Message ID | 1590707126-16957-1-git-send-email-clew@codeaurora.org |
---|---|
State | New |
Headers | show |
Series | net: qrtr: Allocate workqueue before kernel_bind | expand |
On Thu, May 28, 2020 at 04:05:26PM -0700, Chris Lew wrote: > A null pointer dereference in qrtr_ns_data_ready() is seen if a client > opens a qrtr socket before qrtr_ns_init() can bind to the control port. > When the control port is bound, the ENETRESET error will be broadcasted > and clients will close their sockets. This results in DEL_CLIENT > packets being sent to the ns and qrtr_ns_data_ready() being called > without the workqueue being allocated. > > Allocate the workqueue before setting sk_data_ready and binding to the > control port. This ensures that the work and workqueue structs are > allocated and initialized before qrtr_ns_data_ready can be called. > > Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") > Signed-off-by: Chris Lew <clew@codeaurora.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Thanks, Mani > --- > net/qrtr/ns.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c > index e7d0fe3f4330..c5b3202a14ca 100644 > --- a/net/qrtr/ns.c > +++ b/net/qrtr/ns.c > @@ -712,6 +712,10 @@ void qrtr_ns_init(void) > goto err_sock; > } > > + qrtr_ns.workqueue = alloc_workqueue("qrtr_ns_handler", WQ_UNBOUND, 1); > + if (!qrtr_ns.workqueue) > + goto err_sock; > + > qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready; > > sq.sq_port = QRTR_PORT_CTRL; > @@ -720,17 +724,13 @@ void qrtr_ns_init(void) > ret = kernel_bind(qrtr_ns.sock, (struct sockaddr *)&sq, sizeof(sq)); > if (ret < 0) { > pr_err("failed to bind to socket\n"); > - goto err_sock; > + goto err_wq; > } > > qrtr_ns.bcast_sq.sq_family = AF_QIPCRTR; > qrtr_ns.bcast_sq.sq_node = QRTR_NODE_BCAST; > qrtr_ns.bcast_sq.sq_port = QRTR_PORT_CTRL; > > - qrtr_ns.workqueue = alloc_workqueue("qrtr_ns_handler", WQ_UNBOUND, 1); > - if (!qrtr_ns.workqueue) > - goto err_sock; > - > ret = say_hello(&qrtr_ns.bcast_sq); > if (ret < 0) > goto err_wq; > -- > The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, > a Linux Foundation Collaborative Project >
diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c index e7d0fe3f4330..c5b3202a14ca 100644 --- a/net/qrtr/ns.c +++ b/net/qrtr/ns.c @@ -712,6 +712,10 @@ void qrtr_ns_init(void) goto err_sock; } + qrtr_ns.workqueue = alloc_workqueue("qrtr_ns_handler", WQ_UNBOUND, 1); + if (!qrtr_ns.workqueue) + goto err_sock; + qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready; sq.sq_port = QRTR_PORT_CTRL; @@ -720,17 +724,13 @@ void qrtr_ns_init(void) ret = kernel_bind(qrtr_ns.sock, (struct sockaddr *)&sq, sizeof(sq)); if (ret < 0) { pr_err("failed to bind to socket\n"); - goto err_sock; + goto err_wq; } qrtr_ns.bcast_sq.sq_family = AF_QIPCRTR; qrtr_ns.bcast_sq.sq_node = QRTR_NODE_BCAST; qrtr_ns.bcast_sq.sq_port = QRTR_PORT_CTRL; - qrtr_ns.workqueue = alloc_workqueue("qrtr_ns_handler", WQ_UNBOUND, 1); - if (!qrtr_ns.workqueue) - goto err_sock; - ret = say_hello(&qrtr_ns.bcast_sq); if (ret < 0) goto err_wq;
A null pointer dereference in qrtr_ns_data_ready() is seen if a client opens a qrtr socket before qrtr_ns_init() can bind to the control port. When the control port is bound, the ENETRESET error will be broadcasted and clients will close their sockets. This results in DEL_CLIENT packets being sent to the ns and qrtr_ns_data_ready() being called without the workqueue being allocated. Allocate the workqueue before setting sk_data_ready and binding to the control port. This ensures that the work and workqueue structs are allocated and initialized before qrtr_ns_data_ready can be called. Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") Signed-off-by: Chris Lew <clew@codeaurora.org> --- net/qrtr/ns.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)