    net/smc: keep clcsock reference in smc_tcp_listen_work() · 070204a3
    Committed by Ursula Braun
    The internal CLC socket should exist till the SMC-socket is released.
    Function tcp_listen_worker() releases the internal CLC socket of a
    listen socket, if an smc_close_active() is called. This function
    is called for the final release(), but it is called for shutdown
    SHUT_RDWR as well. This opens a door for protection faults, if
    socket calls using the internal CLC socket are called for a
    shutdown listen socket.
    
    With the changes of
    commit 3d502067 ("net/smc: simplify wait when closing listen socket")
    there is no need anymore to release the internal CLC socket in
    function tcp_listen_worker(). It is sufficient to release it in
    smc_release().
    
    Fixes: 127f4970 ("net/smc: release clcsock from tcp_listen_worker")
    Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
    Reported-by: syzbot+9045fc589fcd196ef522@syzkaller.appspotmail.com
    Reported-by: syzbot+28a2c86cf19c81d871fa@syzkaller.appspotmail.com
    Reported-by: syzbot+9605e6cace1b5efd4a0a@syzkaller.appspotmail.com
    Reported-by: syzbot+cf9012c597c8379d535c@syzkaller.appspotmail.com
    Signed-off-by: David S. Miller <davem@davemloft.net>
af_smc.c 36.4 KB