af_unix: fix use-after-free in unix_stream_read_actor()
[platform/kernel/linux-rpi.git] / net / unix / af_unix.c
index 86930a8..3e6eeac 100644 (file)
@@ -680,7 +680,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
         *        What the above comment does talk about? --ANK(980817)
         */
 
-       if (unix_tot_inflight)
+       if (READ_ONCE(unix_tot_inflight))
                unix_gc();              /* Garbage collect fds */
 }
 
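Review bot: The `READ_ONCE(unix_tot_inflight)` marks a lockless read, but nothing at this site says which writers it pairs with or why a stale value is acceptable. The counter's updates are not visible in this hunk, so it is worth confirming they use `WRITE_ONCE()`, since the annotation only helps when both sides are marked. I would add `/* lockless hint only; a stale read just skips or triggers an extra unix_gc() */` above the test, assuming that is the intent. unix_release_sock() starts above this hunk.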
@@ -2553,15 +2553,16 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
 
        if (!(state->flags & MSG_PEEK))
                WRITE_ONCE(u->oob_skb, NULL);
-
+       else
+               skb_get(oob_skb);
        unix_state_unlock(sk);
 
        chunk = state->recv_actor(oob_skb, 0, chunk, state);
 
-       if (!(state->flags & MSG_PEEK)) {
+       if (!(state->flags & MSG_PEEK))
                UNIXCB(oob_skb).consumed += 1;
-               kfree_skb(oob_skb);
-       }
+
+       consume_skb(oob_skb);
 
        mutex_unlock(&u->iolock);
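Review bot: The unconditional `consume_skb(oob_skb)` is balanced only if each path owns exactly one reference at that point, and nothing in the hunk says so. On the MSG_PEEK path that reference is the `skb_get()` taken before `unix_state_unlock(sk)`; on the other path it has to be the one previously held through `u->oob_skb`, which is set up outside this hunk and should be confirmed there. I would add `/* MSG_PEEK leaves u->oob_skb in place: hold our own reference across the unlock */` above the `else`, and `/* drops the peek reference, or the one inherited from u->oob_skb */` above `consume_skb()`. Separately, `UNIXCB(oob_skb).consumed += 1` runs before any visible check of `chunk`, so if `recv_actor` can return an error the OOB byte appears to be marked consumed anyway. The function continues past the hunk, so this may be handled below.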