From patchwork Fri May 22 15:00:42 2015
X-Patchwork-Submitter: Mark Salyzyn
X-Patchwork-Id: 475640
X-Patchwork-Delegate: davem@davemloft.net
From: Mark Salyzyn
To: linux-kernel@vger.kernel.org
Cc: Hannes Frederic Sowa, Mark Salyzyn, Dmitry Tarnyagin, "David S. Miller", Al Viro, David Howells, Ying Xue, Christoph Hellwig, netdev@vger.kernel.org
Subject: [PATCH v2] net/unix: sk_socket can disappear when state is unlocked
Date: Fri, 22 May 2015 08:00:42 -0700
Message-Id: <1432306867-27009-1-git-send-email-salyzyn@android.com>
X-Mailing-List: netdev@vger.kernel.org

got a rare NULL pointer dereference in clear_bit

Signed-off-by: Mark Salyzyn

---- v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c net/caif/caif_socket.c | 4 ++++ net/unix/af_unix.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 4ec0c80..8f44c38 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -330,6 +330,10 @@ static long caif_stream_data_wait(struct sock *sk, long timeo) release_sock(sk); timeo = schedule_timeout(timeo); lock_sock(sk); + + if (sock_flag(sk, SOCK_DEAD)) + break; + clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); } diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 5266ea7..7b68dc8 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c 
@@ -1880,6 +1880,10 @@ static long unix_stream_data_wait(struct sock *sk, long timeo, unix_state_unlock(sk); timeo = freezable_schedule_timeout(timeo); unix_state_lock(sk); + + if (sock_flag(sk, SOCK_DEAD)) + break; + clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); }
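Review bot: for the net/caif/caif_socket.c hunk, the commit message ("got a rare NULL pointer dereference in clear_bit") does not describe the race the hunk closes and should: the loop drops the lock around release_sock(sk) / schedule_timeout(timeo), sk->sk_socket can be detached in that window, and by the time lock_sock(sk) returns `clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);` dereferences NULL. It should also say why SOCK_DEAD is the right condition to test (presumably it is set on the same path that detaches sk->sk_socket). A one-line comment above `if (sock_flag(sk, SOCK_DEAD))` would help the next reader, since the `break;` deliberately leaves SOCK_ASYNC_WAITDATA uncleared: there is no longer a struct socket to clear it in.

Review bot: for the net/unix/af_unix.c hunk, the check sits after unix_state_lock(sk), so the flag is read with the lock held, which is what the subject line ("sk_socket can disappear when state is unlocked") calls for; but once the loop exits via `break;` with sk_socket gone, the code after the loop in unix_stream_data_wait() (not in this hunk) and the recvmsg caller that retries the wait must not touch sk->sk_socket either, or the NULL dereference just moves. The description should state how the caller notices the dead socket and stops re-entering the wait; if nothing after the loop guarantees that, a check after the loop is needed here as well.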