net: Fix use after free by removing length arg from sk_data_ready callbacks.

[linux.git] / fs / ocfs2 / cluster / tcp.c

diff --git a/fs/ocfs2/cluster/tcp.c b/fs/ocfs2/cluster/tcp.c
index 2cd2406b41408b61dc0797e2e87e6f29a84506e0..d857534b886efa23b67c9d332aa1cd75bf09518b 100644 (file)
--- a/fs/ocfs2/cluster/tcp.c
+++ b/fs/ocfs2/cluster/tcp.c
@@ -137,7 +137,7 @@ static int o2net_sys_err_translations[O2NET_ERR_MAX] =
 static void o2net_sc_connect_completed(struct work_struct *work);
 static void o2net_rx_until_empty(struct work_struct *work);
 static void o2net_shutdown_sc(struct work_struct *work);
-static void o2net_listen_data_ready(struct sock *sk, int bytes);
+static void o2net_listen_data_ready(struct sock *sk);
 static void o2net_sc_send_keep_req(struct work_struct *work);
 static void o2net_idle_timer(unsigned long data);
 static void o2net_sc_postpone_idle(struct o2net_sock_container *sc);
@@ -262,17 +262,17 @@ static void o2net_update_recv_stats(struct o2net_sock_container *sc)
 
 #endif /* CONFIG_OCFS2_FS_STATS */
 
-static inline int o2net_reconnect_delay(void)
+static inline unsigned int o2net_reconnect_delay(void)
 {
        return o2nm_single_cluster->cl_reconnect_delay_ms;
 }
 
-static inline int o2net_keepalive_delay(void)
+static inline unsigned int o2net_keepalive_delay(void)
 {
        return o2nm_single_cluster->cl_keepalive_delay_ms;
 }
 
-static inline int o2net_idle_timeout(void)
+static inline unsigned int o2net_idle_timeout(void)
 {
        return o2nm_single_cluster->cl_idle_timeout_ms;
 }
@@ -597,9 +597,9 @@ static void o2net_set_nn_state(struct o2net_node *nn,
 }
 
 /* see o2net_register_callbacks() */
-static void o2net_data_ready(struct sock *sk, int bytes)
+static void o2net_data_ready(struct sock *sk)
 {
-       void (*ready)(struct sock *sk, int bytes);
+       void (*ready)(struct sock *sk);
 
        read_lock(&sk->sk_callback_lock);
        if (sk->sk_user_data) {
@@ -613,7 +613,7 @@ static void o2net_data_ready(struct sock *sk, int bytes)
        }
        read_unlock(&sk->sk_callback_lock);
 
-       ready(sk, bytes);
+       ready(sk);
 }
 
 /* see o2net_register_callbacks() */
@@ -1953,9 +1953,9 @@ static void o2net_accept_many(struct work_struct *work)
                cond_resched();
 }
 
-static void o2net_listen_data_ready(struct sock *sk, int bytes)
+static void o2net_listen_data_ready(struct sock *sk)
 {
-       void (*ready)(struct sock *sk, int bytes);
+       void (*ready)(struct sock *sk);
 
        read_lock(&sk->sk_callback_lock);
        ready = sk->sk_user_data;
@@ -1964,18 +1964,29 @@ static void o2net_listen_data_ready(struct sock *sk, int bytes)
                goto out;
        }
 
-       /* ->sk_data_ready is also called for a newly established child socket
-        * before it has been accepted and the acceptor has set up their
-        * data_ready.. we only want to queue listen work for our listening
-        * socket */
+       /* This callback may called twice when a new connection
+        * is  being established as a child socket inherits everything
+        * from a parent LISTEN socket, including the data_ready cb of
+        * the parent. This leads to a hazard. In o2net_accept_one()
+        * we are still initializing the child socket but have not
+        * changed the inherited data_ready callback yet when
+        * data starts arriving.
+        * We avoid this hazard by checking the state.
+        * For the listening socket,  the state will be TCP_LISTEN; for the new
+        * socket, will be  TCP_ESTABLISHED. Also, in this case,
+        * sk->sk_user_data is not a valid function pointer.
+        */
+
        if (sk->sk_state == TCP_LISTEN) {
-               mlog(ML_TCP, "bytes: %d\n", bytes);
                queue_work(o2net_wq, &o2net_listen_work);
+       } else {
+               ready = NULL;
        }
 
 out:
        read_unlock(&sk->sk_callback_lock);
-       ready(sk, bytes);
+       if (ready != NULL)
+               ready(sk);
 }
 
 static int o2net_open_listening_sock(__be32 addr, __be16 port)