Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-05 Thread Dmitry Vyukov
On Fri, Mar 3, 2017 at 5:00 PM, Eric Dumazet wrote:
> On Fri, 2017-03-03 at 07:22 -0800, Eric Dumazet wrote:
>> On Fri, Mar 3, 2017 at 7:12 AM, Dmitry Vyukov wrote:
>> > The first bot that picked this up started spewing:
>> >
>> > BUG: spinlock recursion on CPU#1, syz-executor2/9452
>>
>> Yes.

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Dmitry Vyukov
On Fri, Mar 3, 2017 at 3:48 PM, Eric Dumazet wrote:
> On Fri, 2017-03-03 at 06:32 -0800, Eric Dumazet wrote:
>> On Fri, 2017-03-03 at 15:11 +0100, Dmitry Vyukov wrote:
>> > On Mon, Feb 13, 2017 at 11:29 PM, Cong Wang
>> > wrote:
>> > > On Mon, Feb 13, 2017 at 11:19 AM, Andrey Konovalov
>> > >

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Eric Dumazet
On Fri, 2017-03-03 at 07:22 -0800, Eric Dumazet wrote:
> On Fri, Mar 3, 2017 at 7:12 AM, Dmitry Vyukov wrote:
> > The first bot that picked this up started spewing:
> >
> > BUG: spinlock recursion on CPU#1, syz-executor2/9452
>
> Yes. The bug is not about locking the listener, but protecting

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Eric Dumazet
On Fri, 2017-03-03 at 15:11 +0100, Dmitry Vyukov wrote:
> On Mon, Feb 13, 2017 at 11:29 PM, Cong Wang wrote:
> > On Mon, Feb 13, 2017 at 11:19 AM, Andrey Konovalov
> > wrote:
> >> Hi,
> >>
> >> I've got the following error report while fuzzing the kernel with
> >> syzkaller.
> >>
> >> On commit

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Dmitry Vyukov
On Fri, Mar 3, 2017 at 3:32 PM, Eric Dumazet wrote:
>> > On Mon, Feb 13, 2017 at 11:19 AM, Andrey Konovalov
>> > wrote:
>> >> Hi,
>> >>
>> >> I've got the following error report while fuzzing the kernel with
>> >> syzkaller.
>> >>
>> >> On commit 926af6273fc683cd98cd0ce7bf0d04a02eed6742.
>> >>

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Eric Dumazet
On Fri, Mar 3, 2017 at 7:12 AM, Dmitry Vyukov wrote:
> The first bot that picked this up started spewing:
>
> BUG: spinlock recursion on CPU#1, syz-executor2/9452

Yes. The bug is not about locking the listener, but protecting fields of struct dccp_request_sock

I will provide a patch, once I

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Eric Dumazet
On Fri, 2017-03-03 at 06:32 -0800, Eric Dumazet wrote:
> On Fri, 2017-03-03 at 15:11 +0100, Dmitry Vyukov wrote:
> > On Mon, Feb 13, 2017 at 11:29 PM, Cong Wang
> > wrote:
> > > On Mon, Feb 13, 2017 at 11:19 AM, Andrey Konovalov
> > > wrote:
> > >> Hi,
> > >>
> > >> I've got the following error

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Eric Dumazet
On Fri, 2017-03-03 at 16:06 +0100, Dmitry Vyukov wrote:
> Something that compiles is definitely better :)
> Reapplied.

Just to be clear: This is not the proper patch.

This only reduces the race. bh_lock_sock() does not prevent a user process from owning the socket. We need another protection,

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Dmitry Vyukov
On Fri, Mar 3, 2017 at 4:06 PM, Dmitry Vyukov wrote:
> On Fri, Mar 3, 2017 at 3:48 PM, Eric Dumazet wrote:
>> On Fri, 2017-03-03 at 06:32 -0800, Eric Dumazet wrote:
>>> On Fri, 2017-03-03 at 15:11 +0100, Dmitry Vyukov wrote:
>>> > On Mon, Feb 13, 2017 at 11:29 PM, Cong Wang
>>> > wrote:
>>> >

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Dmitry Vyukov
On Fri, Mar 3, 2017 at 3:11 PM, Dmitry Vyukov wrote:
> On Mon, Feb 13, 2017 at 11:29 PM, Cong Wang wrote:
>> On Mon, Feb 13, 2017 at 11:19 AM, Andrey Konovalov
>> wrote:
>>> Hi,
>>>
>>> I've got the following error report while fuzzing the kernel with syzkaller.
>>>
>>> On commit

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-03-03 Thread Dmitry Vyukov
On Mon, Feb 13, 2017 at 11:29 PM, Cong Wang wrote:
> On Mon, Feb 13, 2017 at 11:19 AM, Andrey Konovalov
> wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 926af6273fc683cd98cd0ce7bf0d04a02eed6742.
>>
>> A reproducer and .config are

Re: net/dccp: use-after-free in dccp_feat_activate_values

2017-02-13 Thread Cong Wang
On Mon, Feb 13, 2017 at 11:19 AM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit 926af6273fc683cd98cd0ce7bf0d04a02eed6742.
>
> A reproducer and .config are attached.
> Note, that it takes quite some time to trigger the