From fda40d7692b31bc74427326c7312bbdb79106a14 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 27 Aug 2023 20:30:43 +0200 Subject: [PATCH] 5.15-stable patches added patches: can-raw-add-missing-refcount-for-memory-leak-fix.patch --- ...missing-refcount-for-memory-leak-fix.patch | 112 ++++++++++++++++++ queue-5.15/series | 1 + 2 files changed, 113 insertions(+) create mode 100644 queue-5.15/can-raw-add-missing-refcount-for-memory-leak-fix.patch diff --git a/queue-5.15/can-raw-add-missing-refcount-for-memory-leak-fix.patch b/queue-5.15/can-raw-add-missing-refcount-for-memory-leak-fix.patch new file mode 100644 index 00000000000..a5fb1ccd789 --- /dev/null +++ b/queue-5.15/can-raw-add-missing-refcount-for-memory-leak-fix.patch @@ -0,0 +1,112 @@ +From c275a176e4b69868576e543409927ae75e3a3288 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Mon, 21 Aug 2023 16:45:47 +0200 +Subject: can: raw: add missing refcount for memory leak fix + +From: Oliver Hartkopp + +commit c275a176e4b69868576e543409927ae75e3a3288 upstream. + +Commit ee8b94c8510c ("can: raw: fix receiver memory leak") introduced +a new reference to the CAN netdevice that has assigned CAN filters. +But this new ro->dev reference did not maintain its own refcount which +lead to another KASAN use-after-free splat found by Eric Dumazet. + +This patch ensures a proper refcount for the CAN nedevice. + +Fixes: ee8b94c8510c ("can: raw: fix receiver memory leak") +Reported-by: Eric Dumazet +Cc: Ziyang Xuan +Signed-off-by: Oliver Hartkopp +Link: https://lore.kernel.org/r/20230821144547.6658-3-socketcan@hartkopp.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/can/raw.c | 34 +++++++++++++++++++++++++--------- + 1 file changed, 25 insertions(+), 9 deletions(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -283,8 +283,10 @@ static void raw_notify(struct raw_sock * + case NETDEV_UNREGISTER: + lock_sock(sk); + /* remove current filters & unregister */ +- if (ro->bound) ++ if (ro->bound) { + raw_disable_allfilters(dev_net(dev), dev, sk); ++ dev_put(dev); ++ } + + if (ro->count > 1) + kfree(ro->filter); +@@ -388,10 +390,12 @@ static int raw_release(struct socket *so + + /* remove current filters & unregister */ + if (ro->bound) { +- if (ro->dev) ++ if (ro->dev) { + raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); +- else ++ dev_put(ro->dev); ++ } else { + raw_disable_allfilters(sock_net(sk), NULL, sk); ++ } + } + + if (ro->count > 1) +@@ -442,10 +446,10 @@ static int raw_bind(struct socket *sock, + goto out; + } + if (dev->type != ARPHRD_CAN) { +- dev_put(dev); + err = -ENODEV; +- goto out; ++ goto out_put_dev; + } ++ + if (!(dev->flags & IFF_UP)) + notify_enetdown = 1; + +@@ -453,7 +457,9 @@ static int raw_bind(struct socket *sock, + + /* filters set by default/setsockopt */ + err = raw_enable_allfilters(sock_net(sk), dev, sk); +- dev_put(dev); ++ if (err) ++ goto out_put_dev; ++ + } else { + ifindex = 0; + +@@ -464,18 +470,28 @@ static int raw_bind(struct socket *sock, + if (!err) { + if (ro->bound) { + /* unregister old filters */ +- if (ro->dev) ++ if (ro->dev) { + raw_disable_allfilters(dev_net(ro->dev), + ro->dev, sk); +- else ++ /* drop reference to old ro->dev */ ++ dev_put(ro->dev); ++ } else { + raw_disable_allfilters(sock_net(sk), NULL, sk); ++ } + } + ro->ifindex = ifindex; + ro->bound = 1; ++ /* bind() ok -> hold a reference for new ro->dev */ + ro->dev = dev; ++ if (ro->dev) ++ dev_hold(ro->dev); + } + +- out: ++out_put_dev: ++ /* remove potential reference from dev_get_by_index() */ ++ if (dev) ++ dev_put(dev); ++out: + release_sock(sk); + rtnl_unlock(); + diff --git a/queue-5.15/series b/queue-5.15/series index 4b76611da42..930ebb9bfd8 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -80,3 +80,4 @@ cgroup-cpuset-iterate-only-if-deadline-tasks-are-present.patch sched-deadline-create-dl-bw-alloc-free-check-overflow-interface.patch cgroup-cpuset-free-dl-bw-in-case-can_attach-fails.patch drm-i915-fix-premature-release-of-request-s-reusable-memory.patch +can-raw-add-missing-refcount-for-memory-leak-fix.patch -- 2.47.3