From patchwork Tue Sep 4 02:12:41 2018
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 965663
X-Patchwork-Delegate: davem@davemloft.net
From: Cong Wang
To: netdev@vger.kernel.org
Cc: tipc-discussion@lists.sourceforge.net, Cong Wang, Jon Maloy, Ying Xue
Subject: [Patch net] tipc: orphan sock in tipc_release()
Date: Mon, 3 Sep 2018 19:12:41 -0700
Message-Id: <20180904021241.11426-2-xiyou.wangcong@gmail.com>
In-Reply-To: <20180904021241.11426-1-xiyou.wangcong@gmail.com>
References: <20180904021241.11426-1-xiyou.wangcong@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

Before we unlock the sock in tipc_release(), we have to
detach sk->sk_socket from sk, otherwise a parallel
tipc_sk_fill_sock_diag() could still read it after we
free this socket.

Fixes: c30b70deb5f4 ("tipc: implement socket diagnostics for AF_TIPC")
Reported-and-tested-by: syzbot+48804b87c16588ad491d@syzkaller.appspotmail.com
Cc: Jon Maloy
Cc: Ying Xue
Signed-off-by: Cong Wang Acked-by: Ying Xue --- net/tipc/socket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/tipc/socket.c b/net/tipc/socket.c index a19b2b1c77ed..b5a6635e4dfa 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -576,6 +576,7 @@ static int tipc_release(struct socket *sock) sk_stop_timer(sk, &sk->sk_timer); tipc_sk_remove(tsk); + sock_orphan(sk); /* Reject any messages that accumulated in backlog queue */ release_sock(sk); tipc_dest_list_purge(&tsk->cong_links);
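
Review bot: The new sock_orphan(sk) call in tipc_release() carries an ordering requirement, that it must run before release_sock(sk), which only the commit message records. A one-line comment above the call, along the lines of "detach sk->sk_socket before unlocking so tipc_sk_fill_sock_diag() cannot read a freed socket", would keep a later reshuffle of this teardown sequence from reintroducing the race. The fix also depends on the diag reader coping with sk->sk_socket having been detached, and that reader is not part of this hunk, so the commit message should state how tipc_sk_fill_sock_diag() reaches the field (which lock it holds, and whether it checks for a detached socket) to show the window is closed rather than narrowed.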