On Mon, 16 Jul 2018 12:01:01 +0200 Ursula Braun <ubraun@xxxxxxxxxxxxx> wrote:

> From: Ursula Braun <ursula.braun@xxxxxxxxxxxxx>
>
> SMC ioctl processing requires the sock lock to work properly in
> all thinkable scenarios.
> Problem has been found with RaceFuzzer and fixes:
> KASAN: null-ptr-deref Read in smc_ioctl
>
> Reported-by: Byoungyoung Lee <lifeasageek@xxxxxxxxx>
> Reported-by: syzbot+35b2c5aa76fd398b9fd4@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Ursula Braun <ubraun@xxxxxxxxxxxxx>
> ---
> net/smc/af_smc.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
> index 5334157f5065..a4381b38a521 100644
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -1524,6 +1524,7 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
> return -EBADF;
> return smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);
> }
> + lock_sock(&smc->sk);
> switch (cmd) {
> case SIOCINQ: /* same as FIONREAD */
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;

you should also unlock here, and:

> case SIOCOUTQ:
> /* output queue size (not send + not acked) */
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;

here, and:

> case SIOCOUTQNSD:
> /* output queue size (not send only) */
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;

here, and:

> case SIOCATMARK:
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;

here.

--
Stefano
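Review bot: the `lock_sock(&smc->sk)` inserted ahead of `switch (cmd)` is not paired with a `release_sock()` on the early-return paths that the hunk's own context shows: the `SIOCINQ`, `SIOCOUTQ`, `SIOCOUTQNSD` and `SIOCATMARK` arms each do `if (smc->sk.sk_state == SMC_LISTEN) return -EINVAL;`, so an ioctl on a listening SMC socket now returns with the sock lock still held, and the next `lock_sock()` on that socket (another ioctl, recvmsg, close) blocks forever. Either release before each of those returns, `release_sock(&smc->sk); return -EINVAL;`, or turn them into a single exit path that stores the error and releases the lock once after the switch, so that every return after the lock is covered. The diffstat reports 3 insertions but only one `+` line is quoted here; the two that are not visible should be checked for the same property, since a single `release_sock()` at the end of the function does not cover these mid-switch returns.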