[thirdparty/kernel/stable-queue.git] / releases / 4.9.13 / net-llc-avoid-bug_on-in-skb_orphan.patch

From foo@baz Thu Feb 23 21:13:05 CET 2017
From: Eric Dumazet <edumazet@google.com>
Date: Sun, 12 Feb 2017 14:03:52 -0800
Subject: net/llc: avoid BUG_ON() in skb_orphan()

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ]

It seems nobody used LLC since linux-3.12.

Fortunately fuzzers like syzkaller still know how to run this code,
otherwise it would be no fun.

Setting skb->sk without skb->destructor leads to all kinds of
bugs, we now prefer to be very strict about it.

Ideally here we would use skb_set_owner() but this helper does not exist yet,
only CAN seems to have a private helper for that.

Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/llc/llc_conn.c |    3 +++
 net/llc/llc_sap.c  |    3 +++
 2 files changed, 6 insertions(+)

--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sa
 		 * another trick required to cope with how the PROCOM state
 		 * machine works. -acme
 		 */
+		skb_orphan(skb);
+		sock_hold(sk);
 		skb->sk = sk;
+		skb->destructor = sock_efree;
 	}
 	if (!sock_owned_by_user(sk))
 		llc_conn_rcv(sk, skb);
--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *
 
 	ev->type   = LLC_SAP_EV_TYPE_PDU;
 	ev->reason = 0;
+	skb_orphan(skb);
+	sock_hold(sk);
 	skb->sk = sk;
+	skb->destructor = sock_efree;
 	llc_sap_state_process(sap, skb);
 }
Commit	Line	Data
b2af825a GKH	1	From foo@baz Thu Feb 23 21:13:05 CET 2017
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Sun, 12 Feb 2017 14:03:52 -0800
	4	Subject: net/llc: avoid BUG_ON() in skb_orphan()
	5
	6	From: Eric Dumazet <edumazet@google.com>
	7
	8
	9	[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ]
	10
	11	It seems nobody used LLC since linux-3.12.
	12
	13	Fortunately fuzzers like syzkaller still know how to run this code,
	14	otherwise it would be no fun.
	15
	16	Setting skb->sk without skb->destructor leads to all kinds of
	17	bugs, we now prefer to be very strict about it.
	18
	19	Ideally here we would use skb_set_owner() but this helper does not exist yet,
	20	only CAN seems to have a private helper for that.
	21
	22	Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
	23	Signed-off-by: Eric Dumazet <edumazet@google.com>
	24	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	25	Signed-off-by: David S. Miller <davem@davemloft.net>
	26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	27	---
	28	net/llc/llc_conn.c \| 3 +++
	29	net/llc/llc_sap.c \| 3 +++
	30	2 files changed, 6 insertions(+)
	31
	32	--- a/net/llc/llc_conn.c
	33	+++ b/net/llc/llc_conn.c
	34	@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sa
	35	* another trick required to cope with how the PROCOM state
	36	* machine works. -acme
	37	*/
	38	+ skb_orphan(skb);
	39	+ sock_hold(sk);
	40	skb->sk = sk;
	41	+ skb->destructor = sock_efree;
	42	}
	43	if (!sock_owned_by_user(sk))
	44	llc_conn_rcv(sk, skb);
	45	--- a/net/llc/llc_sap.c
	46	+++ b/net/llc/llc_sap.c
	47	@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *
	48
	49	ev->type = LLC_SAP_EV_TYPE_PDU;
	50	ev->reason = 0;
	51	+ skb_orphan(skb);
	52	+ sock_hold(sk);
	53	skb->sk = sk;
	54	+ skb->destructor = sock_efree;
	55	llc_sap_state_process(sap, skb);
	56	}
	57