On 3/17/25 10:22, Jiayuan Chen wrote:
> The sk->sk_socket is not locked or referenced, and during the call to
> skb_send_sock(), there is a race condition with the release of sk_socket.
> All types of sockets(tcp/udp/unix/vsock) will be affected.
> ...
> Some approach I tried
> ...
> 2. Increased the reference of sk_socket->file:
> - If the user calls close(fd), we will do nothing because the reference
> count is not set to 0. It's unexpected.
Have you considered bumping file's refcnt only for the time of
send/callback? Along the lines of:
static struct file *sock_get_file(struct sock *sk)
{
struct file *file = NULL;
struct socket *sock;
rcu_read_lock();
sock = sk->sk_socket;
if (sock)
file = get_file_active(&sock->file);
rcu_read_unlock();
return file;
}
static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
u32 off, u32 len, bool ingress)
{
int err;
if (!ingress) {
struct sock *sk = psock->sk;
struct file *file;
...
file = sock_get_file(sk);
if (!file)
return -EIO;
err = skb_send_sock(sk, skb, off, len);
fput(file);
return err;
}
...
}
static void sk_psock_verdict_data_ready(struct sock *sk)
{
struct file *file;
...
file = sock_get_file(sk);
if (!file)
return;
copied = sk->sk_socket->ops->read_skb(sk, sk_psock_verdict_recv);
fput(file);
...
}
