diff options
| author | Mark Salyzyn <salyzyn@android.com> | 2015-05-26 11:22:19 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-05-26 23:19:29 -0400 |
| commit | b48732e4a48d80ed4a14812f0bab09560846514e (patch) | |
| tree | 979d5c6257fe181758030d4a9d52a257c328cf9a /net | |
| parent | 983942a5eacae8821882a3d348618b020098e8dc (diff) | |
unix/caif: sk_socket can disappear when state is unlocked
got a rare NULL pointer dereference in clear_bit
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
----
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/caif/caif_socket.c | 8 | ||||
| -rw-r--r-- | net/unix/af_unix.c | 8 |
2 files changed, 16 insertions, 0 deletions
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 4ec0c803aef1..112ad784838a 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c | |||
| @@ -330,6 +330,10 @@ static long caif_stream_data_wait(struct sock *sk, long timeo) | |||
| 330 | release_sock(sk); | 330 | release_sock(sk); |
| 331 | timeo = schedule_timeout(timeo); | 331 | timeo = schedule_timeout(timeo); |
| 332 | lock_sock(sk); | 332 | lock_sock(sk); |
| 333 | |||
| 334 | if (sock_flag(sk, SOCK_DEAD)) | ||
| 335 | break; | ||
| 336 | |||
| 333 | clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); | 337 | clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); |
| 334 | } | 338 | } |
| 335 | 339 | ||
| @@ -373,6 +377,10 @@ static int caif_stream_recvmsg(struct socket *sock, struct msghdr *msg, | |||
| 373 | struct sk_buff *skb; | 377 | struct sk_buff *skb; |
| 374 | 378 | ||
| 375 | lock_sock(sk); | 379 | lock_sock(sk); |
| 380 | if (sock_flag(sk, SOCK_DEAD)) { | ||
| 381 | err = -ECONNRESET; | ||
| 382 | goto unlock; | ||
| 383 | } | ||
| 376 | skb = skb_dequeue(&sk->sk_receive_queue); | 384 | skb = skb_dequeue(&sk->sk_receive_queue); |
| 377 | caif_check_flow_release(sk); | 385 | caif_check_flow_release(sk); |
| 378 | 386 | ||
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 5266ea7b922b..06430598cf51 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c | |||
| @@ -1880,6 +1880,10 @@ static long unix_stream_data_wait(struct sock *sk, long timeo, | |||
| 1880 | unix_state_unlock(sk); | 1880 | unix_state_unlock(sk); |
| 1881 | timeo = freezable_schedule_timeout(timeo); | 1881 | timeo = freezable_schedule_timeout(timeo); |
| 1882 | unix_state_lock(sk); | 1882 | unix_state_lock(sk); |
| 1883 | |||
| 1884 | if (sock_flag(sk, SOCK_DEAD)) | ||
| 1885 | break; | ||
| 1886 | |||
| 1883 | clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); | 1887 | clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); |
| 1884 | } | 1888 | } |
| 1885 | 1889 | ||
| @@ -1939,6 +1943,10 @@ static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg, | |||
| 1939 | struct sk_buff *skb, *last; | 1943 | struct sk_buff *skb, *last; |
| 1940 | 1944 | ||
| 1941 | unix_state_lock(sk); | 1945 | unix_state_lock(sk); |
| 1946 | if (sock_flag(sk, SOCK_DEAD)) { | ||
| 1947 | err = -ECONNRESET; | ||
| 1948 | goto unlock; | ||
| 1949 | } | ||
| 1942 | last = skb = skb_peek(&sk->sk_receive_queue); | 1950 | last = skb = skb_peek(&sk->sk_receive_queue); |
| 1943 | again: | 1951 | again: |
| 1944 | if (skb == NULL) { | 1952 | if (skb == NULL) { |