Skip to content

Commit

Permalink
af_unix: don't append consumed skbs to sk_receive_queue
Browse files Browse the repository at this point in the history 
In case multiple writes to a unix stream socket race we could end up in a
situation where we pre-allocate a new skb for use in unix_stream_sendpage
but have to free it again in the locked section because another skb
has been appended meanwhile, which we must use. Accidentally we didn't
clear the pointer after consuming it and so we touched freed memory
while appending it to the sk_receive_queue. So, clear the pointer after
consuming the skb.

This bug has been found with syzkaller
(http://github.com/google/syzkaller) by Dmitry Vyukov.

Fixes: 869e7c6 ("net: af_unix: implement stream sendpage support")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Hannes Frederic Sowa authored and David S. Miller committed Nov 16, 2015
1 parent 24cb705 commit 8844f97
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/unix/af_unix.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1800,6 +1800,7 @@ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page,
* this - does no harm
*/
consume_skb(newskb);
newskb = NULL;
}

if (skb_append_pagefrags(skb, page, offset, size)) {
Expand Down

0 comments on commit 8844f97

Please sign in to comment.