Linux CIFS filesystem development
From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <kuniyu@amazon.com>
Cc: <bharathsm@microsoft.com>, <kuni1840@gmail.com>,
	<linux-cifs@vger.kernel.org>, <pc@manguebit.com>,
	<ronniesahlberg@gmail.com>, <samba-technical@lists.samba.org>,
	<sfrench@samba.org>, <sprasad@microsoft.com>, <tom@talpey.com>
Subject: Re: [PATCH v1] smb: client: Fix use-after-free of network namespace.
Date: Sat, 2 Nov 2024 13:30:41 -0700
Message-ID: <20241102203041.71353-1-kuniyu@amazon.com>
In-Reply-To: <20241031175709.20111-1-kuniyu@amazon.com>

From: Kuniyuki Iwashima <kuniyu@amazon.com>
Date: Thu, 31 Oct 2024 10:57:09 -0700
> @@ -3071,7 +3070,7 @@ generic_ip_connect(struct TCP_Server_Info *server)
>  		socket = server->ssocket;
>  	} else {
>  		rc = __sock_create(cifs_net_ns(server), sfamily, SOCK_STREAM,
> -				   IPPROTO_TCP, &server->ssocket, 1);
> +				   IPPROTO_TCP, &server->ssocket, 0);
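Review bot: changing the last argument of __sock_create() from 1 to 0 is a broader lever than the netns refcount alone: besides making the new socket take a namespace reference, it clears sk->sk_kern_sock, so every path that checks whether a socket is kernel-internal now treats the SMB socket as a user socket. If the goal is only to pin the namespace, keep kern=1 and adjust the reference explicitly after creation instead of flipping the kern flag.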

I missed that the BPF inet_release() hook is invoked for sockets with
sk->sk_kern_sock set to 0.

This is trivial, but I'll post v2 with the diff below, following the
approach I took for SMC in commit 9744d2bf1976 ("smc: Fix use-after-free
in tcp_write_timer_handler().").

---8<---
diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
index 15d94ac4095e..0ce2d704b1f3 100644
--- a/fs/smb/client/connect.c
+++ b/fs/smb/client/connect.c
@@ -1037,6 +1037,7 @@ clean_demultiplex_info(struct TCP_Server_Info *server)
 		 */
 	}
 
+	put_net(cifs_net_ns(server));
 	kfree(server->leaf_fullpath);
 	kfree(server);
 
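Review bot: with put_net() moved to just before kfree(server), every path that frees a TCP_Server_Info must either go through clean_demultiplex_info() or drop the namespace reference itself; please confirm that the allocation-failure path which frees a freshly allocated server before the demultiplex thread starts still pairs its get_net() with a put_net(), otherwise this move turns the old use-after-free into a leak. Placing the put_net() before kfree(server) is the right order, since cifs_net_ns(server) reads the pointer out of the server.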
@@ -1635,8 +1636,6 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
 	/* srv_count can never go negative */
 	WARN_ON(server->srv_count < 0);
 
-	put_net(cifs_net_ns(server));
-
 	list_del_init(&server->tcp_ses_list);
 	spin_unlock(&cifs_tcp_ses_lock);
 
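Review bot: dropping the put_net() here without a comment leaves a reader of cifs_put_tcp_session() with no hint of where the reference now goes; state in the v2 commit message (and ideally in a one-line comment near list_del_init()) that the namespace has to stay alive until clean_demultiplex_info() frees the server, because the socket is torn down only on that later path.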
@@ -3070,13 +3069,22 @@ generic_ip_connect(struct TCP_Server_Info *server)
 	if (server->ssocket) {
 		socket = server->ssocket;
 	} else {
-		rc = __sock_create(cifs_net_ns(server), sfamily, SOCK_STREAM,
+		struct net *net = cifs_net_ns(server);
+		struct sock *sk;
+
+		rc = __sock_create(net, sfamily, SOCK_STREAM,
 				   IPPROTO_TCP, &server->ssocket, 1);
 		if (rc < 0) {
 			cifs_server_dbg(VFS, "Error %d creating socket\n", rc);
 			return rc;
 		}
 
+		sk = server->ssocket->sk;
+		__netns_tracker_free(net, &sk->ns_tracker, false);
+		sk->sk_net_refcnt = 1;
+		get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
+		sock_inuse_add(net, 1);
+
 		/* BB other socket options to set KEEPALIVE, NODELAY? */
 		cifs_dbg(FYI, "Socket created\n");
 		socket = server->ssocket;
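Review bot: the four lines after the error check (__netns_tracker_free(), sk->sk_net_refcnt = 1, get_net_track(), sock_inuse_add()) are order-sensitive and carry no comment; add one stating that the socket is created as a kernel socket, which does not pin the namespace, and is then converted to hold a tracked netns reference so it is accounted like a user socket and the namespace cannot go away under it. The non-refcounted tracker must be released (refcounted=false) before sk_net_refcnt is set and the tracked reference taken, and the sock_inuse_add() has to be balanced by the matching decrement on the socket's release path; a second open-coded copy of this sequence is easy to get subtly wrong, so since the same sequence already exists in SMC per the note above, a shared helper in the socket core would keep the two in sync. Keeping the conversion inside the else branch is correct, as a reused server->ssocket must not be converted twice.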
---8<---

Thread overview:
2024-10-31 17:57 [PATCH v1] smb: client: Fix use-after-free of network namespace Kuniyuki Iwashima
2024-11-02 20:30 ` Kuniyuki Iwashima [this message]