On Thu, Apr 08, 2021 at 05:05 AM CEST, Cong Wang wrote:
> From: Cong Wang <[email protected]>
>
> The last refcnt of the psock can be gone right after
> sock_map_remove_links(), so sk_psock_stop() could trigger a UAF.
> The reason why I placed sk_psock_stop() there is to avoid RCU read
> critical section, and more importantly, some callee of
> sock_map_remove_links() is supposed to be called with RCU read lock,
> we can not simply get rid of RCU read lock here. Therefore, the only
> choice we have is to grab an additional refcnt with sk_psock_get()
> and put it back after sk_psock_stop().
>
> Reported-by: [email protected]
> Fixes: 799aa7f98d53 ("skmsg: Avoid lock_sock() in sk_psock_backlog()")
> Cc: John Fastabend <[email protected]>
> Cc: Daniel Borkmann <[email protected]>
> Cc: Jakub Sitnicki <[email protected]>
> Cc: Lorenz Bauer <[email protected]>
> Signed-off-by: Cong Wang <[email protected]>
> ---
Acked-by: Jakub Sitnicki <[email protected]>
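As an added illustration of the ordering problem the quoted message describes (this is not kernel code and not the patch itself), the model below reproduces the two teardown orders with a simulated reference count: the function names follow the message, while the refcount model, the single static slot and the `alive` flag are constructed assumptions so the demo never touches genuinely freed memory.

```c
/* Added illustration, not kernel code: names follow the patch description,
 * but the refcount model, the static slot and the alive flag are constructed. */
#include <stdbool.h>
struct psock {
    int  refcnt;  /* simulated reference count */
    bool alive;   /* cleared when the last reference is dropped */
};

/* One static slot stands in for kmalloc/kfree; "freeing" just clears alive. */
static struct psock slot;
static struct psock *psock_alloc(void)
{
    slot.refcnt = 1;  /* the sock map link owns this reference */
    slot.alive = true;
    return &slot;
}

static void sk_psock_get(struct psock *p) { p->refcnt++; }
static void sk_psock_put(struct psock *p)
{
    if (--p->refcnt == 0)
        p->alive = false;  /* last ref gone: kfree would happen here */
}

/* Dropping the map link releases its reference; if nothing else holds one,
 * the psock is gone by the time this returns. */
static void sock_map_remove_links(struct psock *p) { sk_psock_put(p); }

/* Returns false when called on an already released psock (the UAF case). */
static bool sk_psock_stop(struct psock *p) { return p->alive; }

/* Ordering before the fix: stop runs after the last put. */
bool teardown_before_fix(void)
{
    struct psock *p = psock_alloc();
    sock_map_remove_links(p);
    return sk_psock_stop(p);  /* false: use after free */
}

/* Ordering from the patch: pin the psock across sk_psock_stop(). */
bool teardown_after_fix(void)
{
    struct psock *p = psock_alloc();
    sk_psock_get(p);
    sock_map_remove_links(p);
    bool ok = sk_psock_stop(p);  /* true: still alive */
    sk_psock_put(p);             /* now the object is released */
    return ok && !p->alive;
}
```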
