Unverified Commit 7d9330d7 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!2085 af_unix: Fix null-ptr-deref in unix_stream_sendpage(). 

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/KV3D4JEOMSDYEK6CDBLGZMSDLAIRLK5G/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7Z7C9 
 
Link:https://gitee.com/openeuler/kernel/pulls/2085

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents 53809f3a d9de61f4

net/unix/af_unix.c

+4 −5
Original line number Diff line number Diff line
@@ -2118,6 +2118,7 @@ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, 


	if (false) {

alloc_skb:

		spin_unlock(&other->sk_receive_queue.lock);

		unix_state_unlock(other);

		mutex_unlock(&unix_sk(other)->iolock);

		newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
@@ -2157,6 +2158,7 @@ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, 
		init_scm = false;

	}



	spin_lock(&other->sk_receive_queue.lock);

	skb = skb_peek_tail(&other->sk_receive_queue);

	if (tail && tail == skb) {

		skb = newskb;
@@ -2187,14 +2189,11 @@ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, 
	refcount_add(size, &sk->sk_wmem_alloc);



	if (newskb) {

		err = unix_scm_to_skb(&scm, skb, false);

		if (err)

			goto err_state_unlock;

		spin_lock(&other->sk_receive_queue.lock);

		unix_scm_to_skb(&scm, skb, false);

		__skb_queue_tail(&other->sk_receive_queue, newskb);

		spin_unlock(&other->sk_receive_queue.lock);

	}



	spin_unlock(&other->sk_receive_queue.lock);

	unix_state_unlock(other);

	mutex_unlock(&unix_sk(other)->iolock);