Received-SPF: pass (google.com: domain of linux-kernel+bounces-5455-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <mengkanglai2@huawei.com>
CC: <davem@davemloft.net>, <dsahern@kernel.org>, <edumazet@google.com>,
	<fengtao40@huawei.com>, <kuba@kernel.org>, <linux-kernel@vger.kernel.org>,
	<netdev@vger.kernel.org>, <pabeni@redhat.com>, <yanan@huawei.com>,
	<kuniyu@amazon.com>
Subject: Re: [Consult]kernel tcp socket lack of refcnt for net may cause uaf problem?
Date: Wed, 20 Dec 2023 00:09:07 +0900
Message-ID: <20231219150907.9338-1-kuniyu@amazon.com>
In-Reply-To: <26f7811f5ee247c389ddd38034d8747d@huawei.com>
References: <26f7811f5ee247c389ddd38034d8747d@huawei.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Precedence: Bulk

From: mengkanglai <mengkanglai2@huawei.com>
Date: Tue, 19 Dec 2023 13:44:36 +0000
> Hello, Eric:
> 
> I found upstream have fixed a UAF issue (smc: Fix use-after-free in
> tcp_write_timer_handler()):
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9744d2bf19762703704ecba885b7ac282c02eacf
> 
> When create a kernel socket use sock_create_kern , it won't call get_net()
> to increase refcnt for net where the socket is located.
> I found some other subsystem(like rds and sunrpc) also use sock_create_kern
> to create kernel tcp socket, I want to know if they have same UAF problem?

You need to check if the subsystem itself holds net refcnt (not per socket)
and if it waits for TCP timer to be fired before destroying a socket.

It seems that runrpc holds net refcnt (xprt_net) and rds holds per-socket
net refcnt.