Message-ID: <1455210224.2801.21.camel@decadent.org.uk>
Subject: Re: Bug 4.1.16: self-detected stall in net/unix/?
From: Ben Hutchings
To: Rainer Weikusat, Philipp Hahn
Cc: Hannes Frederic Sowa, Sasha Levin, "David S. Miller", linux-kernel@vger.kernel.org, Karolin Seeger, Jason Baron, Greg Kroah-Hartman, Arvid Requate, Stefan Gohmann
Date: Thu, 11 Feb 2016 17:03:44 +0000
In-Reply-To: <87fuwzkzr5.fsf@doppelsaurus.mobileactivedefense.com>
References: <56B4BF9D.9070609@pmhahn.de> <56BC90E7.7040007@pmhahn.de> <87fuwzkzr5.fsf@doppelsaurus.mobileactivedefense.com>

On Thu, 2016-02-11 at 15:55 +0000, Rainer Weikusat wrote:
> Philipp Hahn writes:
> 
> [...]
> 
> > Probably the same bug was also reported to samba-technical by Karolin
> > Seeger; she filed the bug for 3.19-ckt with Ubuntu:
> > 
> > 
> > 
> > Running the Samba test suite reproduces the problem; see bug for
> > details.
> 
> 
> JFTR: The oops in this bug report is for 3.13.0-77 and the patch you
> reverted for 4.1 is not part of that (at least not of the upstream 3.13).
[...]

It is in 3.13-ckt and basically all the stable branches.

Does the patch below fix this bug?

Ben.

---
unix: Fix potential double-unlock in unix_dgram_sendmsg()

A datagram socket may be peered with itself, so that sk == other.  We
use unix_state_double_lock() to lock sk and other in the right order,
which also guards against this and only locks the socket once, but we
then end up trying to unlock it twice.  Add the check for sk != other.
Reported-by: Philipp Hahn
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Cc: stable
Signed-off-by: Ben Hutchings
---
 net/unix/af_unix.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index c5bf5ef2bf89..b4320d3e3a25 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1810,7 +1810,7 @@ restart_locked:
 		}
 	}
 
-	if (unlikely(sk_locked))
+	if (unlikely(sk_locked) && sk != other)
 		unix_state_unlock(sk);
 
 	if (sock_flag(other, SOCK_RCVTSTAMP))
@@ -1826,7 +1826,7 @@ restart_locked:
 	return len;
 
 out_unlock:
-	if (sk_locked)
+	if (sk_locked && sk != other)
 		unix_state_unlock(sk);
 	unix_state_unlock(other);
 out_free:
-- 
Ben Hutchings
Who are all these weirdos? - David Bowie, reading IRC for the first time
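Review bot: In the first hunk (the unlock after restart_locked), the `sk != other` test is bolted onto the unlock site, so the fact that unix_state_double_lock() takes only one lock when sk == other now has to be remembered at two separate unlock sites (here and in the out_unlock hunk) and both must stay in sync. A single change at the point where sk_locked is set, leaving it 0 (or clearing it) when sk == other after unix_state_double_lock() returns, would let both unlock sites stay as they were. As a style point, `unlikely(sk_locked) && sk != other` wraps only half the condition in unlikely(); if the branch hint is wanted, `unlikely(sk_locked && sk != other)` reads more naturally.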
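Review bot: In the out_unlock hunk, `if (sk_locked && sk != other)` carries no comment saying why the second condition exists; a reader who does not know that unix_state_double_lock() takes a single lock when sk == other will see it as redundant, and someone "simplifying" the test later would reintroduce the double unlock that the commit message describes. A one-line comment above the test, e.g. `/* sk == other was locked only once by unix_state_double_lock() */`, would make the invariant explicit; the same applies to the matching test in the earlier hunk.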
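As an added user-space illustration (not part of the patch, the kernel tree, or anything Ben posted), the program below puts an AF_UNIX SOCK_DGRAM socket into the self-peered state the commit message refers to, where the kernel's sk and other are the same socket. It shows two ways of getting there: connect()ing the socket to its own bound address, and leaving it unconnected and passing its own address to sendto(). In both cases the datagram lands in the sending socket's own receive queue. The socket path, message text and helper names are constructed for this example. It does not reproduce the double unlock itself, which needs the blocked-sender (sk_locked) path in unix_dgram_sendmsg(); it only shows that the sk == other condition is reachable from ordinary calls, which is why the unlock sites must handle it.

```c
/* Added example, not from the patch or the kernel tree: two ways a
 * user-space program puts an AF_UNIX datagram socket into the
 * "peered with itself" state (sk == other in unix_dgram_sendmsg()).
 * Path names, message text and helper names are constructed here.
 * This does not trigger the double unlock the patch fixes; it only
 * shows that the condition is reachable with ordinary calls. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill a sockaddr_un for `path`; returns 0 on success, -1 if too long. */
static int make_addr(struct sockaddr_un *addr, const char *path)
{
    if (strlen(path) >= sizeof(addr->sun_path))
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    strcpy(addr->sun_path, path);
    return 0;
}

/* Datagram socket bound to `path`, connected to itself if `connect_self`.
 * Returns the descriptor, or -1 on failure. */
int bound_dgram_socket(const char *path, int connect_self)
{
    struct sockaddr_un addr;
    int fd;

    if (make_addr(&addr, path) < 0)
        return -1;
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    unlink(path);                       /* drop a stale socket file */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto fail;
    /* connect() to our own address: the socket's peer is now itself */
    if (connect_self &&
        connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto fail;
    return fd;
fail:
    close(fd);
    unlink(path);
    return -1;
}

/* Send `msg` to ourselves and read it back; returns 1 if it came back
 * intact, 0 otherwise.  With connect_self == 0 the destination is given
 * per message via sendto(), and the kernel resolves it to the same socket. */
int self_peer_roundtrip(const char *path, const char *msg, int connect_self)
{
    struct sockaddr_un addr;
    char buf[256];
    ssize_t sent, got;
    int fd, ok = 0;

    if (make_addr(&addr, path) < 0)
        return 0;
    fd = bound_dgram_socket(path, connect_self);
    if (fd < 0)
        return 0;

    if (connect_self)
        sent = send(fd, msg, strlen(msg), 0);
    else
        sent = sendto(fd, msg, strlen(msg), 0,
                      (struct sockaddr *)&addr, sizeof(addr));
    if (sent == (ssize_t)strlen(msg)) {
        got = recv(fd, buf, sizeof(buf), 0);   /* our own receive queue */
        ok = got == sent && memcmp(buf, msg, (size_t)got) == 0;
    }
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    const char *path = "/tmp/unix-self-peer-example.sock";   /* constructed */

    printf("connect()ed to self:  %s\n",
           self_peer_roundtrip(path, "hello, me", 1) ? "ok" : "failed");
    printf("sendto() own address: %s\n",
           self_peer_roundtrip(path, "hello again", 0) ? "ok" : "failed");
    return 0;
}
```

Run it as an unprivileged user on any Linux box; both lines should print "ok". The connect() variant is the one literally called "peered" in the commit message (the socket's stored peer is itself), while the sendto() variant reaches the same sk == other situation without a stored peer, which is worth keeping in mind when reading the `unix_peer(other) != sk` style checks around the blocked-sender path.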