On 12/31/17 4:33 AM, Sowmini Varadhan wrote:
> On (12/30/17 21:09), santosh.shilim...@oracle.com wrote:
> > Right. This was loop transport in action so xmit will just flip
> > the direction with receive. And rds_recv_incoming() can race with
> > socket_release. rds_find_bound() is supposed to add ref count on
> > socket for rds_recv_incoming() but by th
On 12/30/17 2:32 PM, Sowmini Varadhan wrote:
> On (12/30/17 13:37), santosh.shilim...@oracle.com wrote:
> [...]
> > That's what I thought as well initially but since the reported case,
> > the rs seems to be valid whereas sk seems to be freed up as part of
> > sock_release callback.
> I don't understand the s
On (12/30/17 13:37), santosh.shilim...@oracle.com wrote:
> Well that's what the report says, o.w. flag test wouldn't have
> been attempted.
the bug report says "use-after-free".
It doesn't say that rds_rs_to_sk(rs) is null (if rds_rs_to_sk(rs) was null,
rs would also be null, please cscope struct rd
On 12/30/17 12:26 PM, Sowmini Varadhan wrote:
> On (12/30/17 11:36), Santosh Shilimkar wrote:
> > socket buffer can get freed as part of sock_close
> > callback so before adding reference check underneath
> > socket validity.
> I'm not sure I understand this fix-
> struct rds_sock is:
> struct rds_sock {
On (12/30/17 11:36), Santosh Shilimkar wrote:
>
> socket buffer can get freed as part of sock_close
> callback so before adding reference check underneath
> socket validity.
I'm not sure I understand this fix-
struct rds_sock is:
struct rds_sock {
	struct sock rs_sk;
socket buffer can get freed as part of sock_close
callback so before adding reference check underneath
socket validity.

Reported-by: syzbot+93a5839deb3555374...@syzkaller.appspotmail.com
Signed-off-by: Santosh Shilimkar
---
 net/rds/bind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

di
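The race the thread is arguing about (a receive-path lookup taking a reference on a socket while its release path drops the last one) can be shown in a small user-space model. The code below is an added illustration, not code from this thread and not a reproduction of net/rds/bind.c; the names model_sock, bound_table, sock_tryget, find_bound and sock_close are assumptions of the model, and the three scenario functions are constructed interleavings. It contrasts the check-a-flag-then-addref pattern the patch description implies with an atomic "increment unless zero" take (the kernel's refcount_inc_not_zero), which is the general remedy for this class of lookup/free race.

```c
/* Added example: user-space model of a lookup-vs-release refcount race.
 * NOT RDS code; all names here are assumptions for illustration only.
 * The model never actually free()s inside the scenario so the lost race can
 * be observed; the kernel relies on RCU to keep the memory readable while a
 * lookup is in flight, which is what makes inc-not-zero safe there. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct model_sock {
	uint16_t port;          /* bound port, the lookup key */
	atomic_int refcnt;      /* 0 means the object is (being) freed */
	bool freed;             /* set where kfree()/sock_put() would run */
};

#define TABLE_SIZE 8
static struct model_sock *bound_table[TABLE_SIZE];

/* refcount_inc_not_zero() analogue: take a ref only if one is still held. */
static bool sock_tryget(struct model_sock *s)
{
	int old = atomic_load(&s->refcnt);
	while (old != 0) {
		if (atomic_compare_exchange_weak(&s->refcnt, &old, old + 1))
			return true;
		/* a failed CAS reloads old; retry unless it dropped to zero */
	}
	return false;
}

/* Drop a reference; the last one "frees" the object. */
static void sock_put(struct model_sock *s)
{
	if (atomic_fetch_sub(&s->refcnt, 1) == 1)
		s->freed = true;
}

static struct model_sock *sock_bind(uint16_t port)
{
	struct model_sock *s = calloc(1, sizeof(*s));
	if (!s)
		abort();
	s->port = port;
	atomic_store(&s->refcnt, 1);            /* the owning socket's ref */
	bound_table[port % TABLE_SIZE] = s;
	return s;
}

/* Release path: unpublish from the table, then drop the owner's ref. */
static void sock_close(struct model_sock *s)
{
	bound_table[s->port % TABLE_SIZE] = NULL;
	sock_put(s);
}

/* Receive-side lookup (the role rds_find_bound() plays): NULL if the port is
 * unbound or the socket is already on its way out. */
static struct model_sock *find_bound(uint16_t port)
{
	struct model_sock *s = bound_table[port % TABLE_SIZE];
	if (!s || s->port != port)
		return NULL;
	return sock_tryget(s) ? s : NULL;
}

/* The check-then-act variant, split so the model can interleave a close. */
static bool flag_check(struct model_sock *s) { return !s->freed; }
static void addref(struct model_sock *s) { atomic_fetch_add(&s->refcnt, 1); }

/* Scenario 1: receiver got its ref first; close must not free under it. */
static int scenario_ref_held_across_close(void)
{
	struct model_sock *s = sock_bind(5001);
	struct model_sock *r = find_bound(5001);
	if (r != s) return -1;
	sock_close(s);                          /* owner unbinds and puts */
	if (s->freed) return -2;                /* receiver still holds it */
	if (find_bound(5001) != NULL) return -3;/* new lookups must now fail */
	sock_put(r);                            /* receiver done: frees */
	int ok = s->freed ? 0 : -4;
	free(s);
	return ok;
}

/* Scenario 2: receiver read the pointer, the final put ran, then tryget.
 * With inc-not-zero the receiver is told "gone" instead of holding a dangling
 * object. */
static int scenario_lookup_loses_race(void)
{
	struct model_sock *s = sock_bind(6002);
	struct model_sock *stale = bound_table[6002 % TABLE_SIZE];
	sock_close(s);                          /* refcnt 1 -> 0, freed */
	bool got = sock_tryget(stale);
	int ok = (!got && stale->freed) ? 0 : -1;
	free(s);
	return ok;
}

/* Scenario 3: same interleaving with flag-check-then-addref. Returns 1 when
 * the model ends up holding a reference on an already freed object. */
static int scenario_check_then_act_races(void)
{
	struct model_sock *s = sock_bind(7003);
	struct model_sock *stale = bound_table[7003 % TABLE_SIZE];
	bool alive = flag_check(stale);         /* step 1: looks alive */
	sock_close(s);                          /* owner frees in between */
	if (alive) addref(stale);               /* step 2: ref on freed object */
	int uaf = (stale->freed && atomic_load(&stale->refcnt) == 1) ? 1 : 0;
	free(s);
	return uaf;
}
```

Scenario 3 is the shape the thread describes: the flag test and the reference increment are two separate steps, so nothing stops the socket's last put from landing between them. Scenario 2 shows why an atomic increment-unless-zero closes that window as long as the memory itself stays readable during the lookup.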