
[PATCH] sock: Fix sk_sleep return invalid pointer

From: <hidden>
Date: 2023-08-22 13:05:04
Also in: linux-hams
Subsystem: networking [general], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds

From: Edward AD <redacted>

The sk_sleep(sk) argument passed to prepare_to_wait may be an invalid pointer because nr_release has reclaimed the sock.
Here, schedule_timeout_interruptible replaces the combination of 'prepare_to_wait, schedule, finish_wait' to solve the problem.

Reported-and-tested-by: syzbot+666c97e4686410e79649@syzkaller.appspotmail.com
Signed-off-by: Edward AD <redacted>
---
 net/netrom/af_netrom.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index eb8ccbd58d..c84a4c65b3 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -732,23 +732,18 @@ static int nr_connect(struct socket *sock, struct sockaddr *uaddr,
 	 * closed.
 	 */
 	if (sk->sk_state == TCP_SYN_SENT) {
-		DEFINE_WAIT(wait);
-
 		for (;;) {
-			prepare_to_wait(sk_sleep(sk), &wait,
-					TASK_INTERRUPTIBLE);
 			if (sk->sk_state != TCP_SYN_SENT)
 				break;
 			if (!signal_pending(current)) {
 				release_sock(sk);
-				schedule();
+				schedule_timeout_interruptible(HZ);
 				lock_sock(sk);
 				continue;
 			}
 			err = -ERESTARTSYS;
 			break;
 		}
-		finish_wait(sk_sleep(sk), &wait);
 		if (err)
 			goto out_release;
 	}
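Review bot: Dropping the wait-queue registration turns the loop at lines 33-47 into a poll: a completed or failed connection is only noticed when the HZ timeout expires, so nr_connect gains up to one second of latency instead of being woken when sk_state changes, and the nr_accept loop in the last hunk has the same property. It also does not look like the reported problem is closed here: if nr_release can free the sock while this task has dropped the lock, `lock_sock(sk)` and `sk->sk_state` on the next iteration dereference the same freed object that `sk_sleep(sk)` did, so the wait queue was not the only dangling access. The underlying issue appears to be that the socket is not kept alive, or the release not serialised, across the unlocked wait, which is where a fix would belong rather than in the wakeup mechanism. Whichever way it goes, the new line 41 deserves a comment such as `/* no wait queue here: re-check the state once per second */`. nr_connect starts before and ends after this hunk.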
@@ -772,7 +767,6 @@ static int nr_accept(struct socket *sock, struct socket *newsock, int flags,
 {
 	struct sk_buff *skb;
 	struct sock *newsk;
-	DEFINE_WAIT(wait);
 	struct sock *sk;
 	int err = 0;
 
@@ -795,7 +789,6 @@ static int nr_accept(struct socket *sock, struct socket *newsock, int flags,
 	 *	hooked into the SABM we saved
 	 */
 	for (;;) {
-		prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
 		skb = skb_dequeue(&sk->sk_receive_queue);
 		if (skb)
 			break;
@@ -806,14 +799,13 @@ static int nr_accept(struct socket *sock, struct socket *newsock, int flags,
 		}
 		if (!signal_pending(current)) {
 			release_sock(sk);
-			schedule();
+			schedule_timeout_uninterruptible(HZ);
 			lock_sock(sk);
 			continue;
 		}
 		err = -ERESTARTSYS;
 		break;
 	}
-	finish_wait(sk_sleep(sk), &wait);
 	if (err)
 		goto out_release;
 
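Review bot: `schedule_timeout_uninterruptible(HZ)` on the new line 73 conflicts with the `signal_pending(current)` test two lines above it: an uninterruptible sleep is not woken by a signal, so a pending signal is only acted on after the full HZ timeout, and the sleeping task is counted as uninterruptible for load-average purposes while it waits. The connect path in the first hunk uses `schedule_timeout_interruptible(HZ)`, which is what this loop's signal check expects, so the line should read `schedule_timeout_interruptible(HZ);`. Like nr_connect, the loop now polls the receive queue once per second instead of being woken by an arriving skb, which is worth a comment at line 73 if the polling is intentional. nr_accept starts before and ends after this hunk.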
-- 
2.25.1