summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHannes Frederic Sowa <hannes@stressinduktion.org>2015-11-16 18:25:56 +0300
committerDavid S. Miller <davem@davemloft.net>2015-11-16 23:39:35 +0300
commit8844f97238ca6c1ca92a5d6c69f53efd361a266f (patch)
treeae78e41bca38aa8c0b35fa0065ed117516df2418
parent24cb7055a3066634a0f3fa0cd6a4780652905d35 (diff)
downloadlinux-8844f97238ca6c1ca92a5d6c69f53efd361a266f.tar.xz
af_unix: don't append consumed skbs to sk_receive_queue
In case multiple writes to a unix stream socket race we could end up in a situation where we pre-allocate a new skb for use in unix_stream_sendpage but have to free it again in the locked section because another skb has been appended meanwhile, which we must use. Accidentally we didn't clear the pointer after consuming it and so we touched freed memory while appending it to the sk_receive_queue. So, clear the pointer after consuming the skb. This bug has been found with syzkaller (http://github.com/google/syzkaller) by Dmitry Vyukov. Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support") Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/unix/af_unix.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 12b886f07982..a8352db5c5b5 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1800,6 +1800,7 @@ alloc_skb:
* this - does no harm
*/
consume_skb(newskb);
+ newskb = NULL;
}
if (skb_append_pagefrags(skb, page, offset, size)) {