[net] tipc: orphan sock in tipc_release()

Message ID 20180904021241.11426-2-xiyou.wangcong@gmail.com
State Accepted
Delegated to: David Miller
Headers show
Series
  • [net] tipc: orphan sock in tipc_release()
Related show

Commit Message

Cong Wang Sept. 4, 2018, 2:12 a.m.
Before we unlock the sock in tipc_release(), we have to
detach sk->sk_socket from sk, otherwise a parallel
tipc_sk_fill_sock_diag() could stil read it after we
free this socket.

Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC")
Reported-and-tested-by: syzbot+48804b87c16588ad491d@syzkaller.appspotmail.com
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/tipc/socket.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Ying Xue Sept. 4, 2018, 11:40 a.m. | #1
On 09/04/2018 10:12 AM, Cong Wang wrote:
> Before we unlock the sock in tipc_release(), we have to
> detach sk->sk_socket from sk, otherwise a parallel
> tipc_sk_fill_sock_diag() could stil read it after we
> free this socket.
> 
> Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC")
> Reported-and-tested-by: syzbot+48804b87c16588ad491d@syzkaller.appspotmail.com
> Cc: Jon Maloy <jon.maloy@ericsson.com>
> Cc: Ying Xue <ying.xue@windriver.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Acked-by: Ying Xue <ying.xue@windriver.com>

> ---
>  net/tipc/socket.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/tipc/socket.c b/net/tipc/socket.c
> index a19b2b1c77ed..b5a6635e4dfa 100644
> --- a/net/tipc/socket.c
> +++ b/net/tipc/socket.c
> @@ -576,6 +576,7 @@ static int tipc_release(struct socket *sock)
>  	sk_stop_timer(sk, &sk->sk_timer);
>  	tipc_sk_remove(tsk);
>  
> +	sock_orphan(sk);
>  	/* Reject any messages that accumulated in backlog queue */
>  	release_sock(sk);
>  	tipc_dest_list_purge(&tsk->cong_links);
>
David Miller Sept. 6, 2018, 5:15 a.m. | #2
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Mon,  3 Sep 2018 19:12:41 -0700

> Before we unlock the sock in tipc_release(), we have to
> detach sk->sk_socket from sk, otherwise a parallel
> tipc_sk_fill_sock_diag() could stil read it after we
> free this socket.
> 
> Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC")
> Reported-and-tested-by: syzbot+48804b87c16588ad491d@syzkaller.appspotmail.com
> Cc: Jon Maloy <jon.maloy@ericsson.com>
> Cc: Ying Xue <ying.xue@windriver.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied and queued up for -stable, thanks.

Patch

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index a19b2b1c77ed..b5a6635e4dfa 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -576,6 +576,7 @@  static int tipc_release(struct socket *sock)
 	sk_stop_timer(sk, &sk->sk_timer);
 	tipc_sk_remove(tsk);
 
+	sock_orphan(sk);
 	/* Reject any messages that accumulated in backlog queue */
 	release_sock(sk);
 	tipc_dest_list_purge(&tsk->cong_links);