summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCong Wang <cong.wang@bytedance.com>2021-07-23 21:36:30 +0300
committerAndrii Nakryiko <andrii@kernel.org>2021-07-30 22:40:55 +0300
commit0b846445985895e75958ecd59061fd7bf77e0c3f (patch)
tree47178f8be372abbc3a48077329f45c5cfaf2fc5a
parenta710eed386f182fcbfe517b659f60024fdb7c40c (diff)
downloadlinux-0b846445985895e75958ecd59061fd7bf77e0c3f.tar.xz
unix_bpf: Fix a potential deadlock in unix_dgram_bpf_recvmsg()
As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock too, so we have to release it before calling this function. Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()") Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Cong Wang <cong.wang@bytedance.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: Jakub Sitnicki <jakub@cloudflare.com> Acked-by: John Fastabend <john.fastabend@gmail.com>
-rw-r--r--net/unix/unix_bpf.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
index db0cda29fb2f..177e883f451e 100644
--- a/net/unix/unix_bpf.c
+++ b/net/unix/unix_bpf.c
@@ -44,7 +44,7 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
{
struct unix_sock *u = unix_sk(sk);
struct sk_psock *psock;
- int copied, ret;
+ int copied;
psock = sk_psock_get(sk);
if (unlikely(!psock))
@@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
mutex_lock(&u->iolock);
if (!skb_queue_empty(&sk->sk_receive_queue) &&
sk_psock_queue_empty(psock)) {
- ret = __unix_dgram_recvmsg(sk, msg, len, flags);
- goto out;
+ mutex_unlock(&u->iolock);
+ sk_psock_put(sk, psock);
+ return __unix_dgram_recvmsg(sk, msg, len, flags);
}
msg_bytes_ready:
@@ -68,16 +69,15 @@ msg_bytes_ready:
if (data) {
if (!sk_psock_queue_empty(psock))
goto msg_bytes_ready;
- ret = __unix_dgram_recvmsg(sk, msg, len, flags);
- goto out;
+ mutex_unlock(&u->iolock);
+ sk_psock_put(sk, psock);
+ return __unix_dgram_recvmsg(sk, msg, len, flags);
}
copied = -EAGAIN;
}
- ret = copied;
-out:
mutex_unlock(&u->iolock);
sk_psock_put(sk, psock);
- return ret;
+ return copied;
}
static struct proto *unix_prot_saved __read_mostly;