Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-21 Thread Rainer Weikusat
Rainer Weikusat writes: > Jason Baron writes: >> On 10/18/2015 04:58 PM, Rainer Weikusat wrote: [...] >> 1) >> >> In unix_peer_wake_relay() function, 'sk_wq' is an __rcu pointer and thus >> it requires proper dereferencing.

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-20 Thread Rainer Weikusat
Jason Baron writes: > On 10/18/2015 04:58 PM, Rainer Weikusat wrote: > > [...] > >> >> The idea behind 'the wait queue' (insofar I'm aware of it) is that it >> will be used as list of threads who need to be notified when the >> associated event occurs. Since you seem to argue

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-19 Thread Jason Baron
On 10/18/2015 04:58 PM, Rainer Weikusat wrote: [...] > > The idea behind 'the wait queue' (insofar I'm aware of it) is that it > will be used as list of threads who need to be notified when the > associated event occurs. Since you seem to argue that the run-of-the-mill > algorithm is too slow

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-18 Thread Rainer Weikusat
Jason Baron writes: > >> >> X-Signed-Off-By: Rainer Weikusat >> Sorry for the delayed reply but I had to do some catching up on what the people who pay me consider 'useful work' :-). > So the patches I've posted and yours both use

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-14 Thread Rainer Weikusat
Jason Baron writes: > On 10/12/2015 04:41 PM, Rainer Weikusat wrote: >> Jason Baron writes: >>> On 10/05/2015 12:31 PM, Rainer Weikusat wrote: [...] >> OTOH, something I seriously dislike about your relaying implementation >> is the unconditional

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-14 Thread Jason Baron
> > X-Signed-Off-By: Rainer Weikusat > Hi, So the patches I've posted and yours both use the idea of a relaying the remote peer wakeup via callbacks that are internal to the net/unix, such that we avoid exposing the remote peer wakeup to the external

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-13 Thread Jason Baron
On 10/12/2015 04:41 PM, Rainer Weikusat wrote: > Jason Baron writes: >> On 10/05/2015 12:31 PM, Rainer Weikusat wrote: > > [...] > >>> Here's a more simple idea which _might_ work. The underlying problem >>> seems to be that the second sock_poll_wait introduces a covert

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-12 Thread Rainer Weikusat
Jason Baron writes: > On 10/05/2015 12:31 PM, Rainer Weikusat wrote: [...] >> Here's a more simple idea which _might_ work. The underlying problem >> seems to be that the second sock_poll_wait introduces a covert reference >> to the peer socket which isn't accounted for. The

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-05 Thread Jason Baron
On 10/05/2015 12:31 PM, Rainer Weikusat wrote: > Jason Baron writes: >> The unix_dgram_poll() routine calls sock_poll_wait() not only for the wait >> queue associated with the socket s that we are poll'ing against, but also >> calls >> sock_poll_wait() for a remote peer socket

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-05 Thread Eric Dumazet
On Mon, 2015-10-05 at 17:31 +0100, Rainer Weikusat wrote: > atomic_long_set(>inflight, 0); > INIT_LIST_HEAD(>link); > @@ -2135,8 +2139,16 @@ static unsigned int unix_poll(struct fil > static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, >

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-05 Thread Rainer Weikusat
Eric Dumazet writes: > On Mon, 2015-10-05 at 17:31 +0100, Rainer Weikusat wrote: > >> atomic_long_set(>inflight, 0); >> INIT_LIST_HEAD(>link); >> @@ -2135,8 +2139,16 @@ static unsigned int unix_poll(struct fil >> static unsigned int unix_dgram_poll(struct file

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-04 Thread Rainer Weikusat
Rainer Weikusat writes: > Mathias Krause writes: >> On 2 October 2015 at 22:43, Jason Baron wrote: >>> The unix_dgram_poll() routine calls sock_poll_wait() not only for the wait >>> queue associated with the socket s

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-03 Thread Rainer Weikusat
Mathias Krause writes: > On 2 October 2015 at 22:43, Jason Baron wrote: >> The unix_dgram_poll() routine calls sock_poll_wait() not only for the wait >> queue associated with the socket s that we are poll'ing against, but also >> calls [useless

[PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-02 Thread Jason Baron
The unix_dgram_poll() routine calls sock_poll_wait() not only for the wait queue associated with the socket s that we are poll'ing against, but also calls sock_poll_wait() for a remote peer socket p, if it is connected. Thus, if we call poll()/select()/epoll() for the socket s, there are then a
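An added user-space example (not from this thread, and not kernel code from any of the posted patches) that shows from the outside the cross-socket dependency Jason describes: a connected AF_UNIX datagram socket s is reported POLLOUT-ready only while its peer p has room in its receive queue, so "s became writable" is an event that happens on p, which is why unix_dgram_poll() registers the poller on p's wait queue as well as on s's. It assumes Linux, that the abstract socket name it derives from its pid is free, and that net.unix.max_dgram_qlen is readable from /proc. It does not reach the use-after-free; it only demonstrates why the second wait-queue registration exists.

```c
/* Added example (not from the patch thread): shows the cross-socket dependency
 * that makes unix_dgram_poll() wait on the peer's queue.  A connected AF_UNIX
 * datagram socket s is POLLOUT-ready only while its peer p has room in its
 * receive queue, so "s became writable" is really an event on p.  Linux only;
 * reads net.unix.max_dgram_qlen from /proc (assumed present and accurate). */
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define MAX_FILLERS 16   /* senders used to fill p; each is bounded by its own sndbuf */

/* 1 if poll() reports POLLOUT on fd right now, 0 if not, -1 on error. */
static int writable_now(int fd)
{
    struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
    int n = poll(&pfd, 1, 0);
    if (n < 0)
        return -1;
    return (n > 0 && (pfd.revents & POLLOUT)) ? 1 : 0;
}

/* Datagrams p's receive queue may hold before the kernel treats it as full
 * (sysctl net.unix.max_dgram_qlen, default 10); -1 if it cannot be read. */
static long max_dgram_qlen(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/net/unix/max_dgram_qlen", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* Non-blocking datagram socket connected one-way to the abstract address in
 * *addr.  A socketpair() would not do: mutually connected peers are exempt
 * from the datagram queue limit.  Returns the fd, or -1 on error. */
static int connected_sender(const struct sockaddr_un *addr, socklen_t len)
{
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_NONBLOCK, 0);
    if (fd >= 0 && connect(fd, (const struct sockaddr *)addr, len) < 0) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Result bits: 1 = s writable at start, 2 = writable while p's queue is full,
 * 4 = writable again after one datagram is drained.  Expected 5.  -1 on error. */
int peer_queue_gates_writability(void)
{
    struct sockaddr_un addr;
    socklen_t len;
    int p = -1, s = -1, fillers[MAX_FILLERS], nf = 0, i;
    long qlen = max_dgram_qlen(), sent = 0;
    int initial, full, drained, result = -1;
    char byte = 'x';

    if (qlen < 0)
        return -1;
    p = socket(AF_UNIX, SOCK_DGRAM | SOCK_NONBLOCK, 0);
    if (p < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    addr.sun_path[0] = '\0';                     /* abstract namespace, nothing on disk */
    snprintf(addr.sun_path + 1, sizeof(addr.sun_path) - 1,
             "unix-dgram-poll-demo-%ld", (long)getpid());
    len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + strlen(addr.sun_path + 1));
    if (bind(p, (struct sockaddr *)&addr, len) < 0)
        goto out;

    s = connected_sender(&addr, len);            /* the socket we poll; it never sends */
    if (s < 0)
        goto out;
    initial = writable_now(s);

    /* Push qlen+1 datagrams into p from separate filler sockets, so that s's
     * own send buffer plays no part in what poll() reports for s. */
    while (sent <= qlen) {
        if (nf == 0 || send(fillers[nf - 1], &byte, 1, 0) != 1) {
            if (nf > 0 && errno != EAGAIN && errno != EWOULDBLOCK)
                goto out;
            if (nf == MAX_FILLERS || (fillers[nf] = connected_sender(&addr, len)) < 0)
                goto out;
            nf++;
            continue;
        }
        sent++;
    }
    full = writable_now(s);                      /* p is over its limit: expect 0 */

    if (recv(p, &byte, 1, 0) != 1)               /* drain one datagram from p */
        goto out;
    drained = writable_now(s);                   /* p has room again: expect 1 */

    if (initial < 0 || full < 0 || drained < 0)
        goto out;
    result = (initial ? 1 : 0) | (full ? 2 : 0) | (drained ? 4 : 0);
out:
    for (i = 0; i < nf; i++)
        close(fillers[i]);
    if (s >= 0)
        close(s);
    if (p >= 0)
        close(p);
    return result;
}

int main(void)
{
    int r = peer_queue_gates_writability();
    printf("result=%d (expected 5: writable, blocked while peer queue full, writable after drain)\n", r);
    return r == 5 ? 0 : 1;
}
```

Build with `cc -o unix-dgram-poll-demo unix-dgram-poll-demo.c` and run it; result 5 means s reported no POLLOUT while p's queue was over net.unix.max_dgram_qlen and became writable again as soon as p was drained, with s itself having sent nothing. The filler sockets exist only because a single sender is bounded by its own send buffer before p's queue limit is reached on systems where the limit is large. The state that changes s's readiness lives entirely in p, which is the property the patch thread is about: a poller on s ends up waiting on p's wait queue, and that registration outlives nothing unless the lifetime of p is accounted for.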

Re: [PATCH v2 1/3] unix: fix use-after-free in unix_dgram_poll()

2015-10-02 Thread Mathias Krause
On 2 October 2015 at 22:43, Jason Baron wrote: > The unix_dgram_poll() routine calls sock_poll_wait() not only for the wait > queue associated with the socket s that we are poll'ing against, but also > calls > sock_poll_wait() for a remote peer socket p, if it is connected.