net/unix: sk_socket can disappear when state is unlocked

got a rare NULL pointer dereference in clear_bit Signed-off-by: Mark Salyzyn <salyzyn@google.com> Bug: 21252747 [cherry-picked from https://review.lineageos.org/#/c/160491/ fixed a typo to compile, typo wasn't exist in upstream] Signed-off-by: Pavel Malyutin <pavel.malyutin@gmail.com> Change-Id: I27e70f2543034097c8a590a212c2c6fa846fe694
mdmower · Feb 27, 2017 · b34e47b · b34e47b
1 parent 27631e0
commit b34e47b
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
@@ -333,6 +333,10 @@ static long caif_stream_data_wait(struct sock *sk, long timeo)
 		release_sock(sk);
 		timeo = schedule_timeout(timeo);
 		lock_sock(sk);
+
+		if (sock_flag(sk, SOCK_DEAD))
+			break;
+
 		clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);
 	}
 
@@ -377,6 +381,10 @@ static int caif_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
 		struct sk_buff *skb;
 
 		lock_sock(sk);
+		if (sock_flag(sk, SOCK_DEAD)) {
+			err = -ECONNRESET;
+			goto unlock;
+		}
 		skb = skb_dequeue(&sk->sk_receive_queue);
 		caif_check_flow_release(sk);
 

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
@@ -2042,6 +2042,10 @@ static long unix_stream_data_wait(struct sock *sk, long timeo)
 		unix_state_unlock(sk);
 		timeo = freezable_schedule_timeout(timeo);
 		unix_state_lock(sk);
+
+		if (sock_flag(sk, SOCK_DEAD))
+			break;
+
 		clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);
 	}
 
@@ -2105,6 +2109,10 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
 		struct sk_buff *skb;
 
 		unix_state_lock(sk);
+		if (sock_flag(sk, SOCK_DEAD)) {
+			err = -ECONNRESET;
+			goto unlock;
+		}
 		skb = skb_peek(&sk->sk_receive_queue);
 again:
 		if (skb == NULL) {