| Message ID | 20180904021241.11426-2-xiyou.wangcong@gmail.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net] tipc: orphan sock in tipc_release() | expand |
On 09/04/2018 10:12 AM, Cong Wang wrote: > Before we unlock the sock in tipc_release(), we have to > detach sk->sk_socket from sk, otherwise a parallel > tipc_sk_fill_sock_diag() could stil read it after we > free this socket. > > Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC") > Reported-and-tested-by: syzbot+48804b87c16588ad491d@syzkaller.appspotmail.com > Cc: Jon Maloy <jon.maloy@ericsson.com> > Cc: Ying Xue <ying.xue@windriver.com> > Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Ying Xue <ying.xue@windriver.com> > --- > net/tipc/socket.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/tipc/socket.c b/net/tipc/socket.c > index a19b2b1c77ed..b5a6635e4dfa 100644 > --- a/net/tipc/socket.c > +++ b/net/tipc/socket.c > @@ -576,6 +576,7 @@ static int tipc_release(struct socket *sock) > sk_stop_timer(sk, &sk->sk_timer); > tipc_sk_remove(tsk); > > + sock_orphan(sk); > /* Reject any messages that accumulated in backlog queue */ > release_sock(sk); > tipc_dest_list_purge(&tsk->cong_links); >
From: Cong Wang <xiyou.wangcong@gmail.com> Date: Mon, 3 Sep 2018 19:12:41 -0700 > Before we unlock the sock in tipc_release(), we have to > detach sk->sk_socket from sk, otherwise a parallel > tipc_sk_fill_sock_diag() could stil read it after we > free this socket. > > Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC") > Reported-and-tested-by: syzbot+48804b87c16588ad491d@syzkaller.appspotmail.com > Cc: Jon Maloy <jon.maloy@ericsson.com> > Cc: Ying Xue <ying.xue@windriver.com> > Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Applied and queued up for -stable, thanks.
diff --git a/net/tipc/socket.c b/net/tipc/socket.c index a19b2b1c77ed..b5a6635e4dfa 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -576,6 +576,7 @@ static int tipc_release(struct socket *sock) sk_stop_timer(sk, &sk->sk_timer); tipc_sk_remove(tsk); + sock_orphan(sk); /* Reject any messages that accumulated in backlog queue */ release_sock(sk); tipc_dest_list_purge(&tsk->cong_links);
Before we unlock the sock in tipc_release(), we have to detach sk->sk_socket from sk, otherwise a parallel tipc_sk_fill_sock_diag() could stil read it after we free this socket. Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC") Reported-and-tested-by: syzbot+48804b87c16588ad491d@syzkaller.appspotmail.com Cc: Jon Maloy <jon.maloy@ericsson.com> Cc: Ying Xue <ying.xue@windriver.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> --- net/tipc/socket.c | 1 + 1 file changed, 1 insertion(+)