Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp839681imu;
        Fri, 11 Jan 2019 09:57:23 -0800 (PST)
X-Google-Smtp-Source: ALg8bN7UyzlleAFZZTyIc03NzLKe9QNGMmJgnjn567JoWrmNG0J4oR/ChJjzv18dEVWAoiF50tlG
X-Received: by 2002:a17:902:7044:: with SMTP id h4mr15397453plt.35.1547229443407;
        Fri, 11 Jan 2019 09:57:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547229443; cv=none;
        d=google.com; s=arc-20160816;
        b=0Y6LZUbtWMkRi0KbibNPSGhqtNTUh4DbSz7FYYW/1ptG2NV4KHKGrzsM87Qm9d9lFr
         wceQ2tI/fKA08uiB+qvYzu9uAGcx41Ucga/A2vFzp3qV+c62PCyFTdDci6xWC4vHtU5y
         iG33AjVSU0WsXx2w5r8c3i9UO5oNe97h6XzhyoF+bY39Sv8XUJW2lyua1v4OezueqNHf
         4PIKDLoe4iH4sXZJ7FU/OSILSpdAHg3nYyo59gYg7lurYleY0g1EgFY62FjSgdbH+F+A
         tP7TidNnMDok2bh5wobq8F0EOdAV1NGcnkxAoCWHzDUei6csCCb3Anxi9676HgYQj2Nh
         OawA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=PX4ySpG70l8a4kNDkkBsqR3W5hADu1aDQQWCLWHLrrk=;
        b=NQ9bHQ62YRzkSvmoJoryouhDfpDAFgFs/Oc8BBiOMPmQihhVgfiCsWIJZe0TQ1+RQ0
         LtZsXSse21+t4U2HO0HWm3wWQ3KTjBIfZh6RmX5aDS+vWggGVpWWXnP/bA3qzNahsy5n
         z5L6M7OgKRcoL8eG1JcCnZfH6MiCrhOb+hoyusu+x2RRHHSFn/hNMhwqNzaHRc6JiL51
         jMYPTSf4jq2LaemevNPAD/EQHcmqJqwuh0h2F8zACCbsy8I0seLGSzEoWs1w2M8sAoZq
         8FcAPKtaaxXk50XjvxfShJUmPaua2tyjerdGDJOHP7qn1GHGVyW3jwE6ohSp1bYl7pBz
         0/XA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=S7QJjwer;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d23si72579829pgm.559.2019.01.11.09.57.07;
        Fri, 11 Jan 2019 09:57:23 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=S7QJjwer;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1733191AbfAKOO7 (ORCPT <rfc822;morganleezd2003@gmail.com>
        + 99 others); Fri, 11 Jan 2019 09:14:59 -0500
Received: from mail.kernel.org ([198.145.29.99]:58868 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1733178AbfAKOO4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 11 Jan 2019 09:14:56 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id D9163217D6;
        Fri, 11 Jan 2019 14:14:54 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1547216095;
        bh=V+pdW+o0NrhshV+EF77I4bvVNnyyMy4/2Kqz/joJmIw=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=S7QJjwerdhNIv/PaIit6i8ZGgdxtnImVUiLr884anUzbweBI0VLi4/n3tqwIvO2X0
         UXJuZzJHTJphkNfBlT3jV3DyMe/s3gq27esifSp84EybHYNiXG1Iwwqd8FWPxF6j+j
         Iik6seKCg+cw2NP11GOgGy7D2qjz3LgehhNeJigQ=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Cong Wang <xiyou.wangcong@gmail.com>,
        "David S. Miller" <davem@davemloft.net>,
        syzbot+f621cda8b7e598908efa@syzkaller.appspotmail.com
Subject: [PATCH 3.18 12/47] netrom: fix locking in nr_find_socket()
Date:   Fri, 11 Jan 2019 15:07:57 +0100
Message-Id: <20190111130957.608361184@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190111130956.170952125@linuxfoundation.org>
References: <20190111130956.170952125@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit 7314f5480f3e37e570104dc5e0f28823ef849e72 ]

nr_find_socket(), nr_find_peer() and nr_find_listener() lock the
sock after finding it in the global list. However, the call path
requires BH disabled for the sock lock consistently.

Actually the locking is unnecessary at this point, we can just hold
the sock refcnt to make sure it is not gone after we unlock the global
list, and lock it later only when needed.

Reported-and-tested-by: syzbot+f621cda8b7e598908efa@syzkaller.appspotmail.com
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netrom/af_netrom.c |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax2
 	sk_for_each(s, &nr_list)
 		if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
 		    s->sk_state == TCP_LISTEN) {
-			bh_lock_sock(s);
+			sock_hold(s);
 			goto found;
 		}
 	s = NULL;
@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsig
 		struct nr_sock *nr = nr_sk(s);
 
 		if (nr->my_index == index && nr->my_id == id) {
-			bh_lock_sock(s);
+			sock_hold(s);
 			goto found;
 		}
 	}
@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigne
 
 		if (nr->your_index == index && nr->your_id == id &&
 		    !ax25cmp(&nr->dest_addr, dest)) {
-			bh_lock_sock(s);
+			sock_hold(s);
 			goto found;
 		}
 	}
@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circu
 		if (i != 0 && j != 0) {
 			if ((sk=nr_find_socket(i, j)) == NULL)
 				break;
-			bh_unlock_sock(sk);
+			sock_put(sk);
 		}
 
 		id++;
@@ -918,6 +918,7 @@ int nr_rx_frame(struct sk_buff *skb, str
 	}
 
 	if (sk != NULL) {
+		bh_lock_sock(sk);
 		skb_reset_transport_header(skb);
 
 		if (frametype == NR_CONNACK && skb->len == 22)
@@ -927,6 +928,7 @@ int nr_rx_frame(struct sk_buff *skb, str
 
 		ret = nr_process_rx_frame(sk, skb);
 		bh_unlock_sock(sk);
+		sock_put(sk);
 		return ret;
 	}
 
@@ -958,10 +960,12 @@ int nr_rx_frame(struct sk_buff *skb, str
 	    (make = nr_make_new(sk)) == NULL) {
 		nr_transmit_refusal(skb, 0);
 		if (sk)
-			bh_unlock_sock(sk);
+			sock_put(sk);
 		return 0;
 	}
 
+	bh_lock_sock(sk);
+
 	window = skb->data[20];
 
 	skb->sk             = make;
@@ -1014,6 +1018,7 @@ int nr_rx_frame(struct sk_buff *skb, str
 		sk->sk_data_ready(sk);
 
 	bh_unlock_sock(sk);
+	sock_put(sk);
 
 	nr_insert_socket(make);