linux

mirror of https://github.com/torvalds/linux synced 2024-11-05 18:23:50 +00:00

History

Wen Gu 0558226ceb net/smc: Fix slab-out-of-bounds issue in fallback syzbot reported a slab-out-of-bounds/use-after-free issue, which was caused by accessing an already freed smc sock in fallback-specific callback functions of clcsock. This patch fixes the issue by restoring fallback-specific callback functions to original ones and resetting clcsock sk_user_data to NULL before freeing smc sock. Meanwhile, this patch introduces sk_callback_lock to make the access and assignment to sk_user_data mutually exclusive. Reported-by: syzbot+b425899ed22c6943e00b@syzkaller.appspotmail.com Fixes: `341adeec9a` ("net/smc: Forward wakeup to smc socket waitqueue after fallback") Link: https://lore.kernel.org/r/00000000000013ca8105d7ae3ada@google.com/ Signed-off-by: Wen Gu <guwen@linux.alibaba.com> Acked-by: Karsten Graul <kgraul@linux.ibm.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>		2022-04-25 11:03:48 -07:00
..
af_smc.c	net/smc: Fix slab-out-of-bounds issue in fallback	2022-04-25 11:03:48 -07:00
Kconfig
Makefile
smc.h	net/smc: Only save the original clcsock callback functions	2022-04-25 11:03:48 -07:00
smc_cdc.c
smc_cdc.h
smc_clc.c	net/smc: use memcpy instead of snprintf to avoid out of bounds read	2022-04-11 18:28:02 -07:00
smc_clc.h
smc_close.c	net/smc: Fix slab-out-of-bounds issue in fallback	2022-04-25 11:03:48 -07:00
smc_close.h
smc_core.c
smc_core.h
smc_diag.c
smc_ib.c
smc_ib.h
smc_ism.c
smc_ism.h
smc_llc.c
smc_llc.h
smc_netlink.c
smc_netlink.h
smc_netns.h
smc_pnet.c	net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()	2022-04-11 18:28:03 -07:00
smc_pnet.h
smc_rx.c
smc_rx.h
smc_stats.c
smc_stats.h
smc_sysctl.c
smc_sysctl.h
smc_tracepoint.c
smc_tracepoint.h
smc_tx.c
smc_tx.h
smc_wr.c
smc_wr.h