From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>,
Jason Baron <jbaron@akamai.com>,
Dmitry Vyukov <dvyukov@google.com>,
syzkaller <syzkaller@googlegroups.com>,
Michal Kubecek <mkubecek@suse.cz>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
David Miller <davem@davemloft.net>,
David Howells <dhowells@redhat.com>,
Paul Moore <paul@paul-moore.com>,
salyzyn@android.com, sds@tycho.nsa.gov, ying.xue@windriver.com,
netdev <netdev@vger.kernel.org>,
Kostya Serebryany <kcc@google.com>,
Alexander Potapenko <glider@google.com>,
Andrey Konovalov <andreyknvl@google.com>,
Sasha Levin <sasha.levin@oracle.com>,
Julien Tinnes <jln@google.com>, Kees Cook <keescook@google.com>,
Mathias Krause <minipli@googlemail.com>
Subject: Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue
Date: Fri, 13 Nov 2015 19:06:11 +0000 [thread overview]
Message-ID: <876115sorg.fsf@doppelsaurus.mobileactivedefense.com> (raw)
In-Reply-To: <1447267928.3704532.436332953.6FB2A816@webmail.messagingengine.com> (Hannes Frederic Sowa's message of "Wed, 11 Nov 2015 19:52:08 +0100")

Hannes Frederic Sowa <hannes@stressinduktion.org> writes:
> On Wed, Nov 11, 2015, at 17:12, Rainer Weikusat wrote:
>> Hannes Frederic Sowa <hannes@stressinduktion.org> writes:
>> > On Tue, Nov 10, 2015, at 22:55, Rainer Weikusat wrote:
>> >> An AF_UNIX datagram socket being the client in an n:1 association with
>> >> some server socket is only allowed to send messages to the server if the
>> >> receive queue of this socket contains at most sk_max_ack_backlog
>> >> datagrams.
>>
>> [...]
>>
>> > This whole patch seems pretty complicated to me.
>> >
>> > Can't we just remove the unix_recvq_full checks altogether and unify
>> > unix_dgram_poll with unix_poll?
>> >
>> > If we want to be cautious we could simply make unix_max_dgram_qlen limit
>> > the number of skbs which are in flight from a sending socket. The skb
>> > destructor can then decrement this. This seems much simpler.
>> >
>> > Would this work?
>>
>> In the way this is intended to work, cf.
>>
>> http://marc.info/?t=115627606000002&r=1&w=2
>
> Oh, I see, we don't limit closed but still referenced sockets. This
> actually makes sense on how fd handling is implemented, just as a range
> check.
>
> Have you checked if we can somehow deregister the socket in the poll
> event framework? You wrote that it does not provide such a function but
> maybe it would be easy to add?

I thought about this but this would amount to adding a general interface
for the sole purpose of enabling the af_unix code to talk to the
eventpoll code and I don't really like this idea: IMHO, there should be
at least two users (preferably three) before creating any kind of
'abstract interface'. An even more ideal "castle in the air"
(hypothetical) solution would be "change the eventpoll.c code such that
it won't be affected if a wait queue just goes away". That's at least
theoretically possible (although it might not be in practice).

I wouldn't mind doing that (assuming it was possible) if it was just
for the kernels my employer uses because I'm aware of the uses these
will be put to and in control of the corresponding userland code. But
for "general Linux code", changing epoll in order to help the af_unix
code is more potential trouble than it's worth: Exchanging a relatively
unimportant bug in some module for a much more visibly damaging bug in a
central facility would be a bad tradeoff.
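The n:1 datagram backlog rule quoted at the top of this message, shown from user space as an added example (not code from the thread, the patch or the kernel): a bound receiver that never reads, a sender that queues datagrams until the kernel refuses with EAGAIN, and poll() on the connected sender showing that its POLLOUT state depends on the peer's receive queue, which is the cross-socket state unix_dgram_poll has to track. It assumes Linux with the default net.unix.max_dgram_qlen; the /tmp scratch path and the struct and function names are constructed for this example.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

struct demo_result {
    int sent;                 /* datagrams queued before the first refusal */
    int full_err;             /* errno of that refusal (EAGAIN on Linux) */
    int writable_when_full;   /* POLLOUT on sender while peer queue full: expect 0 */
    int writable_after_drain; /* POLLOUT after peer reads one datagram: expect 1 */
};

static int pollout_now(int fd)
{
    struct pollfd p = { .fd = fd, .events = POLLOUT };
    return poll(&p, 1, 0) == 1 && (p.revents & POLLOUT) ? 1 : 0;
}

int run_backlog_demo(struct demo_result *r)   /* 0 = ok, -1 = setup failed */
{
    char dir[] = "/tmp/unixdgram-XXXXXX";     /* constructed scratch path */
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int rx, tx, rc = -1;
    char buf[8];
    memset(r, 0, sizeof(*r));
    if (!mkdtemp(dir)) return -1;
    snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/srv", dir);
    rx = socket(AF_UNIX, SOCK_DGRAM, 0);
    tx = socket(AF_UNIX, SOCK_DGRAM, 0);
    /* connect() makes rx the peer of tx, so unix_dgram_poll consults rx's queue. */
    if (rx < 0 || tx < 0 || bind(rx, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        connect(tx, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto out;
    /* Receiver never reads: send until refused (queue length > max_dgram_qlen). */
    while (r->sent < 1000 && send(tx, "x", 1, MSG_DONTWAIT) == 1)
        r->sent++;
    r->full_err = errno;
    r->writable_when_full = pollout_now(tx);
    if (recv(rx, buf, sizeof(buf), MSG_DONTWAIT) == 1)   /* peer drains one */
        r->writable_after_drain = pollout_now(tx);
    rc = 0;
out:
    close(rx); close(tx);                    /* close(-1) is a harmless EBADF */
    unlink(addr.sun_path); rmdir(dir);
    return rc;
}
```

With the default limit the sender gets eleven datagrams accepted (the check is queue length greater than max_dgram_qlen), then EAGAIN, and POLLOUT only returns once the receiver has drained one.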