From: Cong Wang <cong.wang@bytedance.com>
Date: Fri, 23 Jul 2021 11:36:30 -0700
Subject: unix_bpf: Fix a potential deadlock in unix_dgram_bpf_recvmsg()
Patch-mainline: v5.15-rc1
Git-commit: 0b846445985895e75958ecd59061fd7bf77e0c3f
References: jsc#PED-1377
As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
too, so we have to release it before calling this function.
Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
---
net/unix/unix_bpf.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/net/unix/unix_bpf.c
+++ b/net/unix/unix_bpf.c
@@ -44,7 +44,7 @@ static int unix_dgram_bpf_recvmsg(struct
{
struct unix_sock *u = unix_sk(sk);
struct sk_psock *psock;
- int copied, ret;
+ int copied;
psock = sk_psock_get(sk);
if (unlikely(!psock))
@@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct
mutex_lock(&u->iolock);
if (!skb_queue_empty(&sk->sk_receive_queue) &&
sk_psock_queue_empty(psock)) {
- ret = __unix_dgram_recvmsg(sk, msg, len, flags);
- goto out;
+ mutex_unlock(&u->iolock);
+ sk_psock_put(sk, psock);
+ return __unix_dgram_recvmsg(sk, msg, len, flags);
}
msg_bytes_ready:
@@ -68,16 +69,15 @@ msg_bytes_ready:
if (data) {
if (!sk_psock_queue_empty(psock))
goto msg_bytes_ready;
- ret = __unix_dgram_recvmsg(sk, msg, len, flags);
- goto out;
+ mutex_unlock(&u->iolock);
+ sk_psock_put(sk, psock);
+ return __unix_dgram_recvmsg(sk, msg, len, flags);
}
copied = -EAGAIN;
}
- ret = copied;
-out:
mutex_unlock(&u->iolock);
sk_psock_put(sk, psock);
- return ret;
+ return copied;
}
static struct proto *unix_prot_saved __read_mostly;