From: David Miller
Subject: Re: [Patch net] tipc: switch to rhashtable iterator
Date: Wed, 29 Aug 2018 18:05:16 -0700 (PDT)
Message-ID: <20180829.180516.859582570374575869.davem@davemloft.net>
References: <20180824192806.32005-1-xiyou.wangcong@gmail.com>
In-Reply-To: <20180824192806.32005-1-xiyou.wangcong@gmail.com>
To: xiyou.wangcong@gmail.com
Cc: netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, jon.maloy@ericsson.com, ying.xue@windriver.com
List-ID: netdev

From: Cong Wang
Date: Fri, 24 Aug 2018 12:28:06 -0700

> syzbot reported a use-after-free in tipc_group_fill_sock_diag(),
> where tipc_group_fill_sock_diag() still reads tsk->group while
> tipc_group_delete() just deletes it in tipc_release().
>
> tipc_nl_sk_walk() aims to lock this sock when walking each sock
> in the hash table to close race conditions with sock changes like
> this one, by acquiring the tsk->sk.sk_lock.slock spinlock; unfortunately
> this doesn't work at all. All non-BH call paths should take
> lock_sock() instead to make it work.
>
> tipc_nl_sk_walk() brutally iterates with the raw rht_for_each_entry_rcu(),
> where the RCU read lock is required; this is the reason why lock_sock()
> can't be taken on this path. This could be resolved by switching to the
> rhashtable iterator APIs, where taking a sleepable lock is possible.
> Also, the iterator APIs are friendly for restartable calls like the
> diag dump: the last position is remembered behind the scenes, and
> all we need to do here is save the iterator into cb->args[].
>
> I tested this with parallel tipc diag dump and thousands of tipc
> socket creations and releases, no crash or memory leak.
>
> Reported-by: syzbot+b9c8f3ab2994b7cd1625@syzkaller.appspotmail.com
> Cc: Jon Maloy
> Cc: Ying Xue
> Signed-off-by: Cong Wang

Applied and queued up for -stable, thanks Cong.
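As an added illustration (my own user-space model, not code from the patch or from the kernel), this C sketch shows the resumable-walk pattern the commit message describes: a walker records its position, each entry is visited under a sleepable per-entry lock outside any RCU read-side section, and the walker is stashed in an args[] array between dump calls, which is the role cb->args[] plays in the patch. The bucketed table, the walker struct and the per-entry mutex are constructed stand-ins for the rhashtable, rhashtable_iter and lock_sock(), not the kernel APIs.

```c
#include <pthread.h>
#include <stddef.h>
#define NBUCKETS 4
#define NSLOTS 3
#define DUMP_BUDGET 3   /* entries emitted per dump call (constructed) */

struct tsk { int portid, in_use; pthread_mutex_t lock; }; /* stand-in for tipc_sock */
static struct tsk table[NBUCKETS][NSLOTS];   /* stand-in for the rhashtable */
struct walker { int bucket, slot; };         /* stand-in for rhashtable_iter */

/* Constructed population: every other slot is live. Returns the live count. */
int setup_table(void)
{
    int live = 0;
    for (int b = 0; b < NBUCKETS; b++)
        for (int s = 0; s < NSLOTS; s++) {
            pthread_mutex_init(&table[b][s].lock, NULL);
            table[b][s].in_use = (b + s) % 2 == 0;
            table[b][s].portid = 100 * b + s;
            live += table[b][s].in_use;
        }
    return live;
}

/* Next live entry after the saved position, or NULL when exhausted. */
static struct tsk *walk_next(struct walker *it)
{
    for (; it->bucket < NBUCKETS; it->bucket++, it->slot = 0)
        for (; it->slot < NSLOTS; it->slot++)
            if (table[it->bucket][it->slot].in_use)
                return &table[it->bucket][it->slot++];
    return NULL;
}

/* One dump call: emit up to DUMP_BUDGET portids, then save the walker in
 * args[] (what the patch does with cb->args[]) so the next call resumes. */
int dump_once(long args[2], int *out)
{
    struct walker it = { .bucket = (int)args[0], .slot = (int)args[1] };
    struct tsk *s; int n = 0;
    while (n < DUMP_BUDGET && (s = walk_next(&it)) != NULL) {
        pthread_mutex_lock(&s->lock);   /* sleepable: no RCU read side held */
        out[n++] = s->portid;
        pthread_mutex_unlock(&s->lock);
    }
    args[0] = it.bucket; args[1] = it.slot;
    return n;
}
```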