subject:"\[PATCH\] net\/rds\: Avoid potential use after free in rds_send_remove_from

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

2021-04-20 Thread Leon Romanovsky

On Tue, Apr 20, 2021 at 12:09:06PM +0300, Leon Romanovsky wrote:
> On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:
> > In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> > is freed and later under spinlock, causing potential use-after-free.
> > Set the free pointer to NULL to avoid undefined behavior.
> > 
> > Signed-off-by: Aditya Pakki 
> > ---
> >  net/rds/message.c | 1 +
> >  net/rds/send.c| 2 +-
> >  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> Dave, Jakub
> 
> Please revert this patch, given responses from Eric and Al together
> with this response from Greg here 
> https://lore.kernel.org/lkml/YH5/i7ovsjsmq...@kroah.com

https://lore.kernel.org/lkml/yh5%2fi7ovsjsmq...@kroah.com/

> 
> BTW, I looked on the rds code too and agree with Eric, this patch
> is a total garbage.
> 
> Thanks

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

2021-04-20 Thread Leon Romanovsky

On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.
> 
> Signed-off-by: Aditya Pakki 
> ---
>  net/rds/message.c | 1 +
>  net/rds/send.c| 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)

Dave, Jakub

Please revert this patch, given responses from Eric and Al together
with this response from Greg here 
https://lore.kernel.org/lkml/YH5/i7ovsjsmq...@kroah.com

BTW, I looked on the rds code too and agree with Eric, this patch
is a total garbage.

Thanks

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

2021-04-19 Thread Al Viro

On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:

> --- a/net/rds/send.c
> +++ b/net/rds/send.c
> @@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head 
> *messages, int status)
>  unlock_and_drop:
>   spin_unlock_irqrestore(&rm->m_rs_lock, flags);
>   rds_message_put(rm);
> - if (was_on_sock)
> + if (was_on_sock && rm)
>   rds_message_put(rm);

Look at the code immediately prior to the site of your "fix".
Think for a second what will happen if we *could* get there with rm
equal to NULL (with your patch applied, that is).  Now, try to construct
the sequence of events that would lead to that situation.  Either you
will arrive at a real bug (in which case your fix does not actually
fix anything) *OR* you will get closer to realization that "defensive
programming" tends to be worthless garbage.  In both case the result
would be useful...

Incidentally, locate the place where that variable is
last modified and find the precondition required for rm == NULL
downstream of that.

Plainly put, the patch demonstrates either complete lack of
understanding or somebody not acting in good faith.  If it's the latter[1],
may I suggest the esteemed sociologists to fuck off and stop
testing the reviewers with deliberately spewed excrements?

[1] 
https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

2021-04-09 Thread Eric Dumazet




On 4/7/21 2:09 AM, Aditya Pakki wrote:
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.
> 
> Signed-off-by: Aditya Pakki 
> ---
>  net/rds/message.c | 1 +
>  net/rds/send.c| 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/rds/message.c b/net/rds/message.c
> index 071a261fdaab..90ebcfe5fe3b 100644
> --- a/net/rds/message.c
> +++ b/net/rds/message.c
> @@ -180,6 +180,7 @@ void rds_message_put(struct rds_message *rm)
>   rds_message_purge(rm);
>  
>   kfree(rm);
> + rm = NULL;

This is a nop really.

This does not clear @rm variable in the caller.



>   }
>  }
>  EXPORT_SYMBOL_GPL(rds_message_put);
> diff --git a/net/rds/send.c b/net/rds/send.c
> index 985d0b7713ac..fe5264b9d4b3 100644
> --- a/net/rds/send.c
> +++ b/net/rds/send.c
> @@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head 
> *messages, int status)
>  unlock_and_drop:
>   spin_unlock_irqrestore(&rm->m_rs_lock, flags);
>   rds_message_put(rm);
> - if (was_on_sock)
> + if (was_on_sock && rm)
>   rds_message_put(rm);

Maybe the bug is that the refcount has not be elevated when was_on_sock
has been set.

>   }
>  
>

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

2021-04-07 Thread patchwork-bot+netdevbpf

Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Tue,  6 Apr 2021 19:09:12 -0500 you wrote:
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.
> 
> Signed-off-by: Aditya Pakki 
> ---
>  net/rds/message.c | 1 +
>  net/rds/send.c| 2 +-
>  2 files changed, 2 insertions(+), 1 deletion(-)

Here is the summary with links:
  - net/rds: Avoid potential use after free in rds_send_remove_from_sock
https://git.kernel.org/netdev/net/c/0c85a7e87465

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

2021-04-07 Thread Santosh Shilimkar



> On Apr 6, 2021, at 5:09 PM, Aditya Pakki  wrote:
> 
> In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
> is freed and later under spinlock, causing potential use-after-free.
> Set the free pointer to NULL to avoid undefined behavior.
> 
> Signed-off-by: Aditya Pakki 
> ---
> net/rds/message.c | 1 +
> net/rds/send.c| 2 +-
> 2 files changed, 2 insertions(+), 1 deletion(-)

Looks fine by me. Thanks.

Acked-by: Santosh Shilimkar

[PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

2021-04-06 Thread Aditya Pakki

In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
is freed and later under spinlock, causing potential use-after-free.
Set the free pointer to NULL to avoid undefined behavior.

Signed-off-by: Aditya Pakki 
---
 net/rds/message.c | 1 +
 net/rds/send.c| 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rds/message.c b/net/rds/message.c
index 071a261fdaab..90ebcfe5fe3b 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -180,6 +180,7 @@ void rds_message_put(struct rds_message *rm)
rds_message_purge(rm);
 
kfree(rm);
+   rm = NULL;
}
 }
 EXPORT_SYMBOL_GPL(rds_message_put);
diff --git a/net/rds/send.c b/net/rds/send.c
index 985d0b7713ac..fe5264b9d4b3 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head 
*messages, int status)
 unlock_and_drop:
spin_unlock_irqrestore(&rm->m_rs_lock, flags);
rds_message_put(rm);
-   if (was_on_sock)
+   if (was_on_sock && rm)
rds_message_put(rm);
}
 
-- 
2.25.1

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

Re: [PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

[PATCH] net/rds: Avoid potential use after free in rds_send_remove_from_sock

7 matches

Site Navigation

Mail list logo

Footer information