Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1992d998 authored by Ursula Braun's avatar Ursula Braun Committed by David S. Miller
Browse files

net/smc: take sock lock in smc_ioctl() 



SMC ioctl processing requires the sock lock to work properly in
all thinkable scenarios.
Problem has been found with RaceFuzzer and fixes:
   KASAN: null-ptr-deref Read in smc_ioctl

Reported-by: default avatarByoungyoung Lee <lifeasageek@gmail.com>
Reported-by: default avatar <syzbot+35b2c5aa76fd398b9fd4@syzkaller.appspotmail.com>
Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent bd598d20

net/smc/af_smc.c

+15 −4
Original line number Diff line number Diff line
@@ -1524,10 +1524,13 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd, 
			return -EBADF;

		return smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);

	}

	lock_sock(&smc->sk);

	switch (cmd) {

	case SIOCINQ: /* same as FIONREAD */

		if (smc->sk.sk_state == SMC_LISTEN)

		if (smc->sk.sk_state == SMC_LISTEN) {

			release_sock(&smc->sk);

			return -EINVAL;

		}

		if (smc->sk.sk_state == SMC_INIT ||

		    smc->sk.sk_state == SMC_CLOSED)

			answ = 0;
@@ -1536,8 +1539,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd, 
		break;

	case SIOCOUTQ:

		/* output queue size (not send + not acked) */

		if (smc->sk.sk_state == SMC_LISTEN)

		if (smc->sk.sk_state == SMC_LISTEN) {

			release_sock(&smc->sk);

			return -EINVAL;

		}

		if (smc->sk.sk_state == SMC_INIT ||

		    smc->sk.sk_state == SMC_CLOSED)

			answ = 0;
@@ -1547,8 +1552,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd, 
		break;

	case SIOCOUTQNSD:

		/* output queue size (not send only) */

		if (smc->sk.sk_state == SMC_LISTEN)

		if (smc->sk.sk_state == SMC_LISTEN) {

			release_sock(&smc->sk);

			return -EINVAL;

		}

		if (smc->sk.sk_state == SMC_INIT ||

		    smc->sk.sk_state == SMC_CLOSED)

			answ = 0;
@@ -1556,8 +1563,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd, 
			answ = smc_tx_prepared_sends(&smc->conn);

		break;

	case SIOCATMARK:

		if (smc->sk.sk_state == SMC_LISTEN)

		if (smc->sk.sk_state == SMC_LISTEN) {

			release_sock(&smc->sk);

			return -EINVAL;

		}

		if (smc->sk.sk_state == SMC_INIT ||

		    smc->sk.sk_state == SMC_CLOSED) {

			answ = 0;
@@ -1573,8 +1582,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd, 
		}

		break;

	default:

		release_sock(&smc->sk);

		return -ENOIOCTLCMD;

	}

	release_sock(&smc->sk);



	return put_user(answ, (int __user *)arg);

}