From: mengkanglai
To: "David S. Miller", David Ahern, Eric Dumazet, Jakub Kicinski, "Paolo Abeni", "netdev@vger.kernel.org", "linux-kernel@vger.kernel.org"
CC: "Fengtao (fengtao, Euler)", "Yanan (Euler)"
Subject: [Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?
Date: Tue, 19 Dec 2023 13:44:36 +0000
Message-ID: <26f7811f5ee247c389ddd38034d8747d@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello, Eric:

I found upstream has fixed a UAF issue (smc: Fix use-after-free in tcp_write_timer_handler()):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9744d2bf19762703704ecba885b7ac282c02eacf

When creating a kernel socket using sock_create_kern, it won't call get_net() to increase the refcnt for the net where the socket is located.
I found some other subsystems (like rds and sunrpc) also use sock_create_kern to create kernel tcp sockets. I want to know if they have the same UAF problem?

Best wishes!
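
Added example, not part of the original message and not kernel code: a simplified userspace C model of the lifetime question raised above. The kern-flag behaviour mirrors sk_alloc(), which takes a namespace reference only for non-kernel sockets; the struct layouts, the alive flag and the model_* helpers are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model: names echo the kernel's, bodies are illustrative only. */
struct net  { int refcnt; bool alive; };
struct sock { struct net *net; bool sk_net_refcnt; };

static void get_net(struct net *n) { n->refcnt++; }

/* Dropping the last reference tears the namespace down. */
static void put_net(struct net *n) { if (--n->refcnt == 0) n->alive = false; }

/* Like sk_alloc(): only non-kernel sockets pin their namespace. */
static struct sock *model_sk_alloc(struct net *n, bool kern)
{
    struct sock *sk = calloc(1, sizeof(*sk));
    if (!sk)
        return NULL;
    sk->net = n;
    sk->sk_net_refcnt = !kern;
    if (sk->sk_net_refcnt)
        get_net(n);
    return sk;
}

static void model_sk_free(struct sock *sk)
{
    if (sk->sk_net_refcnt)
        put_net(sk->net);
    free(sk);
}

/* Stand-in for a pending TCP timer: 0 if sock_net(sk) is still valid,
 * -1 if the handler would touch a namespace that is already gone. */
static int model_timer_fires(const struct sock *sk) { return sk->net->alive ? 0 : -1; }

/* Scenario: the creator drops its namespace reference while a timer
 * is still pending on the socket. */
static int timer_after_netns_exit(bool kern)
{
    struct net n = { .refcnt = 1, .alive = true }; /* ref held by creator */
    struct sock *sk = model_sk_alloc(&n, kern);
    if (!sk)
        return -2;
    put_net(&n);                    /* creator exits, netns may be freed */
    int rc = model_timer_fires(sk);
    model_sk_free(sk);
    return rc;
}

int main(void) { return timer_after_netns_exit(true) == -1 && timer_after_netns_exit(false) == 0 ? 0 : 1; }
```

In the model, the kernel-socket case reports a stale namespace because nothing the socket holds keeps refcnt above zero; the user-socket case stays valid until the socket itself is freed.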