From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mark Salyzyn <salyzyn@android.com>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.14 10/44] unix/caif: sk_socket can disappear when state is unlocked
Date: Fri, 19 Jun 2015 13:36:09 -0700 [thread overview]
Message-ID: <20150619203556.509257931@linuxfoundation.org> (raw)
In-Reply-To: <20150619203556.192033912@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Salyzyn <salyzyn@android.com>
[ Upstream commit b48732e4a48d80ed4a14812f0bab09560846514e ]
got a rare NULL pointer dereference in clear_bit
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
----
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/caif/caif_socket.c | 8 ++++++++
net/unix/af_unix.c | 8 ++++++++
2 files changed, 16 insertions(+)
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -332,6 +332,10 @@ static long caif_stream_data_wait(struct
release_sock(sk);
timeo = schedule_timeout(timeo);
lock_sock(sk);
+
+ if (sock_flag(sk, SOCK_DEAD))
+ break;
+
clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);
}
@@ -376,6 +380,10 @@ static int caif_stream_recvmsg(struct ki
struct sk_buff *skb;
lock_sock(sk);
+ if (sock_flag(sk, SOCK_DEAD)) {
+ err = -ECONNRESET;
+ goto unlock;
+ }
skb = skb_dequeue(&sk->sk_receive_queue);
caif_check_flow_release(sk);
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1893,6 +1893,10 @@ static long unix_stream_data_wait(struct
unix_state_unlock(sk);
timeo = freezable_schedule_timeout(timeo);
unix_state_lock(sk);
+
+ if (sock_flag(sk, SOCK_DEAD))
+ break;
+
clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);
}
@@ -1957,6 +1961,10 @@ static int unix_stream_recvmsg(struct ki
struct sk_buff *skb, *last;
unix_state_lock(sk);
+ if (sock_flag(sk, SOCK_DEAD)) {
+ err = -ECONNRESET;
+ goto unlock;
+ }
last = skb = skb_peek(&sk->sk_receive_queue);
again:
if (skb == NULL) {
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2015-06-19 20:36 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-19 20:35 [PATCH 3.14 00/44] 3.14.45-stable review Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 01/44] crush: ensuring at most num-rep osds are selected Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 02/44] net: core: Correct an over-stringent device loop detection Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 03/44] x86: bpf_jit: fix compilation of large bpf programs Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 04/44] net: phy: Allow EEE for all RGMII variants Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 05/44] tcp/ipv6: fix flow label setting in TIME_WAIT state Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 06/44] ipv4: Avoid crashing in ip_error Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 07/44] bridge: fix parsing of MLDv2 reports Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 08/44] net: dp83640: fix broken calibration routine Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 09/44] net: dp83640: reinforce locking rules Greg Kroah-Hartman
2015-06-19 20:36 ` Greg Kroah-Hartman [this message]
2015-06-19 20:36 ` [PATCH 3.14 11/44] net_sched: invoke ->attach() after setting dev->qdisc Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 12/44] udp: fix behavior of wrong checksums Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 13/44] xen: netback: read hotplug script once at start of day Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 14/44] ipv4/udp: Verify multicast group is ours in upd_v4_early_demux() Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 15/44] bridge: disable softirqs around br_fdb_update to avoid lockup Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 16/44] iio: adc: twl6030-gpadc: Fix modalias Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 17/44] iio: adis16400: Report pressure channel scale Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 18/44] iio: adis16400: Use != channel indices for the two voltage channels Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 19/44] iio: adis16400: Compute the scan mask from channel indices Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 21/44] ALSA: hda/realtek - Add a fixup for another Acer Aspire 9420 Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 22/44] ALSA: usb-audio: Add mic volume fix quirk for Logitech Quickcam Fusion Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 23/44] ALSA: usb-audio: add MAYA44 USB+ mixer control names Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 24/44] Input: synaptics - add min/max quirk for Lenovo S540 Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 26/44] block: fix ext_dev_lock lockdep report Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 27/44] USB: cp210x: add ID for HubZ dual ZigBee and Z-Wave dongle Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 28/44] USB: serial: ftdi_sio: Add support for a Motion Tracker Development Board Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 29/44] x86/asm/irq: Stop relying on magic JMP behavior for early_idt_handlers Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 30/44] ring-buffer-benchmark: Fix the wrong sched_priority of producer Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 31/44] MIPS: Fix enabling of DEBUG_STACKOVERFLOW Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 32/44] ozwpan: Use proper check to prevent heap overflow Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 33/44] ozwpan: divide-by-zero leading to panic Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 34/44] ozwpan: unchecked signed subtraction leads to DoS Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 35/44] pata_octeon_cf: fix broken build Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 36/44] ARM: dts: am335x-boneblack: disable RTC-only sleep to avoid hardware damage Greg Kroah-Hartman
2015-06-22 8:23 ` Johan Hovold
2015-06-22 15:41 ` Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 37/44] drm/i915/hsw: Fix workaround for server AUX channel clock divisor Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 40/44] serial: imx: Fix DMA handling for IDLE condition aborts Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 41/44] mm/memory_hotplug.c: set zone->wait_table to null after freeing it Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 42/44] cfg80211: wext: clear sinfo struct before calling driver Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 43/44] btrfs: incorrect handling for fiemap_fill_next_extent return Greg Kroah-Hartman
2015-06-19 20:36 ` [PATCH 3.14 44/44] btrfs: cleanup orphans while looking up default subvolume Greg Kroah-Hartman
2015-06-20 1:12 ` [PATCH 3.14 00/44] 3.14.45-stable review Shuah Khan
2015-06-20 1:26 ` Guenter Roeck
2015-06-20 7:49 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150619203556.509257931@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=hannes@stressinduktion.org \
--cc=linux-kernel@vger.kernel.org \
--cc=salyzyn@android.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).