git.baikalelectronics.ru Git - kernel.git/commit

author	Hannes Frederic Sowa <hannes@stressinduktion.org>
	Mon, 16 Nov 2015 15:25:56 +0000 (16:25 +0100)
committer	David S. Miller <davem@davemloft.net>
	Mon, 16 Nov 2015 20:39:35 +0000 (15:39 -0500)
commit	c0bb454d7d084efe3e3d167910601a496825347c
tree	ae78e41bca38aa8c0b35fa0065ed117516df2418	tree \| snapshot
parent	4fd1cf50994962a5726039aca5c9367d031012e9	commit \| diff

af_unix: don't append consumed skbs to sk_receive_queue

In case multiple writes to a unix stream socket race we could end up in a
situation where we pre-allocate a new skb for use in unix_stream_sendpage
but have to free it again in the locked section because another skb
has been appended meanwhile, which we must use. Accidentally we didn't
clear the pointer after consuming it and so we touched freed memory
while appending it to the sk_receive_queue. So, clear the pointer after
consuming the skb.

This bug has been found with syzkaller
(http://github.com/google/syzkaller) by Dmitry Vyukov.

Fixes: a32cdd043ebf ("net: af_unix: implement stream sendpage support")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>