Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2351abe6 authored by Ursula Braun's avatar Ursula Braun Committed by David S. Miller
Browse files

net/smc: return 0 for ioctl calls in states INIT and CLOSED 



A connected SMC-socket contains addresses of descriptors for the
send buffer and the rmb (receive buffer). Fields of these descriptors
are used to determine the answer for certain ioctl requests.
Add extra handling for unconnected SMC socket states without valid
buffer descriptor addresses.

Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
Reported-by: default avatar <syzbot+e6714328fda813fc670f@syzkaller.appspotmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 8156b0ba

net/smc/af_smc.c

+15 −3
Original line number Diff line number Diff line
@@ -1490,12 +1490,20 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd, 
	case SIOCINQ: /* same as FIONREAD */

		if (smc->sk.sk_state == SMC_LISTEN)

			return -EINVAL;

		if (smc->sk.sk_state == SMC_INIT ||

		    smc->sk.sk_state == SMC_CLOSED)

			answ = 0;

		else

			answ = atomic_read(&smc->conn.bytes_to_rcv);

		break;

	case SIOCOUTQ:

		/* output queue size (not send + not acked) */

		if (smc->sk.sk_state == SMC_LISTEN)

			return -EINVAL;

		if (smc->sk.sk_state == SMC_INIT ||

		    smc->sk.sk_state == SMC_CLOSED)

			answ = 0;

		else

			answ = smc->conn.sndbuf_desc->len -

					atomic_read(&smc->conn.sndbuf_space);

		break;
@@ -1503,6 +1511,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd, 
		/* output queue size (not send only) */

		if (smc->sk.sk_state == SMC_LISTEN)

			return -EINVAL;

		if (smc->sk.sk_state == SMC_INIT ||

		    smc->sk.sk_state == SMC_CLOSED)

			answ = 0;

		else

			answ = smc_tx_prepared_sends(&smc->conn);

		break;

	default: