net/smc: return 0 for ioctl calls in states INIT and CLOSED
A connected SMC-socket contains addresses of descriptors for the send buffer and the rmb (receive buffer). Fields of these descriptors are used to determine the answer for certain ioctl requests. Add extra handling for unconnected SMC socket states without valid buffer descriptor addresses. Signed-off-by: Ursula Braun <ubraun@linux.ibm.com> Reported-by: syzbot+e6714328fda813fc670f@syzkaller.appspotmail.com Signed-off-by: David S. Miller <davem@davemloft.net>
parent
8156b0ba74
commit
2351abe6f8
|
@ -1490,12 +1490,20 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
|
|||
case SIOCINQ: /* same as FIONREAD */
|
||||
if (smc->sk.sk_state == SMC_LISTEN)
|
||||
return -EINVAL;
|
||||
if (smc->sk.sk_state == SMC_INIT ||
|
||||
smc->sk.sk_state == SMC_CLOSED)
|
||||
answ = 0;
|
||||
else
|
||||
answ = atomic_read(&smc->conn.bytes_to_rcv);
|
||||
break;
|
||||
case SIOCOUTQ:
|
||||
/* output queue size (not send + not acked) */
|
||||
if (smc->sk.sk_state == SMC_LISTEN)
|
||||
return -EINVAL;
|
||||
if (smc->sk.sk_state == SMC_INIT ||
|
||||
smc->sk.sk_state == SMC_CLOSED)
|
||||
answ = 0;
|
||||
else
|
||||
answ = smc->conn.sndbuf_desc->len -
|
||||
atomic_read(&smc->conn.sndbuf_space);
|
||||
break;
|
||||
|
@ -1503,6 +1511,10 @@ static int smc_ioctl(struct socket *sock, unsigned int cmd,
|
|||
/* output queue size (not send only) */
|
||||
if (smc->sk.sk_state == SMC_LISTEN)
|
||||
return -EINVAL;
|
||||
if (smc->sk.sk_state == SMC_INIT ||
|
||||
smc->sk.sk_state == SMC_CLOSED)
|
||||
answ = 0;
|
||||
else
|
||||
answ = smc_tx_prepared_sends(&smc->conn);
|
||||
break;
|
||||
default:
|
||||
|
|
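Review bot: The new SMC_INIT/SMC_CLOSED test in the SIOCOUTQ case reads `smc->sk.sk_state` and then dereferences `smc->conn.sndbuf_desc->len` as two separate steps, and no socket lock is visible in either hunk, so a state change between the check and the read could presumably still reach a descriptor pointer that is not valid. If smc_ioctl() does not already hold the lock outside these hunks, consider wrapping the state check and the read in `lock_sock(&smc->sk);` / `release_sock(&smc->sk);`, releasing it on the `return -EINVAL` paths as well. The same check-then-read pattern appears in the SIOCINQ case and in the second hunk's `smc_tx_prepared_sends(&smc->conn)` branch. The two-line state condition is also repeated three times; a small static helper would keep the three cases in sync if another unconnected state ever needs the same treatment. The body of smc_ioctl() begins and ends outside the hunks shown.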