On Thu, Apr 08, 2021 at 05:05 AM CEST, Cong Wang wrote:
> From: Cong Wang <cong.w...@bytedance.com>
>
> The last refcnt of the psock can be gone right after
> sock_map_remove_links(), so sk_psock_stop() could trigger a UAF.
> The reason why I placed sk_psock_stop() there is to avoid RCU read
> critical section, and more importantly, some callee of
> sock_map_remove_links() is supposed to be called with RCU read lock,
> we can not simply get rid of RCU read lock here. Therefore, the only
> choice we have is to grab an additional refcnt with sk_psock_get()
> and put it back after sk_psock_stop().
>
> Reported-by: syzbot+7b6548ae483d6f4c6...@syzkaller.appspotmail.com
> Fixes: 799aa7f98d53 ("skmsg: Avoid lock_sock() in sk_psock_backlog()")
> Cc: John Fastabend <john.fastab...@gmail.com>
> Cc: Daniel Borkmann <dan...@iogearbox.net>
> Cc: Jakub Sitnicki <ja...@cloudflare.com>
> Cc: Lorenz Bauer <l...@cloudflare.com>
> Signed-off-by: Cong Wang <cong.w...@bytedance.com>
> ---Acked-by: Jakub Sitnicki <ja...@cloudflare.com>
