Date: Mon, 16 Jul 2018 12:09:15 +0200
From: Stefano Brivio
To: Ursula Braun
Cc: davem@davemloft.net, netdev@vger.kernel.org, linux-s390@vger.kernel.org, schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com, raspl@linux.ibm.com, linux-kernel@vger.kernel.org, eric.dumazet@gmail.com, lifeasageek@gmail.com
Subject: Re: [PATCH net 1/4] net/smc: take sock lock in smc_ioctl()
Message-ID: <20180716120915.09d35dc0@epycfail>
In-Reply-To: <20180716100101.79272-1-ubraun@linux.ibm.com>
References: <20180716100101.79272-1-ubraun@linux.ibm.com>
Organization: Red Hat
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 16 Jul 2018 12:01:01 +0200 Ursula Braun wrote:

> From: Ursula Braun
>
> SMC ioctl processing requires the sock lock to work properly in
> all thinkable scenarios.
> Problem has been found with RaceFuzzer and fixes:
> KASAN: null-ptr-deref Read in smc_ioctl
>
> Reported-by: Byoungyoung Lee
> Reported-by: syzbot+35b2c5aa76fd398b9fd4@syzkaller.appspotmail.com
> Signed-off-by: Ursula Braun
> ---
> net/smc/af_smc.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
> index 5334157f5065..a4381b38a521 100644
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -1524,6 +1524,7 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd, > return -EBADF; > return smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg); > } > + lock_sock(&smc->sk); > switch (cmd) { > case SIOCINQ: /* same as FIONREAD */ > if (smc->sk.sk_state == SMC_LISTEN) return -EINVAL; you should also unlock here, and: case SIOCOUTQ: /* output queue size (not send + not acked) */ if (smc->sk.sk_state == SMC_LISTEN) return -EINVAL; here, and: case SIOCOUTQNSD: /* output queue size (not send only) */ if (smc->sk.sk_state == SMC_LISTEN) return -EINVAL; here, and: case SIOCATMARK: if (smc->sk.sk_state == SMC_LISTEN) return -EINVAL; here. -- Stefano
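Review bot: the `lock_sock(&smc->sk);` inserted just before `switch (cmd)` is not paired with a release on the early exits inside the switch; with this hunk applied, the SIOCINQ arm's `if (smc->sk.sk_state == SMC_LISTEN) return -EINVAL;` returns to the caller with the sock lock still owned, and the same holds for the SIOCOUTQ, SIOCOUTQNSD and SIOCATMARK arms quoted in the reply above. Because lock_sock() is not recursive, the next lock_sock() on that socket, from this task or any other, sleeps forever on the owned lock, and lockdep will also flag the lock as held on return to user space. Rather than adding a release_sock() in front of each of the four returns, consider storing the error in a local rc and using `break` so that one release_sock(&smc->sk) after the switch covers every path; that keeps a future case arm from repeating the same slip, and the diffstat of 3 insertions suggests the trailing release exists only for the fall-through path today.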