* [PATCH net 1/4] net/smc: take sock lock in smc_ioctl()
From: Ursula Braun @ 2018-07-16 10:01 UTC
To: davem
Cc: netdev, linux-s390, schwidefsky, heiko.carstens, raspl,
linux-kernel, eric.dumazet, lifeasageek
From: Ursula Braun <ursula.braun@linux.ibm.com>
SMC ioctl processing requires the sock lock to work properly in
all thinkable scenarios.
The problem was found with RaceFuzzer, and this fixes:
KASAN: null-ptr-deref Read in smc_ioctl
Reported-by: Byoungyoung Lee <lifeasageek@gmail.com>
Reported-by: syzbot+35b2c5aa76fd398b9fd4@syzkaller.appspotmail.com
Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
---
net/smc/af_smc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 5334157f5065..a4381b38a521 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1524,6 +1524,7 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
return -EBADF;
return smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);
}
+ lock_sock(&smc->sk);
switch (cmd) {
case SIOCINQ: /* same as FIONREAD */
if (smc->sk.sk_state == SMC_LISTEN)
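Review bot: with lock_sock() now taken before the switch, every return inside the switch body must be paired with release_sock(), and the hunk's last context line `if (smc->sk.sk_state == SMC_LISTEN)` guards an early `return -EINVAL;` (shown in the reviewer's reply below) that leaves the socket locked; the same SMC_LISTEN check recurs in the other SIOC* cases, so each of those paths leaks the lock. Either add `release_sock(&smc->sk);` before each such return or, cleaner, set an error code and jump to a single `out:` label that releases once. The commit message should also say whether the fallback dispatch visible above the lock, `return smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);`, is intentionally outside the lock, since that return is taken before lock_sock() and the socket state is read unlocked on that path.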
@@ -1573,8 +1574,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
}
break;
default:
+ release_sock(&smc->sk);
return -ENOIOCTLCMD;
}
+ release_sock(&smc->sk);
return put_user(answ, (int __user *)arg);
}
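Review bot: the two release_sock() calls, one in the default case and one after the switch, duplicate the unlock on separate exit paths; a single `out:` label before the final `release_sock(&smc->sk);` would let every path, including the early returns in the cases above this hunk, release exactly once and make the lock balance obvious at a glance. Releasing before `put_user(answ, (int __user *)arg);` is the right order, since copying the answer to user space does not need the socket locked.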
--
2.16.4
* Re: [PATCH net 1/4] net/smc: take sock lock in smc_ioctl()
From: Stefano Brivio @ 2018-07-16 10:09 UTC
To: Ursula Braun
Cc: davem, netdev, linux-s390, schwidefsky, heiko.carstens, raspl,
linux-kernel, eric.dumazet, lifeasageek
On Mon, 16 Jul 2018 12:01:01 +0200
Ursula Braun <ubraun@linux.ibm.com> wrote:
> From: Ursula Braun <ursula.braun@linux.ibm.com>
>
> SMC ioctl processing requires the sock lock to work properly in
> all thinkable scenarios.
> Problem has been found with RaceFuzzer and fixes:
> KASAN: null-ptr-deref Read in smc_ioctl
>
> Reported-by: Byoungyoung Lee <lifeasageek@gmail.com>
> Reported-by: syzbot+35b2c5aa76fd398b9fd4@syzkaller.appspotmail.com
> Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
> ---
> net/smc/af_smc.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
> index 5334157f5065..a4381b38a521 100644
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -1524,6 +1524,7 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
> return -EBADF;
> return smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);
> }
> + lock_sock(&smc->sk);
> switch (cmd) {
> case SIOCINQ: /* same as FIONREAD */
> if (smc->sk.sk_state == SMC_LISTEN)
return -EINVAL;
you should also unlock here, and:
case SIOCOUTQ:
/* output queue size (not send + not acked) */
if (smc->sk.sk_state == SMC_LISTEN)
return -EINVAL;
here, and:
case SIOCOUTQNSD:
/* output queue size (not send only) */
if (smc->sk.sk_state == SMC_LISTEN)
return -EINVAL;
here, and:
case SIOCATMARK:
if (smc->sk.sk_state == SMC_LISTEN)
return -EINVAL;
here.
--
Stefano
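To make the review point concrete, the following is an added user-space model, written for this page; it is not kernel code and not part of the patch series. lock_sock()/release_sock() are replaced by a depth counter, the state and command values (MOCK_*) are made up stand-ins for the SMC states and SIOC* commands, and the two handlers have the shape of the v1 hunk and of a single-exit rewrite. Running it shows, for every (state, command) pair, which handler returns with the lock still held.

```c
/* Illustrative model of the lock-balance problem raised in this thread.
 * Not kernel code: lock_sock()/release_sock() are a depth counter so the
 * unbalanced and balanced handlers can be compared in user space.
 * State and command values are made up. */
#include <errno.h>
#include <stdio.h>

#ifndef ENOIOCTLCMD
#define ENOIOCTLCMD 515   /* kernel-internal errno, absent from user space */
#endif

enum mock_state { MOCK_ACTIVE = 1, MOCK_LISTEN = 2 };          /* stand-ins for SMC states */
enum mock_cmd   { MOCK_INQ = 1, MOCK_OUTQ = 2, MOCK_ATMARK = 3 }; /* stand-ins for SIOC* */

struct mock_sock {
	enum mock_state state;
	int lock_depth;   /* incremented by "lock", decremented by "release" */
};

static void mock_lock_sock(struct mock_sock *sk)    { sk->lock_depth++; }
static void mock_release_sock(struct mock_sock *sk) { sk->lock_depth--; }

typedef int (*ioctl_fn)(struct mock_sock *, unsigned int, int *);

/* Shape of the v1 patch: lock taken before the switch, but the MOCK_LISTEN
 * checks return without releasing it. Only the default case is balanced. */
static int ioctl_unbalanced(struct mock_sock *sk, unsigned int cmd, int *answ)
{
	mock_lock_sock(sk);
	switch (cmd) {
	case MOCK_INQ:
		if (sk->state == MOCK_LISTEN)
			return -EINVAL;          /* returns with the lock held */
		*answ = 10;
		break;
	case MOCK_OUTQ:
		if (sk->state == MOCK_LISTEN)
			return -EINVAL;          /* same leak */
		*answ = 20;
		break;
	default:
		mock_release_sock(sk);
		return -ENOIOCTLCMD;
	}
	mock_release_sock(sk);
	return 0;
}

/* Same logic with one exit label: every path releases exactly once. */
static int ioctl_balanced(struct mock_sock *sk, unsigned int cmd, int *answ)
{
	int rc = 0;

	mock_lock_sock(sk);
	switch (cmd) {
	case MOCK_INQ:
		if (sk->state == MOCK_LISTEN) { rc = -EINVAL; goto out; }
		*answ = 10;
		break;
	case MOCK_OUTQ:
		if (sk->state == MOCK_LISTEN) { rc = -EINVAL; goto out; }
		*answ = 20;
		break;
	default:
		rc = -ENOIOCTLCMD;
		break;
	}
out:
	mock_release_sock(sk);
	return rc;
}

/* Drive one call on a fresh socket; return rc and flag a leaked lock. */
static int run_ioctl(ioctl_fn fn, enum mock_state state, unsigned int cmd, int *leaked)
{
	struct mock_sock sk = { state, 0 };
	int answ = 0;
	int rc = fn(&sk, cmd, &answ);

	*leaked = (sk.lock_depth != 0);
	return rc;
}

static int ioctl_rc(ioctl_fn fn, enum mock_state state, unsigned int cmd)
{
	int leaked;
	return run_ioctl(fn, state, cmd, &leaked);
}

static int ioctl_leaks(ioctl_fn fn, enum mock_state state, unsigned int cmd)
{
	int leaked;
	(void)run_ioctl(fn, state, cmd, &leaked);
	return leaked;
}

int main(void)
{
	static const struct { const char *name; ioctl_fn fn; } handlers[] = {
		{ "unbalanced (v1 shape)", ioctl_unbalanced },
		{ "balanced (goto out)",   ioctl_balanced },
	};
	const unsigned int cmds[] = { MOCK_INQ, MOCK_OUTQ, MOCK_ATMARK };
	const enum mock_state states[] = { MOCK_ACTIVE, MOCK_LISTEN };

	for (size_t h = 0; h < 2; h++)
		for (size_t s = 0; s < 2; s++)
			for (size_t c = 0; c < 3; c++) {
				int leaked;
				int rc = run_ioctl(handlers[h].fn, states[s], cmds[c], &leaked);
				printf("%-22s state=%d cmd=%u rc=%d lock_leaked=%s\n",
				       handlers[h].name, states[s], cmds[c], rc,
				       leaked ? "YES" : "no");
			}
	return 0;
}
```

The table printed by main() shows the v1 shape leaking only on the LISTEN early returns, while the unknown-command path is balanced in both versions; the single `out:` label is what keeps the second handler correct when further cases are added later.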
* Re: [PATCH net 1/4] net/smc: take sock lock in smc_ioctl()
From: Ursula Braun @ 2018-07-16 11:56 UTC
To: Stefano Brivio
Cc: davem, netdev, linux-s390, schwidefsky, heiko.carstens, raspl,
linux-kernel, eric.dumazet, lifeasageek
On 07/16/2018 12:09 PM, Stefano Brivio wrote:
> On Mon, 16 Jul 2018 12:01:01 +0200
> Ursula Braun <ubraun@linux.ibm.com> wrote:
>
>> From: Ursula Braun <ursula.braun@linux.ibm.com>
>>
>> SMC ioctl processing requires the sock lock to work properly in
>> all thinkable scenarios.
>> Problem has been found with RaceFuzzer and fixes:
>> KASAN: null-ptr-deref Read in smc_ioctl
>>
>> Reported-by: Byoungyoung Lee <lifeasageek@gmail.com>
>> Reported-by: syzbot+35b2c5aa76fd398b9fd4@syzkaller.appspotmail.com
>> Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
>> ---
>> net/smc/af_smc.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
>> index 5334157f5065..a4381b38a521 100644
>> --- a/net/smc/af_smc.c
>> +++ b/net/smc/af_smc.c
>> @@ -1524,6 +1524,7 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
>> return -EBADF;
>> return smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);
>> }
>> + lock_sock(&smc->sk);
>> switch (cmd) {
>> case SIOCINQ: /* same as FIONREAD */
>> if (smc->sk.sk_state == SMC_LISTEN)
>
> return -EINVAL;
>
> you should also unlock here, and:
>
> case SIOCOUTQ:
> /* output queue size (not send + not acked) */
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;
>
> here, and:
>
> case SIOCOUTQNSD:
> /* output queue size (not send only) */
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;
>
> here, and:
>
> case SIOCATMARK:
> if (smc->sk.sk_state == SMC_LISTEN)
> return -EINVAL;
>
> here.
>
Sorry, my fault! V2 is on its way. Thanks for your hint.