Unverified Commit efde108a authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!2108 [sync] PR-2085: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/2085 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/KV3D4JEOMSDYEK6CDBLGZMSDLAIRLK5G/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7Z7C9 
 
Link:https://gitee.com/openeuler/kernel/pulls/2108

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents f9e2a161 0b92b0e7

net/unix/af_unix.c

+4 −5
Original line number Diff line number Diff line
@@ -2008,6 +2008,7 @@ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, 


	if (false) {

alloc_skb:

		spin_unlock(&other->sk_receive_queue.lock);

		unix_state_unlock(other);

		mutex_unlock(&unix_sk(other)->iolock);

		newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
@@ -2047,6 +2048,7 @@ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, 
		init_scm = false;

	}



	spin_lock(&other->sk_receive_queue.lock);

	skb = skb_peek_tail(&other->sk_receive_queue);

	if (tail && tail == skb) {

		skb = newskb;
@@ -2077,14 +2079,11 @@ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, 
	refcount_add(size, &sk->sk_wmem_alloc);



	if (newskb) {

		err = unix_scm_to_skb(&scm, skb, false);

		if (err)

			goto err_state_unlock;

		spin_lock(&other->sk_receive_queue.lock);

		unix_scm_to_skb(&scm, skb, false);

		__skb_queue_tail(&other->sk_receive_queue, newskb);

		spin_unlock(&other->sk_receive_queue.lock);

	}



	spin_unlock(&other->sk_receive_queue.lock);

	unix_state_unlock(other);

	mutex_unlock(&unix_sk(other)->iolock);