From patchwork Wed Oct 28 23:06:04 2015
X-Patchwork-Submitter: John Stultz
X-Patchwork-Id: 55735
From: John Stultz
To: Dmitry Shmidt
Cc: Amit Pundir, Mohamad Ayyash, John Stultz
Subject: [PATCH 3/5] xt_qtaguid: Use sk_callback_lock read locks before reading sk->sk_socket
Date: Wed, 28 Oct 2015 16:06:04 -0700
Message-Id: <1446073566-6401-4-git-send-email-john.stultz@linaro.org>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1446073566-6401-1-git-send-email-john.stultz@linaro.org>
References: <1446073566-6401-1-git-send-email-john.stultz@linaro.org>

From: Mohamad Ayyash

It prevents a kernel panic when accessing sk->sk_socket fields due to
NULLing sk->sk_socket when sock_orphan is called through
sk_common_release.

Change-Id: I4aa46b4e2d8600e4d4ef8dcdd363aa4e6e5f8433
Signed-off-by: Mohamad Ayyash
(cherry picked from commit cdea0ebcb8bcfe57688f6cb692b49e550ebd9796)
[jstultz: Cherry-picked from AmitP's tree]
Signed-off-by: John Stultz
---
 net/netfilter/xt_qtaguid.c | 5 +++++
 1 file changed, 5 insertions(+)

-- 
1.9.1

diff --git a/net/netfilter/xt_qtaguid.c b/net/netfilter/xt_qtaguid.c
index 9664bec..e33be3a 100644
--- a/net/netfilter/xt_qtaguid.c
+++ b/net/netfilter/xt_qtaguid.c
@@ -1658,6 +1658,7 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) struct sock *sk; kuid_t sock_uid; bool res; + bool set_sk_callback_lock = false; if (unlikely(module_passive)) return (info->match ^ info->invert) == 0; @@ -1715,6 +1716,8 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) MT_DEBUG("qtaguid[%d]: sk=%p got_sock=%d fam=%d proto=%d\n", par->hooknum, sk, got_sock, par->family, ipx_proto(skb, par)); if (sk != NULL) { + set_sk_callback_lock = true; + read_lock_bh(&sk->sk_callback_lock); MT_DEBUG("qtaguid[%d]: sk=%p->sk_socket=%p->file=%p\n", par->hooknum, sk, sk->sk_socket, sk->sk_socket ? sk->sk_socket->file : (void *)-1LL); @@ -1801,6 +1804,8 @@ static bool qtaguid_mt(const struct sk_buff *skb, struct xt_action_param *par) put_sock_ret_res: if (got_sock) xt_socket_put_sk(sk); + if (set_sk_callback_lock) + read_unlock_bh(&sk->sk_callback_lock); ret_res: MT_DEBUG("qtaguid[%d]: left %d\n", par->hooknum, res); return res;
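Review bot: in the last hunk, at put_sock_ret_res, read_unlock_bh(&sk->sk_callback_lock) runs after xt_socket_put_sk(sk). When got_sock is set and that put drops the last reference, the unlock dereferences a sock that may already be freed, which trades the NULL sk->sk_socket panic for a use-after-free. Swap the two blocks so the lock is released first and the reference is dropped second: `if (set_sk_callback_lock) read_unlock_bh(&sk->sk_callback_lock);` followed by `if (got_sock) xt_socket_put_sk(sk);`.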
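Review bot: in the second hunk, the read lock is taken right after `if (sk != NULL) {` but the only release is under put_sock_ret_res, and the ret_res label sits below that release. Any `goto ret_res` or direct return between the lock and put_sock_ret_res would leave sk_callback_lock held with bottom halves disabled, so please confirm that every exit after this point goes through put_sock_ret_res, and add a short comment at the lock site saying which sk->sk_socket reads it protects and where it is dropped. As a style point, set_sk_callback_lock reads like a setter; a name such as sk_callback_locked would describe the state it tracks.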