On Fri, 2018-06-08 at 10:53 -0400, David Miller wrote:
> From: Paolo Abeni
> Date: Wed, 6 Jun 2018 15:16:29 +0200
>
> > @@ -1126,7 +1132,7 @@ static int kcm_recvmsg(struct socket *sock, struct
> > msghdr *msg,
> >
> > lock_sock(sk);
> >
> > - skb = kcm_wait_data(sk, flags, timeo, &err);
> > + skb = kcm_wait_data(sk, flags, peek, timeo, &err);
> >
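Review bot: in `skb = kcm_wait_data(sk, flags, peek, timeo, &err);` the new `peek` argument carries information that `flags` already holds (whether MSG_PEEK is set), so kcm_wait_data() could derive it from `flags & MSG_PEEK` itself instead of taking both; if the call site really must pass it separately, the hunk should also show where `peek` is initialised, because as quoted a reader cannot confirm it is set before this call, and the updated kcm_wait_data() prototype is not part of the quoted context either.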
On Wed, 2018-06-06 at 16:28 +0300, Kirill Tkhai wrote:
> On 06.06.2018 16:16, Paolo Abeni wrote:
> > KCM removes the packets from sk_receive_queue in requeue_rx_msgs()
> > without acquiring any lock. Moreover, in R() when the MSG_PEEK
> > flag is not present, the skb is peeked and dequeued with two
> > separate, non-atomic calls.
> >
> > The above creates room for races, which SYZBOT has been able to
> > exploit, causi
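The race described in the commit message above, as an added example written for this page and not code from the KCM patch or the kernel: a userspace model of a receive queue where one path peeks an skb and unlinks it with a second call while a requeue moves entries off the same queue. The ring layout follows the shape of struct sk_buff_head and __skb_unlink(), but the bool standing in for the spinlock, the `on` field, the stats counters and every function name are assumptions of the model. run_scenario() returns the number of problems detected for each combination of buggy or fixed receive path and unlocked or locked requeue; only fixing both sides returns 0, matching the two separate problems the commit message lists.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace stand-ins built for this example: the ring mimics struct
 * sk_buff_head / sk_buff, a bool mimics the queue spinlock, and the "on"
 * field plus the counters exist only so the model can report what a real
 * kernel would show as list corruption. */
struct link { struct link *next, *prev; };
struct skb_head;
struct skb { struct link l; struct skb_head *on; };          /* l must be first */
struct skb_head { struct link l; int qlen; bool locked; };
struct stats { int unlocked_edits, wrong_list_unlinks; };

static void q_init(struct skb_head *h) { h->l.next = h->l.prev = &h->l; h->qlen = 0; h->locked = false; }
static void q_lock(struct skb_head *h) { h->locked = true; }
static void q_unlock(struct skb_head *h) { h->locked = false; }
static bool q_empty(const struct skb_head *h) { return h->l.next == &h->l; }
static struct skb *q_peek(struct skb_head *h) { return q_empty(h) ? NULL : (struct skb *)h->l.next; }
static int q_count(const struct skb_head *h)
{
    int n = 0;
    for (const struct link *p = h->l.next; p != &h->l; p = p->next) n++;
    return n;
}

/* Like __skb_queue_tail(): no locking of its own, trusts the caller. */
static void queue_tail_nolock(struct skb_head *h, struct skb *s, struct stats *st)
{
    if (!h->locked) st->unlocked_edits++;
    s->l.prev = h->l.prev; s->l.next = &h->l;
    h->l.prev->next = &s->l; h->l.prev = &s->l;
    h->qlen++; s->on = h;
}

/* Like __skb_unlink(skb, list): qlen is adjusted on the list the caller names,
 * but the pointers rewritten belong to whichever list the skb really sits on.
 * If the two differ, another list is edited without its lock and both qlens drift. */
static void unlink_nolock(struct skb_head *h, struct skb *s, struct stats *st)
{
    if (s->on != h) st->wrong_list_unlinks++;
    if (!s->on->locked) st->unlocked_edits++;
    h->qlen--;
    s->l.prev->next = s->l.next; s->l.next->prev = s->l.prev;
    s->l.next = s->l.prev = NULL; s->on = NULL;
}

/* Stand-in for requeue_rx_msgs(): move everything from src to dst, with or
 * without src's lock (the first problem the commit message names). */
static void requeue(struct skb_head *src, struct skb_head *dst, bool lock_src, struct stats *st)
{
    if (lock_src) q_lock(src);
    while (!q_empty(src)) {
        struct skb *s = q_peek(src);
        unlink_nolock(src, s, st);
        q_lock(dst); queue_tail_nolock(dst, s, st); q_unlock(dst);
    }
    if (lock_src) q_unlock(src);
}

/* Pre-fix receive path: skb_peek(), the other CPU runs, then skb_unlink() of
 * the pointer peeked earlier: two separate, non-atomic calls. */
static struct skb *recv_peek_then_unlink(struct skb_head *q, struct skb_head *other, bool lock_src, struct stats *st)
{
    struct skb *s = q_peek(q);                        /* skb_peek() */
    requeue(q, other, lock_src, st);                  /* concurrent requeue */
    if (!s) return NULL;
    q_lock(q); unlink_nolock(q, s, st); q_unlock(q);  /* skb_unlink(s, q) */
    return s;
}

/* Fixed receive path: peek and dequeue form one critical section, so the
 * requeue runs either wholly before it or wholly after it. */
static struct skb *recv_dequeue(struct skb_head *q, struct skb_head *other, bool lock_src, struct stats *st)
{
    requeue(q, other, lock_src, st);
    q_lock(q);
    struct skb *s = q_peek(q);
    if (s) unlink_nolock(q, s, st);
    q_unlock(q);
    return s;
}

/* Queue three packets on list a, let one receive race one requeue to list b,
 * and return how many problems the model caught: edits without the lock,
 * unlinks from the wrong list, and lists whose qlen no longer matches them. */
static int run_scenario(bool atomic_receive, bool locked_requeue)
{
    struct skb_head a, b;
    struct skb pkts[3];
    struct stats st = {0, 0};
    q_init(&a); q_init(&b);
    q_lock(&a);
    for (int i = 0; i < 3; i++) queue_tail_nolock(&a, &pkts[i], &st);
    q_unlock(&a);
    if (atomic_receive) recv_dequeue(&a, &b, locked_requeue, &st);
    else recv_peek_then_unlink(&a, &b, locked_requeue, &st);
    return st.unlocked_edits + st.wrong_list_unlinks
         + (q_count(&a) != a.qlen) + (q_count(&b) != b.qlen);
}
```

Compile with any C99 compiler and call run_scenario() with the four combinations. The wrong-list unlink is the interleaving that matters: the receiver holds the lock of the queue it peeked from, but the skb now sits on another queue, so the unlink rewrites that queue's pointers without its lock and leaves both qlen counters out of step with the lists, which is the kind of corruption a fuzzer then trips over.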