summaryrefslogtreecommitdiffstats
path: root/net/smc/smc_close.c
diff options
context:
space:
mode:
authorWen Gu <guwen@linux.alibaba.com>2022-04-22 09:56:19 +0200
committerJakub Kicinski <kuba@kernel.org>2022-04-25 20:03:48 +0200
commit0558226cebee256aa3f8ec0cc5a800a10bf120a6 (patch)
treee30751d6e6b40913f4033d436e606fb2888a2bbe /net/smc/smc_close.c
parentnet/smc: Only save the original clcsock callback functions (diff)
downloadlinux-0558226cebee256aa3f8ec0cc5a800a10bf120a6.tar.xz
linux-0558226cebee256aa3f8ec0cc5a800a10bf120a6.zip
net/smc: Fix slab-out-of-bounds issue in fallback
syzbot reported a slab-out-of-bounds/use-after-free issue, which was caused by accessing an already freed smc sock in fallback-specific callback functions of clcsock. This patch fixes the issue by restoring fallback-specific callback functions to original ones and resetting clcsock sk_user_data to NULL before freeing smc sock. Meanwhile, this patch introduces sk_callback_lock to make the access and assignment to sk_user_data mutually exclusive. Reported-by: syzbot+b425899ed22c6943e00b@syzkaller.appspotmail.com Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback") Link: https://lore.kernel.org/r/00000000000013ca8105d7ae3ada@google.com/ Signed-off-by: Wen Gu <guwen@linux.alibaba.com> Acked-by: Karsten Graul <kgraul@linux.ibm.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to '')
-rw-r--r--net/smc/smc_close.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
index 7bd1ef55b9df..31db7438857c 100644
--- a/net/smc/smc_close.c
+++ b/net/smc/smc_close.c
@@ -214,9 +214,11 @@ again:
sk->sk_state = SMC_CLOSED;
sk->sk_state_change(sk); /* wake up accept */
if (smc->clcsock && smc->clcsock->sk) {
+ write_lock_bh(&smc->clcsock->sk->sk_callback_lock);
smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready,
&smc->clcsk_data_ready);
smc->clcsock->sk->sk_user_data = NULL;
+ write_unlock_bh(&smc->clcsock->sk->sk_callback_lock);
rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
}
smc_close_cleanup_listen(sk);