On 07/16/2018 12:09 PM, Stefano Brivio wrote:
> On Mon, 16 Jul 2018 12:01:01 +0200
> Ursula Braun <ubraun@xxxxxxxxxxxxx> wrote:
>
>> From: Ursula Braun <ursula.braun@xxxxxxxxxxxxx>
>>
>> SMC ioctl processing requires the sock lock to work properly in
>> all thinkable scenarios.
>> Problem has been found with RaceFuzzer and fixes:
>> KASAN: null-ptr-deref Read in smc_ioctl
>>
>> Reported-by: Byoungyoung Lee <lifeasageek@xxxxxxxxx>
>> Reported-by: syzbot+35b2c5aa76fd398b9fd4@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Signed-off-by: Ursula Braun <ubraun@xxxxxxxxxxxxx>
>> ---
>> net/smc/af_smc.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
>> index 5334157f5065..a4381b38a521 100644
>> --- a/net/smc/af_smc.c
>> +++ b/net/smc/af_smc.c
>> @@ -1524,6 +1524,7 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
>> return -EBADF;
>> return smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);
>> }
>> + lock_sock(&smc->sk);
>> switch (cmd) {
>> case SIOCINQ: /* same as FIONREAD */
>> if (smc->sk.sk_state == SMC_LISTEN)
>
> return -EINVAL;
>
> you should also unlock here, and:
>
> case SIOCOUTQ:
> /* output queue size (not send + not acked) */
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;
>
> here, and:
>
> case SIOCOUTQNSD:
> /* output queue size (not send only) */
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;
>
> here, and:
>
> case SIOCATMARK:
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;
>
> here.

Sorry, my fault! V2 is on its way. Thanks for your hint.

--
To unsubscribe from this list: send the line "unsubscribe linux-s390" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
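Review bot: the `lock_sock(&smc->sk)` added just before `switch (cmd)` in the hunk at `@@ -1524,6 +1524,7 @@` has no matching `release_sock(&smc->sk)` on the early `return -EINVAL` exits that follow the `smc->sk.sk_state == SMC_LISTEN` checks (the SIOCINQ case visible in the hunk context, and the SIOCOUTQ, SIOCOUTQNSD and SIOCATMARK cases quoted in the reply), so an ioctl on a listening SMC socket returns with the socket lock still held and every later `lock_sock()` on that socket blocks. Suggest routing those exits through one shared path that calls `release_sock(&smc->sk)` before returning (or storing the error and breaking out of the switch), and confirming that the normal post-switch return also releases the lock, since the hunk as quoted shows only the lock being taken, never released.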