From: Pavel Skripkin
To: mani@kernel.org, davem@davemloft.net, kuba@kernel.org, bjorn.andersson@sonymobile.com, courtney.cavin@sonymobile.com
Cc: linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Pavel Skripkin, syzbot+35a511c72ea7356cdcf3@syzkaller.appspotmail.com
Subject: [PATCH] net: qrtr: fix memory leak in qrtr_local_enqueue
Date: Thu, 22 Jul 2021 19:16:25 +0300
Message-Id: <20210722161625.6956-1-paskripkin@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot reported memory leak in qrtr. The problem was in unputted
struct sock. qrtr_local_enqueue() function calls qrtr_port_lookup()
which takes sock reference if port was found. Then there is the
following check:

    if (!ipc || &ipc->sk == skb->sk) {
        ...
        return -ENODEV;
    }

Since we should drop the reference before returning from this function and
ipc can be non-NULL inside this if, we should add qrtr_port_put() inside
this if.

Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
Reported-and-tested-by: syzbot+35a511c72ea7356cdcf3@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin

--- net/qrtr/qrtr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c index e6f4a6202f82..d5ce428d0b25 100644 --- a/net/qrtr/qrtr.c +++ b/net/qrtr/qrtr.c @@ -839,6 +839,8 @@ static int qrtr_local_enqueue(struct qrtr_node *node, struct sk_buff *skb, ipc = qrtr_port_lookup(to->sq_port); if (!ipc || &ipc->sk == skb->sk) { /* do not send to self */ + if (ipc) + qrtr_port_put(ipc); kfree_skb(skb); return -ENODEV; } -- 2.32.0
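
Review bot: In the `if (!ipc || &ipc->sk == skb->sk)` branch, the new `if (ipc)` guard exists only because two different conditions share one exit: the reference taken by `qrtr_port_lookup()` is held just in the self-send case (`&ipc->sk == skb->sk`), not when the lookup fails. Splitting the branch, or routing both cases through one error label that does the put and `kfree_skb(skb)`, would make the ownership of that reference explicit and harder to break in a later edit. The hunk shows only this early return, so the remaining exits of qrtr_local_enqueue() after the lookup, which lie outside the visible context, should be checked for the same pairing of `qrtr_port_lookup()` with `qrtr_port_put()`. The `/* do not send to self */` comment also describes only one of the two conditions and could mention the failed lookup.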