authorPetr Tesarik <ptesarik@suse.cz>2019-01-17 18:32:52 +0100
committerPetr Tesarik <ptesarik@suse.cz>2019-01-17 18:32:52 +0100
commitac9857f9a8f5526837de895491e974b9ffce0eb9 (patch)
tree4681fc9b33217312bb3069c614563ccdca1a99a4
parent71f53af014151674fce09ea55d7093edcb88dacc (diff)
smc: move unhash as early as possible in smc_release()
(git-fixes).
-rw-r--r--patches.fixes/smc-move-unhash-as-early-as-possible-in-smc_release44
-rw-r--r--series.conf1
2 files changed, 45 insertions, 0 deletions
diff --git a/patches.fixes/smc-move-unhash-as-early-as-possible-in-smc_release b/patches.fixes/smc-move-unhash-as-early-as-possible-in-smc_release
new file mode 100644
index 0000000000..52b40ee82d
--- /dev/null
+++ b/patches.fixes/smc-move-unhash-as-early-as-possible-in-smc_release
@@ -0,0 +1,44 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 5 Jan 2019 23:45:26 -0800
+Subject: smc: move unhash as early as possible in smc_release()
+Git-commit: 26d92e951fe0a44ee4aec157cabb65a818cc8151
+Patch-mainline: v5.0 or v5.0-rc3 (next release)
+References: git-fixes
+
+In smc_release() we release smc->clcsock before unhash the smc
+sock, but a parallel smc_diag_dump() may be still reading
+smc->clcsock, therefore this could cause a use-after-free as
+reported by syzbot.
+
+Reported-and-tested-by: syzbot+fbd1e5476e4c94c7b34e@syzkaller.appspotmail.com
+Fixes: 51f1de79ad8e ("net/smc: replace sock_put worker by socket refcounting")
+Cc: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reported-by: syzbot+0bf2e01269f1274b4b03@syzkaller.appspotmail.com
+Reported-by: syzbot+e3132895630f957306bc@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -146,6 +146,9 @@ static int smc_release(struct socket *so
+ sock_set_flag(sk, SOCK_DEAD);
+ sk->sk_shutdown |= SHUTDOWN_MASK;
+ }
++
++ sk->sk_prot->unhash(sk);
++
+ if (smc->clcsock) {
+ sock_release(smc->clcsock);
+ smc->clcsock = NULL;
+@@ -164,7 +167,6 @@ static int smc_release(struct socket *so
+ smc_conn_free(&smc->conn);
+ release_sock(sk);
+
+- sk->sk_prot->unhash(sk);
+ sock_put(sk); /* final sock_put */
+ out:
+ return rc;
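Review bot: The relocated `sk->sk_prot->unhash(sk)` now runs while the socket lock is still held (the matching `release_sock(sk)` only appears in the second hunk, after `smc_conn_free`), whereas before it ran after the lock was dropped; any ordering between the sock lock and the lock taken inside the unhash callback should be checked against this branch, since the callback body is not part of this patch. The reason for the move (a concurrent smc_diag_dump() reading smc->clcsock after it has been released) lives only in the patch description, so a short comment at the new call site would preserve it in the source, e.g. `/* unhash before releasing clcsock: a concurrent smc_diag_dump() may still find this sock */`. smc_release() starts before the first hunk and its `out:` label is the last visible line, so paths that reach `out` before the new call site cannot be judged from here. The series.conf hunk is just the list entry and needs no review.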
diff --git a/series.conf b/series.conf
index e0d92b0236..e9c873b7e8 100644
--- a/series.conf
+++ b/series.conf
@@ -42510,6 +42510,7 @@
patches.drivers/ALSA-hda-realtek-Disable-headset-Mic-VREF-for-headse.patch
patches.drm/0001-drm-fb-helper-Ignore-the-value-of-fb_var_screeninfo..patch
patches.drivers/tty-Don-t-hold-ldisc-lock-in-tty_reopen-if-ldisc-pre.patch
+ patches.fixes/smc-move-unhash-as-early-as-possible-in-smc_release
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch