Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp4452771ybz; Tue, 28 Apr 2020 11:32:46 -0700 (PDT) X-Google-Smtp-Source: APiQypJG5jR48M9qYajg88DE2IbmPnBe2/7KEN4FIUVEOlRo84Eg7l7r/LRsiW84p9rWSQ7Etz8f X-Received: by 2002:a17:906:b2c2:: with SMTP id cf2mr24845427ejb.262.1588098766152; Tue, 28 Apr 2020 11:32:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588098766; cv=none; d=google.com; s=arc-20160816; b=vNEn8dMtXplaQxLknpCZu3Gw6CdXJQ1p9pwvf/WbOH0hMnx0jS/1lmE92PEenNWkrj kesJiZ1ifOIsElnhu+LZetCnuiAGIiMcyx1KRnBoq/5ltObj/1S+MhYrT1EcQuLA4bZw 8wS9vHy1RqOgmITSIwIH8VRrNCH5zB/Mrno32GxPYEJ4C76+ufFQSU2B1VrwCzEmRFid BUAfXBdXcp7D5/NXkC/ND6pGHcheKJz8s+wbFgodSs9yb6BOmMJxXGjlNvE9wLz9EeA6 7vGq+K4g+1f6jz/RKE6h8m53W1R+6jyO6CoMux7FlBQC0s4uad3j7X+JDi1M+2EdffRg /nfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=NwBXfSwE9G7opxGGG9dvY0iigiCdj7ve59dmvA5ebU4=; b=O+lPP/jnzgjyoA/DSDzH91GlCotso2UW38m3tyDL9AXJ/e2uEHDdXOdyWqsTs6GRQm bPlxgA0/EIw56g5m1h1DGxiXiTkO/F1J7/qvitEidtWVZyug4iJQ8IFeN+Eb9/jMKhRN 6znW7TgU6IrM4ruc7WdpgbFDa8Rrq/tnTNJgRwIodou2DVStVx3nl3YffNWBi90a6GKX fuKjQnEX+K6HoGeg7u3HIturO/uCTqh1u9MEtp01dAOCxT7JufRB7jRuaHSWVuH5rDLg Hy71eGWxH4pVj27m2QzKnKEbL7EOhmP9A0FEiFltqz5VVkQinb2TxaQlS4RRkCgFd/Xo jGKw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=fl5neKqG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r12si2180559edm.95.2020.04.28.11.32.22; Tue, 28 Apr 2020 11:32:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=fl5neKqG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729147AbgD1S2L (ORCPT + 99 others); Tue, 28 Apr 2020 14:28:11 -0400 Received: from mail.kernel.org ([198.145.29.99]:40460 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729111AbgD1S2B (ORCPT ); Tue, 28 Apr 2020 14:28:01 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 37DCF20730; Tue, 28 Apr 2020 18:28:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1588098480; bh=PDn7z5TjoQE7tSSAS//QLkvjBMmkHUo1fAqHroZxP34=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fl5neKqG2hCPuwXtD+DguT+0EAViexcFMc4fbabTeweWTdfnmXqS44ZSV5dWQ+Qru zbJeX/l01UYSpQ6D2xXOwjREdbwmEfihW8wC6HrDkKd6Wt+b1aT8LIx6KmwUAsiF4F 5vTK7VZ8h+S/VRZxiIO8hnp6RvOS93PaOVH4IZAc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Xiyu Yang , Xin Tan , "David S. Miller" Subject: [PATCH 5.6 057/167] net/x25: Fix x25_neigh refcnt leak when receiving frame Date: Tue, 28 Apr 2020 20:23:53 +0200 Message-Id: <20200428182232.201265461@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200428182225.451225420@linuxfoundation.org> References: <20200428182225.451225420@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xiyu Yang [ Upstream commit f35d12971b4d814cdb2f659d76b42f0c545270b6 ] x25_lapb_receive_frame() invokes x25_get_neigh(), which returns a reference of the specified x25_neigh object to "nb" with increased refcnt. When x25_lapb_receive_frame() returns, local variable "nb" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one path of x25_lapb_receive_frame(). When pskb_may_pull() returns false, the function forgets to decrease the refcnt increased by x25_get_neigh(), causing a refcnt leak. Fix this issue by calling x25_neigh_put() when pskb_may_pull() returns false. Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs") Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/x25/x25_dev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/x25/x25_dev.c +++ b/net/x25/x25_dev.c @@ -115,8 +115,10 @@ int x25_lapb_receive_frame(struct sk_buf goto drop; } - if (!pskb_may_pull(skb, 1)) + if (!pskb_may_pull(skb, 1)) { + x25_neigh_put(nb); return 0; + } switch (skb->data[0]) {