| From: Cong Wang <xiyou.wangcong@gmail.com> |
| Date: Thu, 19 Apr 2018 21:54:34 -0700 |
| Subject: llc: fix NULL pointer deref for SOCK_ZAPPED |
| |
| commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f upstream. |
| |
| For a SOCK_ZAPPED socket, we don't need to care about llc->sap, |
| so we should just skip these refcount functions in this case. |
| |
| Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()") |
| Reported-by: kernel test robot <lkp@intel.com> |
| Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/llc/af_llc.c | 21 ++++++++++++--------- |
| 1 file changed, 12 insertions(+), 9 deletions(-) |
| |
| --- a/net/llc/af_llc.c |
| +++ b/net/llc/af_llc.c |
| @@ -187,7 +187,6 @@ static int llc_ui_release(struct socket |
| { |
| struct sock *sk = sock->sk; |
| struct llc_sock *llc; |
| - struct llc_sap *sap; |
| |
| if (unlikely(sk == NULL)) |
| goto out; |
| @@ -198,15 +197,19 @@ static int llc_ui_release(struct socket |
| llc->laddr.lsap, llc->daddr.lsap); |
| if (!llc_send_disc(sk)) |
| llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo); |
| - sap = llc->sap; |
| - /* Hold this for release_sock(), so that llc_backlog_rcv() could still |
| - * use it. |
| - */ |
| - llc_sap_hold(sap); |
| - if (!sock_flag(sk, SOCK_ZAPPED)) |
| + if (!sock_flag(sk, SOCK_ZAPPED)) { |
| + struct llc_sap *sap = llc->sap; |
| + |
| + /* Hold this for release_sock(), so that llc_backlog_rcv() |
| + * could still use it. |
| + */ |
| + llc_sap_hold(sap); |
| llc_sap_remove_socket(llc->sap, sk); |
| - release_sock(sk); |
| - llc_sap_put(sap); |
| + release_sock(sk); |
| + llc_sap_put(sap); |
| + } else { |
| + release_sock(sk); |
| + } |
| if (llc->dev) |
| dev_put(llc->dev); |
| sock_put(sk); |
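Review bot: `llc_sap_remove_socket(llc->sap, sk);` inside the new `if (!sock_flag(sk, SOCK_ZAPPED))` block still re-reads `llc->sap` even though the local `sap` assigned two lines earlier holds the same pointer and is the object that `llc_sap_hold()` and `llc_sap_put()` bracket; `llc_sap_remove_socket(sap, sk);` would make it visible that the removed, held and put object are one and the same. The hold has to happen before `release_sock()` so that `llc_backlog_rcv()` can still use the sap, as the retained comment says, which is why the `llc_sap_put(sap)` after the unlock must use the saved local rather than `llc->sap`. The `release_sock(sk);` duplicated in both branches appears deliberate so the put is the last step after the lock is dropped; a one-line comment on the `else` branch, `/* SOCK_ZAPPED: no sap was taken for this socket, nothing to hold or put */`, would record why the zapped path skips the refcounting (the commit message implies llc->sap is not valid there, but the hunk itself does not show it). llc_ui_release's body continues beyond the hunk on both sides.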