On Fri, Sep 24, 2021 at 01:14:41PM -0700, Jakub Kicinski wrote:
> On Fri, 24 Sep 2021 10:21:33 +0200 Krzysztof Kozlowski wrote:
> > On 23/09/2021 14:22, Dan Carpenter wrote:
> > > On Thu, Sep 23, 2021 at 09:26:51AM +0200, Krzysztof Kozlowski wrote:
> > >> On 23/09/2021 08:50, Dan Carpenter wrote:
> > [...]
> > >>
> > >> I think the difference between this llcp_sock code and above transport,
> > >> is lack of writer to llcp_sock->local with whom you could race.
> > >>
> > >> Commits c0cfa2d8a788fcf4 and 6a2c0962105ae8ce causing the
> > >> multi-transport race nicely show the assignment to vsk->transport when
> > >> the module is unloaded.
> > >>
> > >> Here, however, there is no writer to llcp_sock->local, except bind and
> > >> connect and their error paths. The readers which you modify here have
> > >> to happen after bind/connect. You cannot have getsockopt() or release()
> > >> before bind/connect, can you? Unless you mean here the bind error path,
> > >> where someone calls getsockopt() in the middle of bind()? Is it even
> > >> possible?
> > >>
> > >
> > > I don't know if this is a real issue either.
> > >
> > > Racing with bind would be harmless. The local pointer would be NULL and
> > > it would return harmlessly. You would have to race with release and
> > > have a third trying to release local devices. (Again that might be
> > > wild imagination. It may not be possible).
> >
> > Indeed. The code looks reasonable, though, so even if the race is not
> > really reproducible:
> >
> > Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxxxxx>
>
> Would you mind making a call if this is net (which will mean stable) or
> net-next material (without the Fixes tags) and reposting? Thanks! :)

This should be ported to stable. The race condition is real because
->release() can race with itself. I don't know if it is exploitable or
not beyond just a denial of service.

regards,
dan carpenter
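The two outcomes discussed in the thread, a reader racing bind() and seeing a NULL pointer harmlessly versus release() racing itself and dropping the socket's single reference twice, as an added userspace model. This is example code written for this page, not the kernel's llcp_sock code or Dan's patch: the struct names, the `local_dev` refcount that stands in for a kref, the `freed` flag, the `sock_*` helpers and the scenario functions are all hypothetical, and pthread mutexes model the socket lock. The unsafe release reads the pointer without the lock and never clears it; the safe variant swaps it to NULL under the lock before putting, so a second release() or a late reader sees nothing to drop.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a refcounted NFC local device (refcnt stands in
 * for a kref; nothing is really freed, `freed` just records the last put). */
struct local_dev {
    int refcnt;
    int freed;
};

/* Hypothetical model of the llcp socket: a lock plus the pointer that
 * bind()/connect() fill in and that getsockopt()/release() read. */
struct llcp_sock_model {
    pthread_mutex_t lock;
    struct local_dev *local;
};

static pthread_mutex_t dev_lock = PTHREAD_MUTEX_INITIALIZER;

static struct local_dev *local_get(struct local_dev *dev)
{
    pthread_mutex_lock(&dev_lock);
    dev->refcnt++;
    pthread_mutex_unlock(&dev_lock);
    return dev;
}

/* Returns 0 on an ordinary put, 1 when this put drops the last reference,
 * -1 when the count was already 0 (a double put: refcount underflow). */
static int local_put(struct local_dev *dev)
{
    int rc;
    pthread_mutex_lock(&dev_lock);
    if (dev->refcnt <= 0) {
        dev->refcnt--;   /* underflow: this is the use-after-free path */
        rc = -1;
    } else if (--dev->refcnt == 0) {
        dev->freed = 1;
        rc = 1;
    } else {
        rc = 0;
    }
    pthread_mutex_unlock(&dev_lock);
    return rc;
}

static void sock_init(struct llcp_sock_model *sk)
{
    pthread_mutex_init(&sk->lock, NULL);
    sk->local = NULL;
}

/* bind()/connect() success path: the socket takes its own reference. */
static void sock_bind(struct llcp_sock_model *sk, struct local_dev *dev)
{
    pthread_mutex_lock(&sk->lock);
    sk->local = local_get(dev);
    pthread_mutex_unlock(&sk->lock);
}

/* Unsafe release: pointer read without the lock and never cleared, so two
 * release() calls that both observe it each drop the single reference.
 * Calling it twice in sequence models that interleaving deterministically. */
static int sock_release_unsafe(struct llcp_sock_model *sk)
{
    struct local_dev *dev = sk->local;
    return dev ? local_put(dev) : 0;
}

/* Safe release: swap the pointer out under the lock, put outside it. */
static int sock_release_safe(struct llcp_sock_model *sk)
{
    struct local_dev *dev;
    pthread_mutex_lock(&sk->lock);
    dev = sk->local;
    sk->local = NULL;
    pthread_mutex_unlock(&sk->lock);
    return dev ? local_put(dev) : 0;
}

/* Reader side (getsockopt-style): take a reference under the lock so the
 * device outlives the use, then drop it. Returns -1 when the socket has no
 * local device, which is the harmless bind-race outcome from the thread. */
static int sock_query_local(struct llcp_sock_model *sk)
{
    struct local_dev *dev;
    pthread_mutex_lock(&sk->lock);
    dev = sk->local ? local_get(sk->local) : NULL;
    pthread_mutex_unlock(&sk->lock);
    if (!dev)
        return -1;
    local_put(dev);       /* the device would be used here before the put */
    return 0;
}

/* Scenario helpers: each returns the device refcount after the sequence
 * (0 after a clean last put, -1 after a double put). */
static int scenario_double_release(int safe)
{
    struct local_dev dev = { 0, 0 };
    struct llcp_sock_model sk;
    sock_init(&sk);
    sock_bind(&sk, &dev);
    if (safe) { sock_release_safe(&sk); sock_release_safe(&sk); }
    else      { sock_release_unsafe(&sk); sock_release_unsafe(&sk); }
    return dev.refcnt;
}

/* Returns the query result: 0 before release, -1 (no device) after it. */
static int scenario_query(int after_release)
{
    struct local_dev dev = { 0, 0 };
    struct llcp_sock_model sk;
    sock_init(&sk);
    sock_bind(&sk, &dev);
    if (after_release)
        sock_release_safe(&sk);
    return sock_query_local(&sk);
}

int main(void)
{
    printf("unsafe double release -> refcnt %d\n", scenario_double_release(0));
    printf("safe double release   -> refcnt %d\n", scenario_double_release(1));
    printf("query before release  -> %d\n", scenario_query(0));
    printf("query after release   -> %d\n", scenario_query(1));
    return 0;
}
```

The model keeps the socket-side rule simple: whoever reads `local` must either hold the socket lock for the whole use or take its own reference while holding it, and release() must make the pointer unreachable before it puts, so a racing release() finds nothing left to drop.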