Re: [PATCH v2 1/2] sctp: export sctp_endpoint_{hold,put}() and return incremented endpoint

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 17 Dec 2021 13:46:06 +0000 Lee Jones wrote:
> For example, in sctp_sock_dump(), we could have the following hunk:
> 
> 	sctp_endpoint_hold(tsp->asoc->ep);
> 	ep = tsp->asoc->ep;
> 	sk = ep->base.sk
> 	lock_sock(ep->base.sk);
> 
> It is possible for this task to be swapped out immediately following
> the call into sctp_endpoint_hold() that would change the address of
> tsp->asoc->ep to point to a completely different endpoint.  This means
> a reference could be taken to the old endpoint and the new one would
> be processed without a reference taken, moreover the new endpoint
> could then be freed whilst still processing as a result, causing a
> use-after-free.
> 
> If we return the exact pointer that was held, we ensure this task
> processes only the endpoint we have taken a reference to.  The
> resultant hunk now looks like this:
> 
>       ep = sctp_endpoint_hold(tsp->asoc->ep);
> 	sk = ep->base.sk
> 	lock_sock(sk);

If you have to explain what the next patch will do to make sense 
of this one it really is better to merge the two patches.
Exporting something is not a functional change, nor does it make
the changes easier to review, in fact the opposite is true.

> Fixes: 8f840e47f190c ("sctp: add the sctp_diag.c file")

This patch in itself fixes exactly nothing.



[Index of Archives]     [Linux Networking Development]     [Linux OMAP]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     SCTP

  Powered by Linux