From patchwork Tue May 26 15:22:19 2015
X-Patchwork-Submitter: Mark Salyzyn
X-Patchwork-Id: 476512
X-Patchwork-Delegate: davem@davemloft.net
From: Mark Salyzyn
To: hannes@redhat.com, linux-kernel@vger.kernel.org
Cc: Mark Salyzyn, Dmitry Tarnyagin, "David S. Miller", Al Viro, David Howells, Ying Xue, Christoph Hellwig, netdev@vger.kernel.org
Subject: [PATCH v3] net/unix: sk_socket can disappear when state is unlocked
Date: Tue, 26 May 2015 08:22:19 -0700
Message-Id: <1432653777-13799-1-git-send-email-salyzyn@android.com>
X-Mailer: git-send-email 2.2.0.rc0.207.ga3a616c
X-Mailing-List: netdev@vger.kernel.org

got a rare NULL pointer dereference in clear_bit

Signed-off-by: Mark Salyzyn
----
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD

Acked-by: Hannes Frederic Sowa
---
net/caif/caif_socket.c | 8 ++++++++
net/unix/af_unix.c | 8 ++++++++
2 files changed, 16 insertions(+)

diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 4ec0c80..112ad78 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c @@ -330,6 +330,10 @@ static long caif_stream_data_wait(struct sock *sk, long timeo) release_sock(sk); timeo = schedule_timeout(timeo); lock_sock(sk); + + if (sock_flag(sk, SOCK_DEAD)) + break; + clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); } 
@@ -373,6 +377,10 @@ static int caif_stream_recvmsg(struct socket *sock, struct msghdr *msg, struct sk_buff *skb; lock_sock(sk); + if (sock_flag(sk, SOCK_DEAD)) { + err = -ECONNRESET; + goto unlock; + } skb = skb_dequeue(&sk->sk_receive_queue); caif_check_flow_release(sk); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 5266ea7..0643059 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -1880,6 +1880,10 @@ static long unix_stream_data_wait(struct sock *sk, long timeo, unix_state_unlock(sk); timeo = freezable_schedule_timeout(timeo); unix_state_lock(sk); + + if (sock_flag(sk, SOCK_DEAD)) + break; + clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); } @@ -1939,6 +1943,10 @@ static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg, struct sk_buff *skb, *last; unix_state_lock(sk); + if (sock_flag(sk, SOCK_DEAD)) { + err = -ECONNRESET; + goto unlock; + } last = skb = skb_peek(&sk->sk_receive_queue); again: if (skb == NULL) {
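Review bot: in the caif_stream_data_wait hunk (@@ -330,6 +330,10 @@) the new `break` on SOCK_DEAD deliberately skips the following `clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags)`, which is the whole point of the fix (the subject says sk_socket can disappear while the state is unlocked), but nothing in the code says so; add a one-line comment above the test, e.g. `/* sk_socket may already be gone; do not touch its flags */`, so a later reader does not "repair" the apparently leaked WAITDATA bit. Placing the test after `lock_sock(sk)` is re-taken, rather than before it, is the right choice, since the state was only unreliable while the lock was dropped around `schedule_timeout`.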
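Review bot: in the caif_stream_recvmsg hunk (@@ -373,6 +377,10 @@) `err = -ECONNRESET; goto unlock;` can be reached on any iteration of the receive loop, and the `unlock` target is outside the hunk; confirm that this path still returns the data already copied by earlier iterations instead of replacing it with the error, and say in the commit message why -ECONNRESET was chosen, since the v3 changelog only records that it is returned, not what the reader of a dead socket should be told.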
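Review bot: in the unix_stream_data_wait hunk (@@ -1880,6 +1880,10 @@) the SOCK_DEAD test sits after `unix_state_lock(sk)` is re-taken and before the `clear_bit` on `sk->sk_socket->flags`, mirroring the caif change, but the commit body ("got a rare NULL pointer dereference in clear_bit") never states that `sk->sk_socket` is the pointer that becomes NULL or that SOCK_DEAD is set under the same state lock; spell that out in the body so the reader can see why `sock_flag(sk, SOCK_DEAD)` checked under `unix_state_lock` is sufficient to rule out the dereference.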
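Review bot: in the unix_stream_recvmsg hunk (@@ -1939,6 +1943,10 @@) the new check precedes `last = skb = skb_peek(&sk->sk_receive_queue)` but sits above the `again:` label, so any `goto again` re-entry bypasses it; that is only safe if every such jump is made without having dropped `unix_state_lock` in between, which deserves a sentence in the commit message. The v3 changelog says this is the caller-side counterpart of the `break` added in unix_stream_data_wait; a short comment at the check linking the two would help, because each half looks incomplete without the other.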