From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiyu Yang, Xin Tan, "David S. Miller"
Subject: [PATCH 5.6 063/167] tipc: Fix potential tipc_node refcnt leak in tipc_rcv
Date: Tue, 28 Apr 2020 20:23:59 +0200
Message-Id: <20200428182232.923942002@linuxfoundation.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200428182225.451225420@linuxfoundation.org>
References: <20200428182225.451225420@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xiyu Yang

[ Upstream commit de058420767df21e2b6b0f3bb36d1616fb962032 ]

tipc_rcv() invokes tipc_node_find() twice, which returns a reference of the specified tipc_node object to "n" with increased refcnt.

When tipc_rcv() returns or a new object is assigned to "n", the original local reference of "n" becomes invalid, so the refcount should be decreased to keep refcount balanced.

The issue happens in some paths of tipc_rcv(), which forget to decrease the refcnt increased by tipc_node_find() and will cause a refcnt leak.

Fix this issue by calling tipc_node_put() before the original object pointed by "n" becomes invalid.

Signed-off-by: Xiyu Yang
Signed-off-by: Xin Tan
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/tipc/node.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/tipc/node.c +++ b/net/tipc/node.c @@ -2037,6 +2037,7 @@ void tipc_rcv(struct net *net, struct sk n = tipc_node_find_by_id(net, ehdr->id); } tipc_crypto_rcv(net, (n) ? n->crypto_rx : NULL, &skb, b); + tipc_node_put(n); if (!skb) return; 
@@ -2089,7 +2090,7 @@ rcv: /* Check/update node state before receiving */ if (unlikely(skb)) { if (unlikely(skb_linearize(skb))) - goto discard; + goto out_node_put; tipc_node_write_lock(n); if (tipc_node_check_state(n, skb, bearer_id, &xmitq)) { if (le->link) { @@ -2118,6 +2119,7 @@ rcv: if (!skb_queue_empty(&xmitq)) tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr, n); +out_node_put: tipc_node_put(n); discard: kfree_skb(skb);
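Review bot: in the first hunk (@@ -2037,6 +2037,7 @@) the added tipc_node_put(n) is unconditional, yet the line directly above it passes "(n) ? n->crypto_rx : NULL", which only makes sense if n can be NULL after tipc_node_find_by_id(). Nothing in the visible lines shows that tipc_node_put() accepts a NULL node, so either guard the call ("if (n) tipc_node_put(n);") or state in the commit message that the put is NULL-safe. As written, a fix for a refcount leak may add a NULL dereference on the receive path.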
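Review bot: in the second hunk (@@ -2089,7 +2090,7 @@) the skb_linearize() failure path now jumps to out_node_put, which lands below the "if (!skb_queue_empty(&xmitq)) tipc_bearer_xmit(...)" block shown in the last hunk, so anything already queued on xmitq would be skipped. In the visible lines the first user of &xmitq is tipc_node_check_state(), after the linearize, which suggests the queue is still empty here; a short comment at the goto saying so would make that assumption checkable by the next person who adds a queueing call earlier in this block.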
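Review bot: in the last hunk (@@ -2118,6 +2119,7 @@) the new out_node_put label falls through into discard, so the function now has two exit labels that differ only in whether a reference on n is dropped, and nothing documents which one a given path must use. Please add a one-line comment above the labels stating the invariant (out_node_put: a reference on n is held; discard: no reference held), and confirm that every remaining "goto discard" in tipc_rcv() is reached without a live reference, since the commit message says only "some paths" without listing them.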