Re: [PATCH] af_unix: missing lock releases in af_unix.c

From: Shoaib Rao
Date: Mon Jan 03 2022 - 13:47:55 EST

Next message: Al Viro: "Re: [RFC PATCH 0/8] signals: Support more than 64 signals"
Previous message: Leon Romanovsky: "Re: [syzbot] KASAN: use-after-free Read in ucma_destroy_private_ctx"
Next in thread: Ryan Cai: "Re: [PATCH] af_unix: missing lock releases in af_unix.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 1/3/22 05:58, Ryan Cai wrote:

In method __unix_dgram_recvmsg, the lock u->iolock is not released when skb is true and loop breaks.

Signed-off-by: Ryan Cai <ycaibb@xxxxxxxxx>
---
net/unix/af_unix.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index b0bfc78e421c..b97972948d9d 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2305,6 +2305,7 @@ int __unix_dgram_recvmsg(struct sock *sk, struct msghdr *msg, size_t size,
if (skb) {
if (!(flags & MSG_PEEK))
scm_stat_del(sk, skb);
+ mutex_unlock(&u->iolock);
break;
}

It seems to me that the unlock at the end will release the mutex?

out_free:
skb_free_datagram(sk, skb);
mutex_unlock(&u->iolock);

Shoaib

Next message: Al Viro: "Re: [RFC PATCH 0/8] signals: Support more than 64 signals"
Previous message: Leon Romanovsky: "Re: [syzbot] KASAN: use-after-free Read in ucma_destroy_private_ctx"
Next in thread: Ryan Cai: "Re: [PATCH] af_unix: missing lock releases in af_unix.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]