From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
David Miller <davem@davemloft.net>,
Willem de Bruijn <willemb@google.com>,
Eric Dumazet <edumazet@google.com>,
Daniel Borkmann <daniel@iogearbox.net>,
jarno@ovn.org, Philip Pettersson <philip.pettersson@gmail.com>,
weongyo.linux@gmail.com, netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: net/packet: use-after-free in packet_rcv_fanout
Date: Fri, 10 Feb 2017 11:16:24 -0800
Message-ID: <20170210191624.GA11187@oracle.com>
In-Reply-To: <CAM_iQpWtFo80Z5yDn1Mf6bcZg+OWCyeq98WF7t+bwxGOuSjXpA@mail.gmail.com>

On (02/10/17 10:00), Cong Wang wrote:
> My understanding about the race here is packet_release() doesn't
> wait for flying packets correctly, which leads to a flying packet still
> refers to the struct sock which is being released.
>
> This could happen because struct packet_fanout is refcn'ted, it is
:
> At least I believe this explains the crash Dmitry reported.

hmm, the proof of the pudding is in the eating - would be good to
be able to reliably reproduce this somewhere (thus proving that
root-cause analysis is rock-solid), maybe by introducing artificial
delays to slow down paths..

I'm travelling at the moment but may be able to give this (try
to reproduce it reliably) next week.

--Sowmini