• Cong Wang's avatar
    socket: close race condition between sock_close() and sockfs_setattr() · 6d8c50dc
    Cong Wang authored
    fchownat() doesn't even hold refcnt of fd until it figures out
    fd is really needed (otherwise is ignored) and releases it after
    it resolves the path. This means sock_close() could race with
    sockfs_setattr(), which leads to a NULL pointer dereference
    since typically we set sock->sk to NULL in ->release().
    
    As pointed out by Al, this is unique to sockfs. So we can fix this
    in socket layer by acquiring inode_lock in sock_close() and
    checking against NULL in sockfs_setattr().
    
    sock_release() is called in many places, only the sock_close()
    path matters here. And fortunately, this should not affect normal
    sock_close() as it is only called when the last fd refcnt is gone.
    It only affects sock_close() with a parallel sockfs_setattr() in
    progress, which is not common.
    
    Fixes: 86741ec2 ("net: core: Add a UID field to struct sock.")
    Reported-by: default avatarshankarapailoor <shankarapailoor@gmail.com>
    Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
    Cc: Lorenzo Colitti <lorenzo@google.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    6d8c50dc
Name
Last commit
Last update
Documentation Loading commit data...
LICENSES Loading commit data...
arch Loading commit data...
block Loading commit data...
certs Loading commit data...
crypto Loading commit data...
drivers Loading commit data...
firmware Loading commit data...
fs Loading commit data...
include Loading commit data...
init Loading commit data...
ipc Loading commit data...
kernel Loading commit data...
lib Loading commit data...
mm Loading commit data...
net Loading commit data...
samples Loading commit data...
scripts Loading commit data...
security Loading commit data...
sound Loading commit data...
tools Loading commit data...
usr Loading commit data...
virt Loading commit data...
.clang-format Loading commit data...
.cocciconfig Loading commit data...
.get_maintainer.ignore Loading commit data...
.gitattributes Loading commit data...
.gitignore Loading commit data...
.mailmap Loading commit data...
COPYING Loading commit data...
CREDITS Loading commit data...
Kbuild Loading commit data...
Kconfig Loading commit data...
MAINTAINERS Loading commit data...
Makefile Loading commit data...
README Loading commit data...