumazet
Date: Sun, 20 Nov 2022 16:53:38 -0800
Subject: Re: [PATCH v2] net: tun: Fix use-after-free in tun_detach()
To: Hillf Danton
Cc: Shigeru Yoshida, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com
References: <20221120090213.922567-1-syoshida@redhat.com> <20221120104907.4795-1-hdanton@sina.com> <20221121003404.4875-1-hdanton@sina.com>
In-Reply-To: <20221121003404.4875-1-hdanton@sina.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Nov 20, 2022 at 4:34 PM Hillf Danton wrote:
>
> On 20 Nov 2022 08:04:13 -0800 Eric Dumazet
> > On Sun, Nov 20, 2022 at 2:49 AM Hillf Danton wrote:
> > > On 20 Nov 2022 18:02:13 +0900 Shigeru Yoshida
> > > >
> > > > This patch fixes the issue by calling sock_put() from tun_detach()
> > > > after all necessary accesses for the struct net has done.
> > >
> > > Thanks for your fix.
> > >
> > > But tun is not special wrt netdev_run_todo() and call_netdevice_notifiers(),
> > > so the correct fix should be making netdev grab another hold on net and
> > > invoking put_net() in the path of netdev_run_todo().
> >
> > Well, this is not going to work. Unless I am missing something.
>
> Thanks for taking a look.
>
> I mean bump up refcount for net when updating netdev->nd_net in a bid to
> make dev_net() safe throughout netdev's life span.

This would prevent netns deletion, as the following sequence would then no longer work as intended.

    ip netns add foo
    ip netns exec foo ip link set lo up
    ip netns del foo

When a netns is deleted ("ip netns del" and no more refcounted sockets), we have callbacks to unregister all devices tied to it.
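
Added example (not part of the message above, and not kernel code): a small user-space C model of why a per-device reference on the netns would prevent netns deletion. The struct, the function names and the single-device setup are constructed for illustration; it assumes only what the message states, namely that device unregistration runs from callbacks fired once the netns has no references left.

```c
/* User-space model, constructed for illustration. Not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct net_model {
    int  refs;     /* models the netns reference count */
    int  ndevs;    /* devices still registered in this netns */
    bool cleaned;  /* true once the cleanup callbacks have run */
};

/* Models the netns cleanup callbacks: unregister every device tied to it. */
static void cleanup_net_model(struct net_model *net)
{
    net->ndevs = 0;
    net->cleaned = true;
}

/* Drop one reference; cleanup only runs when the last one goes away. */
static void put_net_model(struct net_model *net)
{
    if (--net->refs == 0)
        cleanup_net_model(net);
}

/* Register a device. dev_holds_ref models the proposal under discussion:
 * the device takes its own reference on the netns for its whole life. */
static void register_dev_model(struct net_model *net, bool dev_holds_ref)
{
    net->ndevs++;
    if (dev_holds_ref)
        net->refs++;
}

/* Replays "netns add", a loopback device, "netns del".
 * Returns true if the netns was dismantled afterwards. */
bool netns_del_dismantles(bool dev_holds_ref)
{
    struct net_model net = { .refs = 1 };    /* "add": the name pins the netns */
    register_dev_model(&net, dev_holds_ref); /* lo lives in the new netns */
    put_net_model(&net);                     /* "del": drop the name's reference */
    return net.cleaned && net.ndevs == 0;
}

int main(void)
{
    printf("no device ref: dismantled=%d\n", netns_del_dismantles(false));
    printf("device ref:    dismantled=%d\n", netns_del_dismantles(true));
    return 0;
}
```

In the second case the only code that would unregister the device, and so release its reference, is the cleanup that the reference itself keeps from running.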