[PATCH] sock: Fix sk_sleep return invalid pointer
From: <hidden>
Date: 2023-08-22 13:05:04
Also in: linux-hams
Subsystem: networking [general], the rest
Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds
From: Edward AD <redacted>

The parameter sk_sleep(sk) passed in when calling prepare_to_wait may return an invalid pointer due to nr_release reclaiming the sock. Here, schedule_timeout_interruptible is used to replace the combination of 'prepare_to_wait, schedule, finish_wait' to solve the problem.

Reported-and-tested-by: syzbot+666c97e4686410e79649@syzkaller.appspotmail.com
Signed-off-by: Edward AD <redacted>
---
 net/netrom/af_netrom.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index eb8ccbd58d..c84a4c65b3 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c@@ -732,23 +732,18 @@ static int nr_connect(struct socket *sock, struct sockaddr *uaddr, * closed. */ if (sk->sk_state == TCP_SYN_SENT) { - DEFINE_WAIT(wait); - for (;;) { - prepare_to_wait(sk_sleep(sk), &wait, - TASK_INTERRUPTIBLE); if (sk->sk_state != TCP_SYN_SENT) break; if (!signal_pending(current)) { release_sock(sk); - schedule(); + schedule_timeout_interruptible(HZ); lock_sock(sk); continue; } err = -ERESTARTSYS; break; } - finish_wait(sk_sleep(sk), &wait); if (err) goto out_release; }
@@ -772,7 +767,6 @@ static int nr_accept(struct socket *sock, struct socket *newsock, int flags, { struct sk_buff *skb; struct sock *newsk; - DEFINE_WAIT(wait); struct sock *sk; int err = 0;
@@ -795,7 +789,6 @@ static int nr_accept(struct socket *sock, struct socket *newsock, int flags, * hooked into the SABM we saved */ for (;;) { - prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); skb = skb_dequeue(&sk->sk_receive_queue); if (skb) break;
@@ -806,14 +799,13 @@ static int nr_accept(struct socket *sock, struct socket *newsock, int flags, } if (!signal_pending(current)) { release_sock(sk); - schedule(); + schedule_timeout_uninterruptible(HZ); lock_sock(sk); continue; } err = -ERESTARTSYS; break; } - finish_wait(sk_sleep(sk), &wait); if (err) goto out_release;
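Review bot: In the nr_connect hunk (@@ -732,23 +732,18 @@), replacing the wait-queue sleep with schedule_timeout_interruptible(HZ) does not remove the underlying use of a sock that, per the commit message, nr_release can reclaim: after release_sock(sk) and the timed sleep, the loop still calls lock_sock(sk) and rereads sk->sk_state, so if the sock can be freed in that window the dereference remains, only the sk_sleep(sk) reference is gone. The fix that addresses the stated cause is to keep the sock alive across the wait (a held reference, or ensuring nr_release cannot complete while a connect is pending), not to stop using the wait queue. As written, the task is also no longer on sk_sleep(sk), so the state change to anything other than TCP_SYN_SENT no longer wakes it and connect() completion is delayed by up to HZ on every iteration of the polling loop.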
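Review bot: In the first nr_accept hunk (@@ -795,7 +789,6 @@), dropping prepare_to_wait() before skb_dequeue(&sk->sk_receive_queue) opens a lost-wakeup window: a connection queued after the dequeue check but before the sleep in the following hunk is not noticed until the HZ timeout expires, since the task is no longer registered on the wait queue when the queue is checked. The prepare_to_wait/check/schedule ordering existed precisely to close this window; if the wait queue must be avoided, the check-then-sleep sequence needs an equivalent guarantee, otherwise accept() latency becomes up to one second per queued connection.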
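Review bot: In the second nr_accept hunk (@@ -806,14 +799,13 @@), schedule_timeout_uninterruptible(HZ) contradicts both the commit message, which says schedule_timeout_interruptible is used, and the signal_pending(current) check that precedes it: an uninterruptible sleep is not woken by a signal, so a signal arriving during the sleep is only seen up to HZ later, and the task sits in TASK_UNINTERRUPTIBLE while blocked in accept(). The nr_connect hunk uses schedule_timeout_interruptible(HZ) for the same pattern; this line should match it, e.g. `+ schedule_timeout_interruptible(HZ);`, if the timed-sleep approach is kept at all. The same lock_sock(sk)-after-sleep concern as in nr_connect applies here.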
--
2.25.1