diff mbox series

[2/2] phonet/pep: fix racy skb_queue_empty() use

Message ID 20240210125054.71391-2-remi@remlab.net
State New
Headers
Series [1/2] phonet: take correct lock to peek at the RX queue |

Commit Message

Rémi Denis-Courmont Feb. 10, 2024, 12:50 p.m. UTC 
  From: Rémi Denis-Courmont <courmisch@gmail.com>

The receive queues are protected by their respective spin-lock, not
the socket lock. This could lead to skb_peek() unexpectedly
returning NULL or a pointer to an already dequeued socket buffer.

Signed-off-by: Rémi Denis-Courmont <courmisch@gmail.com>
---
 net/phonet/pep.c | 41 ++++++++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 9 deletions(-)

Comments

Paolo Abeni Feb. 13, 2024, 12:14 p.m. UTC | #1 
On Sat, 2024-02-10 at 14:50 +0200, Rémi Denis-Courmont wrote:
> From: Rémi Denis-Courmont <courmisch@gmail.com>
> 
> The receive queues are protected by their respective spin-lock, not
> the socket lock. This could lead to skb_peek() unexpectedly
> returning NULL or a pointer to an already dequeued socket buffer.
> 
> Signed-off-by: Rémi Denis-Courmont <courmisch@gmail.com>

Please provide a suitable fixes tag here.

Also include the target tree into the subj prefix when you post the v2.

Thank,

Paolo
diff mbox series

Patch

diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index faba31f2eff2..3dd5f52bc1b5 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -917,6 +917,37 @@  static int pep_sock_enable(struct sock *sk, struct sockaddr *addr, int len)
 	return 0;
 }
 
+static unsigned int pep_first_packet_length(struct sock *sk)
+{
+	struct pep_sock *pn = pep_sk(sk);
+	struct sk_buff_head *q;
+	struct sk_buff *skb;
+	unsigned int len = 0;
+	bool found = false;
+
+	if (sock_flag(sk, SOCK_URGINLINE)) {
+		q = &pn->ctrlreq_queue;
+		spin_lock_bh(&q->lock);
+		skb = skb_peek(q);
+		if (skb) {
+			len = skb->len;
+			found = true;
+		}
+		spin_unlock_bh(&q->lock);
+	}
+
+	if (likely(!found)) {
+		q = &sk->sk_receive_queue;
+		spin_lock_bh(&q->lock);
+		skb = skb_peek(q);
+		if (skb)
+			len = skb->len;
+		spin_unlock_bh(&q->lock);
+	}
+
+	return len;
+}
+
 static int pep_ioctl(struct sock *sk, int cmd, int *karg)
 {
 	struct pep_sock *pn = pep_sk(sk);
@@ -929,15 +960,7 @@  static int pep_ioctl(struct sock *sk, int cmd, int *karg)
 			break;
 		}
 
-		lock_sock(sk);
-		if (sock_flag(sk, SOCK_URGINLINE) &&
-		    !skb_queue_empty(&pn->ctrlreq_queue))
-			*karg = skb_peek(&pn->ctrlreq_queue)->len;
-		else if (!skb_queue_empty(&sk->sk_receive_queue))
-			*karg = skb_peek(&sk->sk_receive_queue)->len;
-		else
-			*karg = 0;
-		release_sock(sk);
+		*karg = pep_first_packet_length(sk);
 		ret = 0;
 		break;