[rds-devel] [Patch net] rds: mark bound socket with SOCK_RCU_FREE
Sowmini Varadhan
sowmini.varadhan at oracle.com
Mon Sep 10 15:34:12 PDT 2018
On (09/10/18 15:24), Cong Wang wrote:
>
> When a rds sock is bound, it is inserted into the bind_hash_table
> which is protected by RCU. But when releasing rds sock, after it
> is removed from this hash table, it is freed immediately without
> respecting RCU grace period. This could cause some use-after-free
> as reported by syzbot.
>
I have no objection to the change itself, but the syzbot failures
are caused for a very simple reason: we need synchronize_net()
in rds_release before we remove the rds_sock from the bind_hash_table.
I already pointed this out in
https://www.spinics.net/lists/netdev/msg475074.html
I think the objection to synchronize_net() is that it can cause
perf issues (I'm told that rds_release() has been known to be held
up by other threads in rcu critical sections?) but I personally
don't see any other alternative to this (other than going back
to rwlock, instead of rcu).
--Sowmini