On Wed, 13 Jul 2022 10:26:21 -0400 Chuck Lever wrote: > The sk_psock facility populates the sk_user_data field with the > address of an extra bit of metadata. User space sockets never > populate the sk_user_data field, so this has worked out fine. > > However, kernel socket consumers such as the RPC client and server > do populate the sk_user_data field. The sk_psock() function cannot > tell that the content of sk_user_data does not point to psock > metadata, so it will happily return a pointer to something else, > cast to a struct sk_psock. > > Thus kernel socket consumers and psock currently cannot co-exist. > > We could educate sk_psock() to return NULL if sk_user_data does > not point to a struct sk_psock. However, a more general solution > that enables full co-existence psock and other uses of sk_user_data > might be more interesting. > > Move the struct sk_psock address to its own pointer field so that > the contents of the sk_user_data field is preserved. > > Reviewed-by: Hannes Reinecke <hare@xxxxxxx> > Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> The patch seems to fix the syzbot bug: [syzbot] KASAN: slab-out-of-bounds Read in sk_psock_get Reported-by: syzbot+1fa91bcd05206ff8cbb5@xxxxxxxxxxxxxxxxxxxxxxxxx As the reproducer no longer triggers the warning. Tested-by: Khalid Masum <khalid.masum.92@xxxxxxxxx>
