On Sun, Jan 14, 2018 at 11:32:57AM +0000, James Chapman wrote: > SIOCKCMATTACH writes a connected socket's sk_user_data for its own > use. Prevent it doing so if the socket's sk_user_data is already set > since some sockets (e.g. encapsulated sockets) use sk_user_data > internally. > > diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c > index d4e98f20fc2a..65392ed58f4a 100644 > --- a/net/kcm/kcmsock.c > +++ b/net/kcm/kcmsock.c > @@ -1391,6 +1391,10 @@ static int kcm_attach(struct socket *sock, struct > socket *csock, > if (csk->sk_family == PF_KCM) > return -EOPNOTSUPP; > > + /* Cannot proceed if connected socket already uses sk_user_data */ > + if (csk->sk_user_data) > + return -EOPNOTSUPP; > + > psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL); > if (!psock) > return -ENOMEM; > Isn't that racy? What if sk_user_data was concurrently set right after this test? Also, it looks like we could create a UDP socket, attach it to KCM, then create an L2TP tunnel on this same UDP socket. l2tp_tunnel_create() or setup_udp_tunnel_sock() would unconditionally overwrite sk_user_data, which will probably confuse KCM.
Tom, if I understand KCM correctly, it only makes sense to attach it to SOCK_STREAM sockets. Shouldn't that be enforced? Maybe we should restrict it even further, so that only known KCM-safe sockets could be attached (that is, reject anything that isn't AF_INET* | SOCK_STREAM).
