From: Greg Kroah-Hartman Date: Sun, 27 Aug 2023 10:11:06 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.49~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27cad89cbd4a4e168db656de1f49aef3ab9dd97f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: can-raw-add-missing-refcount-for-memory-leak-fix.patch --- diff --git a/queue-6.1/can-raw-add-missing-refcount-for-memory-leak-fix.patch b/queue-6.1/can-raw-add-missing-refcount-for-memory-leak-fix.patch new file mode 100644 index 00000000000..de2bda3cb40 --- /dev/null +++ b/queue-6.1/can-raw-add-missing-refcount-for-memory-leak-fix.patch @@ -0,0 +1,120 @@ +From c275a176e4b69868576e543409927ae75e3a3288 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Mon, 21 Aug 2023 16:45:47 +0200 +Subject: can: raw: add missing refcount for memory leak fix + +From: Oliver Hartkopp + +commit c275a176e4b69868576e543409927ae75e3a3288 upstream. + +Commit ee8b94c8510c ("can: raw: fix receiver memory leak") introduced +a new reference to the CAN netdevice that has assigned CAN filters. +But this new ro->dev reference did not maintain its own refcount which +lead to another KASAN use-after-free splat found by Eric Dumazet. + +This patch ensures a proper refcount for the CAN nedevice. + +Fixes: ee8b94c8510c ("can: raw: fix receiver memory leak") +Reported-by: Eric Dumazet +Cc: Ziyang Xuan +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/r/20230821144547.6658-3-socketcan@hartkopp.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/can/raw.c | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -85,6 +85,7 @@ struct raw_sock { + int bound; + int ifindex; + struct net_device *dev; ++ netdevice_tracker dev_tracker; + struct list_head notifier; + int loopback; + int recv_own_msgs; +@@ -285,8 +286,10 @@ static void raw_notify(struct raw_sock * + case NETDEV_UNREGISTER: + lock_sock(sk); + /* remove current filters & unregister */ +- if (ro->bound) ++ if (ro->bound) { + raw_disable_allfilters(dev_net(dev), dev, sk); ++ netdev_put(dev, &ro->dev_tracker); ++ } + + if (ro->count > 1) + kfree(ro->filter); +@@ -391,10 +394,12 @@ static int raw_release(struct socket *so + + /* remove current filters & unregister */ + if (ro->bound) { +- if (ro->dev) ++ if (ro->dev) { + raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); +- else ++ netdev_put(ro->dev, &ro->dev_tracker); ++ } else { + raw_disable_allfilters(sock_net(sk), NULL, sk); ++ } + } + + if (ro->count > 1) +@@ -445,10 +450,10 @@ static int raw_bind(struct socket *sock, + goto out; + } + if (dev->type != ARPHRD_CAN) { +- dev_put(dev); + err = -ENODEV; +- goto out; ++ goto out_put_dev; + } ++ + if (!(dev->flags & IFF_UP)) + notify_enetdown = 1; + +@@ -456,7 +461,9 @@ static int raw_bind(struct socket *sock, + + /* filters set by default/setsockopt */ + err = raw_enable_allfilters(sock_net(sk), dev, sk); +- dev_put(dev); ++ if (err) ++ goto out_put_dev; ++ + } else { + ifindex = 0; + +@@ -467,18 +474,28 @@ static int raw_bind(struct socket *sock, + if (!err) { + if (ro->bound) { + /* unregister old filters */ +- if (ro->dev) ++ if (ro->dev) { + raw_disable_allfilters(dev_net(ro->dev), + ro->dev, sk); +- else ++ /* drop reference to old ro->dev */ ++ netdev_put(ro->dev, &ro->dev_tracker); ++ } else { + raw_disable_allfilters(sock_net(sk), NULL, sk); ++ } + } + ro->ifindex = ifindex; + ro->bound = 1; ++ /* bind() ok -> hold a reference for new ro->dev */ + ro->dev = dev; ++ if (ro->dev) ++ netdev_hold(ro->dev, &ro->dev_tracker, GFP_KERNEL); + } + +- out: ++out_put_dev: ++ /* remove potential reference from dev_get_by_index() */ ++ if (dev) ++ dev_put(dev); ++out: + release_sock(sk); + rtnl_unlock(); + diff --git a/queue-6.1/series b/queue-6.1/series index cae4ed5d88e..e1a14844464 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -110,3 +110,4 @@ sched-deadline-create-dl-bw-alloc-free-check-overflow-interface.patch cgroup-cpuset-free-dl-bw-in-case-can_attach-fails.patch thunderbolt-fix-thunderbolt-3-display-flickering-issue-on-2nd-hot-plug-onwards.patch ublk-remove-check-io_uring_f_sqe128-in-ublk_ch_uring_cmd.patch +can-raw-add-missing-refcount-for-memory-leak-fix.patch