diff options
author | Wen Gu <guwen@linux.alibaba.com> | 2022-04-22 09:56:19 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2022-04-25 20:03:48 +0200 |
commit | 0558226cebee256aa3f8ec0cc5a800a10bf120a6 (patch) | |
tree | e30751d6e6b40913f4033d436e606fb2888a2bbe /net/smc/smc_close.c | |
parent | net/smc: Only save the original clcsock callback functions (diff) | |
download | linux-0558226cebee256aa3f8ec0cc5a800a10bf120a6.tar.xz linux-0558226cebee256aa3f8ec0cc5a800a10bf120a6.zip |
net/smc: Fix slab-out-of-bounds issue in fallback
syzbot reported a slab-out-of-bounds/use-after-free issue,
which was caused by accessing an already freed smc sock in
fallback-specific callback functions of clcsock.
This patch fixes the issue by restoring fallback-specific
callback functions to original ones and resetting clcsock
sk_user_data to NULL before freeing smc sock.
Meanwhile, this patch introduces sk_callback_lock to make
the access and assignment to sk_user_data mutually exclusive.
Reported-by: syzbot+b425899ed22c6943e00b@syzkaller.appspotmail.com
Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
Link: https://lore.kernel.org/r/00000000000013ca8105d7ae3ada@google.com/
Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
Acked-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to '')
-rw-r--r-- | net/smc/smc_close.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c index 7bd1ef55b9df..31db7438857c 100644 --- a/net/smc/smc_close.c +++ b/net/smc/smc_close.c @@ -214,9 +214,11 @@ again: sk->sk_state = SMC_CLOSED; sk->sk_state_change(sk); /* wake up accept */ if (smc->clcsock && smc->clcsock->sk) { + write_lock_bh(&smc->clcsock->sk->sk_callback_lock); smc_clcsock_restore_cb(&smc->clcsock->sk->sk_data_ready, &smc->clcsk_data_ready); smc->clcsock->sk->sk_user_data = NULL; + write_unlock_bh(&smc->clcsock->sk->sk_callback_lock); rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); } smc_close_cleanup_listen(sk); |