net/smc: take sock lock in smc_ioctl()

SMC ioctl processing requires the sock lock to work properly in all thinkable scenarios. Problem has been found with RaceFuzzer and fixes: KASAN: null-ptr-deref Read in smc_ioctl Reported-by: Byoungyoung Lee <lifeasageek@gmail.com> Reported-by: syzbot+35b2c5aa76fd398b9fd4@syzkaller.appspotmail.com Signed-off-by: Ursula Braun <ubraun@linux.ibm.com> Reviewed-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Ursula Braun <ursula.braun@linux.ibm.com> 2018-07-16 07:56:52 -0400
committer: David S. Miller <davem@davemloft.net> 2018-07-16 17:45:13 -0400
commit: 1992d99882afda6dc17f9d49c06150856a91282f (patch)
tree: aa249871b27d3e80f1148d7d481419bad67a7586 /net/smc
parent: bd598d205055dfe32698261efe1b1b736d9a7173 (diff)
1 files changed, 15 insertions, 4 deletions
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 5334157f5065..c12a7fc18f56 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1524,10 +1524,13 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
                        return -EBADF;
                return smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);
        }
+        lock_sock(&smc->sk);
        switch (cmd) {
        case SIOCINQ: /* same as FIONREAD */
-                if (smc->sk.sk_state == SMC_LISTEN)
+                if (smc->sk.sk_state == SMC_LISTEN) {
+                        release_sock(&smc->sk);
                        return -EINVAL;
+                }
                if (smc->sk.sk_state == SMC_INIT ||
                    smc->sk.sk_state == SMC_CLOSED)
                        answ = 0;
@@ -1536,8 +1539,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
                break;
        case SIOCOUTQ:
                /* output queue size (not send + not acked) */
-                if (smc->sk.sk_state == SMC_LISTEN)
+                if (smc->sk.sk_state == SMC_LISTEN) {
+                        release_sock(&smc->sk);
                        return -EINVAL;
+                }
                if (smc->sk.sk_state == SMC_INIT ||
                    smc->sk.sk_state == SMC_CLOSED)
                        answ = 0;
@@ -1547,8 +1552,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
                break;
        case SIOCOUTQNSD:
                /* output queue size (not send only) */
-                if (smc->sk.sk_state == SMC_LISTEN)
+                if (smc->sk.sk_state == SMC_LISTEN) {
+                        release_sock(&smc->sk);
                        return -EINVAL;
+                }
                if (smc->sk.sk_state == SMC_INIT ||
                    smc->sk.sk_state == SMC_CLOSED)
                        answ = 0;
@@ -1556,8 +1563,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
                        answ = smc_tx_prepared_sends(&smc->conn);
                break;
        case SIOCATMARK:
-                if (smc->sk.sk_state == SMC_LISTEN)
+                if (smc->sk.sk_state == SMC_LISTEN) {
+                        release_sock(&smc->sk);
                        return -EINVAL;
+                }
                if (smc->sk.sk_state == SMC_INIT ||
                    smc->sk.sk_state == SMC_CLOSED) {
                        answ = 0;
@@ -1573,8 +1582,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
                }
                break;
        default:
+                release_sock(&smc->sk);
                return -ENOIOCTLCMD;
        }
+        release_sock(&smc->sk);
        return put_user(answ, (int __user *)arg);
 }
author	Ursula Braun <ursula.braun@linux.ibm.com>	2018-07-16 07:56:52 -0400
committer	David S. Miller <davem@davemloft.net>	2018-07-16 17:45:13 -0400
commit	1992d99882afda6dc17f9d49c06150856a91282f (patch)
tree	aa249871b27d3e80f1148d7d481419bad67a7586 /net/smc
parent	bd598d205055dfe32698261efe1b1b736d9a7173 (diff)