[thirdparty/kernel/stable-queue.git] / releases / 4.19.54 / tipc-purge-deferredq-list-for-each-grp-member-in-tipc_group_delete.patch

From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
From: Xin Long <lucien.xin@gmail.com>
Date: Sun, 16 Jun 2019 17:24:07 +0800
Subject: tipc: purge deferredq list for each grp member in tipc_group_delete

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 5cf02612b33f104fe1015b2dfaf1758ad3675588 ]

Syzbot reported a memleak caused by grp members' deferredq list not
purged when the grp is be deleted.

The issue occurs when more(msg_grp_bc_seqno(hdr), m->bc_rcv_nxt) in
tipc_group_filter_msg() and the skb will stay in deferredq.

So fix it by calling __skb_queue_purge for each member's deferredq
in tipc_group_delete() when a tipc sk leaves the grp.

Fixes: b87a5ea31c93 ("tipc: guarantee group unicast doesn't bypass group broadcast")
Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/group.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -218,6 +218,7 @@ void tipc_group_delete(struct net *net,
 
 	rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) {
 		tipc_group_proto_xmit(grp, m, GRP_LEAVE_MSG, &xmitq);
+		__skb_queue_purge(&m->deferredq);
 		list_del(&m->list);
 		kfree(m);
 	}
Commit	Line	Data
cc95841f GKH	1	From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
	2	From: Xin Long <lucien.xin@gmail.com>
	3	Date: Sun, 16 Jun 2019 17:24:07 +0800
	4	Subject: tipc: purge deferredq list for each grp member in tipc_group_delete
	5
	6	From: Xin Long <lucien.xin@gmail.com>
	7
	8	[ Upstream commit 5cf02612b33f104fe1015b2dfaf1758ad3675588 ]
	9
	10	Syzbot reported a memleak caused by grp members' deferredq list not
	11	purged when the grp is be deleted.
	12
	13	The issue occurs when more(msg_grp_bc_seqno(hdr), m->bc_rcv_nxt) in
	14	tipc_group_filter_msg() and the skb will stay in deferredq.
	15
	16	So fix it by calling __skb_queue_purge for each member's deferredq
	17	in tipc_group_delete() when a tipc sk leaves the grp.
	18
	19	Fixes: b87a5ea31c93 ("tipc: guarantee group unicast doesn't bypass group broadcast")
	20	Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com
	21	Signed-off-by: Xin Long <lucien.xin@gmail.com>
	22	Acked-by: Ying Xue <ying.xue@windriver.com>
	23	Signed-off-by: David S. Miller <davem@davemloft.net>
	24	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	25	---
	26	net/tipc/group.c \| 1 +
	27	1 file changed, 1 insertion(+)
	28
	29	--- a/net/tipc/group.c
	30	+++ b/net/tipc/group.c
	31	@@ -218,6 +218,7 @@ void tipc_group_delete(struct net *net,
	32
	33	rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) {
	34	tipc_group_proto_xmit(grp, m, GRP_LEAVE_MSG, &xmitq);
	35	+ __skb_queue_purge(&m->deferredq);
	36	list_del(&m->list);
	37	kfree(m);
	38	}