From: David Miller <davem@davemloft.net>
To: edumazet@google.com
Cc: acme@kernel.org, aryabinin@virtuozzo.com, ebiederm@xmission.com,
gerrit@erg.abdn.ac.uk, dccp@vger.kernel.org, dvyukov@google.com,
xiyou.wangcong@gmail.com, kuznet@ms2.inr.ac.ru,
yoshfuji@linux-ipv6.org, kaber@trash.net,
syzkaller@googlegroups.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net/dccp: fix use after free in tw_timer_handler()
Date: Tue, 21 Feb 2017 13:23:03 -0500 (EST)
Message-ID: <20170221.132303.1154431393145795762.davem@davemloft.net>
In-Reply-To: <CANn89iJwGgyskr99Zp6HD7LPg7YfBtRWe4Br4GzV4g9UfN=sgQ@mail.gmail.com>
From: Eric Dumazet <edumazet@google.com>
Date: Tue, 21 Feb 2017 05:53:13 -0800
> On Tue, Feb 21, 2017 at 5:43 AM, Arnaldo Carvalho de Melo
> <acme@kernel.org> wrote:
>>
>> Em Tue, Feb 21, 2017 at 02:27:40PM +0300, Andrey Ryabinin escreveu:
>> > DCCP doesn't purge timewait sockets on network namespace shutdown.
>> > So, after net namespace destroyed we could still have an active timer
>> > which will trigger use after free in tw_timer_handler():
>> >
>> >
>> > Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
>> > timewait sockets on net namespace destruction and prevent above issue.
>>
>> Please add this, to help stable kernels to pick this up
>>
>> Fixes: b099ce2602d8 ("net: Batch inet_twsk_purge")
>> Cc: Eric W. Biederman <ebiederm@xmission.com>
>
>
> This patch has nothing to do with this bug really.
>
> Look at commit d315492b1a6ba29da0fa2860759505ae1b2db857
> ("netns : fix kernel panic in timewait socket destruction")
>
> Back in 2008, nobody spotted that DCCP was using the same infra.

So, let me get this straight, dccp is buggy because it tried as hard as
possible to share and use common pieces of infrastructure instead of
duplicating all of said logic?

Now I've heard everything.

I know it has been a pain in the rear fixing all of these dccp bugs,
but removing it from the tree or even pushing it into staging is
simply not an option.  So we better come up with a better plan based
upon reality rather than fantasy. :-)