From: Greg Kroah-Hartman Date: Tue, 23 Aug 2022 07:11:49 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.9.326~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=06035d31ea1a670c2846793d02fbcea7c1fbf5c7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch
---
diff --git a/queue-5.4/can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch b/queue-5.4/can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch
new file mode 100644
index 00000000000..2d98a26f791
--- /dev/null
+++ b/queue-5.4/can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch
@@ -0,0 +1,55 @@
+From 8c21c54a53ab21842f5050fa090f26b03c0313d6 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin
+Date: Fri, 5 Aug 2022 18:02:16 +0300
+Subject: can: j1939: j1939_session_destroy(): fix memory leak of skbs
+
+From: Fedor Pchelkin
+
+commit 8c21c54a53ab21842f5050fa090f26b03c0313d6 upstream.
+
+We need to drop skb references taken in j1939_session_skb_queue() when
+destroying a session in j1939_session_destroy(). Otherwise those skbs
+would be lost.
+
+Link to Syzkaller info and repro: https://forge.ispras.ru/issues/11743.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+V1: https://lore.kernel.org/all/20220708175949.539064-1-pchelkin@ispras.ru
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Suggested-by: Oleksij Rempel
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Alexey Khoroshilov
+Acked-by: Oleksij Rempel
+Link: https://lore.kernel.org/all/20220805150216.66313-1-pchelkin@ispras.ru
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/j1939/transport.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -260,6 +260,8 @@ static void __j1939_session_drop(struct
+
+ static void j1939_session_destroy(struct j1939_session *session)
+ {
++ struct sk_buff *skb;
++
+ if (session->err)
+ j1939_sk_errqueue(session, J1939_ERRQUEUE_ABORT);
+ else
+@@ -270,7 +272,11 @@ static void j1939_session_destroy(struct
+ WARN_ON_ONCE(!list_empty(&session->sk_session_queue_entry));
+ WARN_ON_ONCE(!list_empty(&session->active_session_list_entry));
+
+- skb_queue_purge(&session->skb_queue);
++ while ((skb = skb_dequeue(&session->skb_queue)) != NULL) {
++ /* drop ref taken in j1939_session_skb_queue() */
++ skb_unref(skb);
++ kfree_skb(skb);
++ }
+ __j1939_session_drop(session);
+ j1939_priv_put(session->priv);
+ kfree(session);
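Review bot: The result of `skb_unref(skb)` is discarded in the new loop in j1939_session_destroy(), so the loop is only balanced if every skb still on `session->skb_queue` carries exactly one reference beyond the one released by `kfree_skb(skb)`; the existing comment names where that reference is taken but not this invariant. j1939_session_skb_queue() is not part of this patch, so for the 5.4 backport it is worth confirming that the tree's version really takes that reference before queuing, because an unbalanced extra drop here could free an skb that another holder still uses. I would extend the comment to `/* drop ref taken in j1939_session_skb_queue(); kfree_skb() below releases the remaining one */`. The function body continues past the end of the second inner hunk.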
diff --git a/queue-5.4/can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch b/queue-5.4/can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch
new file mode 100644
index 00000000000..99306439e87
--- /dev/null
+++ b/queue-5.4/can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch
@@ -0,0 +1,43 @@
+From 8ef49f7f8244424adcf4a546dba4cbbeb0b09c09 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin
+Date: Fri, 29 Jul 2022 17:36:55 +0300
+Subject: can: j1939: j1939_sk_queue_activate_next_locked(): replace WARN_ON_ONCE with netdev_warn_once()
+
+From: Fedor Pchelkin
+
+commit 8ef49f7f8244424adcf4a546dba4cbbeb0b09c09 upstream.
+
+We should warn user-space that it is doing something wrong when trying
+to activate sessions with identical parameters but WARN_ON_ONCE macro
+can not be used here as it serves a different purpose.
+
+So it would be good to replace it with netdev_warn_once() message.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Alexey Khoroshilov
+Acked-by: Oleksij Rempel
+Link: https://lore.kernel.org/all/20220729143655.1108297-1-pchelkin@ispras.ru
+[mkl: fix indention]
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/j1939/socket.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -178,7 +178,10 @@ activate_next:
+ if (!first)
+ return;
+
+- if (WARN_ON_ONCE(j1939_session_activate(first))) {
++ if (j1939_session_activate(first)) {
++ netdev_warn_once(first->priv->ndev,
++ "%s: 0x%p: Identical session is already activated.\n",
++ __func__, first);
+ first->err = -EBUSY;
+ goto activate_next;
+ } else {
diff --git a/queue-5.4/series b/queue-5.4/series
index cee218b04ad..dc5abb869b2 100644
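Review bot: The rewritten branch after `activate_next:` in the socket.c patch has no comment saying why a failed j1939_session_activate() is logged rather than WARNed; that reason exists only in the commit message, which says user space can cause it by activating sessions with identical parameters. A one-line comment above the `if`, such as `/* reachable from user space (identical session parameters): log once, do not WARN */`, would keep a later cleanup from turning it back into WARN_ON_ONCE(). Note also that netdev_warn_once() prints a single time, so later collisions are visible only through `first->err = -EBUSY`. The enclosing function starts before the hunk and continues after it.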
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -385,3 +385,5 @@ powerpc-64-init-jump-labels-before-parse_early_param.patch
 video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch
 mips-tlbex-explicitly-compare-_page_no_exec-against-.patch
 tracing-probes-have-kprobes-and-uprobes-use-comm-too.patch
+can-j1939-j1939_sk_queue_activate_next_locked-replace-warn_on_once-with-netdev_warn_once.patch
+can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch