Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 06ac276e authored by Mohamad Ayyash's avatar Mohamad Ayyash Committed by Amit Pundir
Browse files

ANDROID: netfilter: xt_qtaguid: Use sk_callback_lock read locks before reading sk->sk_socket 



It prevents a kernel panic when accessing sk->sk_socket fields due to NULLing sk->sk_socket when sock_orphan is called through
sk_common_release.

Change-Id: I4aa46b4e2d8600e4d4ef8dcdd363aa4e6e5f8433
Signed-off-by: default avatarMohamad Ayyash <mkayyash@google.com>
(cherry picked from commit cdea0ebcb8bcfe57688f6cb692b49e550ebd9796)
Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
parent 9b19736f

net/netfilter/xt_qtaguid.c

+5 −0
Original line number Diff line number Diff line
@@ -1658,6 +1658,7 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) 
	struct sock *sk;

	kuid_t sock_uid;

	bool res;

	bool set_sk_callback_lock = false;



	if (unlikely(module_passive))

		return (info->match ^ info->invert) == 0;
@@ -1715,6 +1716,8 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) 
	MT_DEBUG("qtaguid[%d]: sk=%p got_sock=%d fam=%d proto=%d\n",

		 par->hooknum, sk, got_sock, par->family, ipx_proto(skb, par));

	if (sk != NULL) {

		set_sk_callback_lock = true;

		read_lock_bh(&sk->sk_callback_lock);

		MT_DEBUG("qtaguid[%d]: sk=%p->sk_socket=%p->file=%p\n",

			par->hooknum, sk, sk->sk_socket,

			sk->sk_socket ? sk->sk_socket->file : (void *)-1LL);
@@ -1801,6 +1804,8 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) 
put_sock_ret_res:

	if (got_sock)

		sock_gen_put(sk);

	if (set_sk_callback_lock)

		read_unlock_bh(&sk->sk_callback_lock);

ret_res:

	MT_DEBUG("qtaguid[%d]: left %d\n", par->hooknum, res);

	return res;