unix/caif: sk_socket can disappear when state is unlocked

got a rare NULL pointer dereference in clear_bit

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
----
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 8 insertions, 0 deletions

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 5266ea7b922b..06430598cf51 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1880,6 +1880,10 @@ static long unix_stream_data_wait(struct sock *sk, long timeo,
                 unix_state_unlock(sk);
                 timeo = freezable_schedule_timeout(timeo);
                 unix_state_lock(sk);
+
+                if (sock_flag(sk, SOCK_DEAD))
+                        break;
+
                 clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);
         }
 
@@ -1939,6 +1943,10 @@ static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
                 struct sk_buff *skb, *last;
 
                 unix_state_lock(sk);
+                if (sock_flag(sk, SOCK_DEAD)) {
+                        err = -ECONNRESET;
+                        goto unlock;
+                }
                 last = skb = skb_peek(&sk->sk_receive_queue);
 again:
                 if (skb == NULL) {