| Message ID | 20210810183122.518941-1-Rao.Shoaib@oracle.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | af_unix: Add OOB support | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | warning | 5 maintainers not CCed: christian.brauner@ubuntu.com kuba@kernel.org cong.wang@bytedance.com ast@kernel.org mszeredi@redhat.com |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 4 this patch: 4 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 56 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 4 this patch: 4 |
| netdev/header_inline | success | Link |
On Tue, 10 Aug 2021 11:31:22 -0700 Rao Shoaib wrote: > From: Rao Shoaib <rao.shoaib@oracle.com> > > syzkaller found that OOB code was holding spinlock > while calling a function in which it could sleep. > > Reported-by: syzbot+8760ca6c1ee783ac4abd@syzkaller.appspotmail.com > Fixes: 314001f0bf92 ("af_unix: Add OOB support") > No new lines between tags please. > Signed-off-by: Rao Shoaib <rao.shoaib@oracle.com> Would you mind resending with a better subject? Something like "af_unix: fix possible sleep under spinlock in oob handling"?
Sure will do. Shoaib On 8/11/21 2:55 PM, Jakub Kicinski wrote: > On Tue, 10 Aug 2021 11:31:22 -0700 Rao Shoaib wrote: >> From: Rao Shoaib <rao.shoaib@oracle.com> >> >> syzkaller found that OOB code was holding spinlock >> while calling a function in which it could sleep. >> >> Reported-by: syzbot+8760ca6c1ee783ac4abd@syzkaller.appspotmail.com >> Fixes: 314001f0bf92 ("af_unix: Add OOB support") >> > No new lines between tags please. > >> Signed-off-by: Rao Shoaib <rao.shoaib@oracle.com> > Would you mind resending with a better subject? Something like > "af_unix: fix possible sleep under spinlock in oob handling"?
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 00d8b08cdbe1..a626e52c629a 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -2362,19 +2362,37 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state) struct sock *sk = sock->sk; struct unix_sock *u = unix_sk(sk); int chunk = 1; + struct sk_buff *oob_skb; - if (sock_flag(sk, SOCK_URGINLINE) || !u->oob_skb) + mutex_lock(&u->iolock); + unix_state_lock(sk); + + if (sock_flag(sk, SOCK_URGINLINE) || !u->oob_skb) { + unix_state_unlock(sk); + mutex_unlock(&u->iolock); return -EINVAL; + } - chunk = state->recv_actor(u->oob_skb, 0, chunk, state); - if (chunk < 0) - return -EFAULT; + oob_skb = u->oob_skb; if (!(state->flags & MSG_PEEK)) { - UNIXCB(u->oob_skb).consumed += 1; - kfree_skb(u->oob_skb); u->oob_skb = NULL; } + + unix_state_unlock(sk); + + chunk = state->recv_actor(oob_skb, 0, chunk, state); + + if (!(state->flags & MSG_PEEK)) { + UNIXCB(oob_skb).consumed += 1; + kfree_skb(oob_skb); + } + + mutex_unlock(&u->iolock); + + if (chunk < 0) + return -EFAULT; + state->msg->msg_flags |= MSG_OOB; return 1; } @@ -2434,13 +2452,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, if (unlikely(flags & MSG_OOB)) { err = -EOPNOTSUPP; #if IS_ENABLED(CONFIG_AF_UNIX_OOB) - mutex_lock(&u->iolock); - unix_state_lock(sk); - err = unix_stream_recv_urg(state); - - unix_state_unlock(sk); - mutex_unlock(&u->iolock); #endif goto out; }