From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Nguyen Dinh Phi, syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com, "David S. Miller", Sasha Levin
Subject: [PATCH 4.9 38/60] netrom: Decrease sock refcount when sock timers expire
Date: Mon, 26 Jul 2021 17:38:52 +0200
Message-Id: <20210726153826.065942326@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210726153824.868160836@linuxfoundation.org>
References: <20210726153824.868160836@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: 
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nguyen Dinh Phi

[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ]

Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use
sock timer API. It replaces mod_timer() by sk_reset_timer(), and
del_timer() by sk_stop_timer().

Function sk_reset_timer() will increase the refcount of sock if it is
called on an inactive timer; hence, in case the timer expires, we need to
decrease the refcount ourselves in the handler. Otherwise, the sock
refcount will be unbalanced and the sock will never be freed.

Signed-off-by: Nguyen Dinh Phi
Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com
Fixes: 63346650c1a9 ("netrom: switch to sock timer API")
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/netrom/nr_timer.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
index f0ecaec1ff3d..d1a0b7056743 100644
--- a/net/netrom/nr_timer.c
+++ b/net/netrom/nr_timer.c
@@ -125,11 +125,9 @@ static void nr_heartbeat_expiry(unsigned long param) is accepted() it isn't 'dead' so doesn't get removed. */ if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { - sock_hold(sk); bh_unlock_sock(sk); nr_destroy_socket(sk); - sock_put(sk); - return; + goto out; } break; @@ -150,6 +148,8 @@ static void nr_heartbeat_expiry(unsigned long param) nr_start_heartbeat(sk); bh_unlock_sock(sk); +out: + sock_put(sk); } static void nr_t2timer_expiry(unsigned long param) @@ -163,6 +163,7 @@ static void nr_t2timer_expiry(unsigned long param) nr_enquiry_response(sk); } bh_unlock_sock(sk); + sock_put(sk); } static void nr_t4timer_expiry(unsigned long param) @@ -172,6 +173,7 @@ static void nr_t4timer_expiry(unsigned long param) bh_lock_sock(sk); nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY; bh_unlock_sock(sk); + sock_put(sk); } static void nr_idletimer_expiry(unsigned long param) @@ -200,6 +202,7 @@ static void nr_idletimer_expiry(unsigned long param) sock_set_flag(sk, SOCK_DEAD); } bh_unlock_sock(sk); + sock_put(sk); } static void nr_t1timer_expiry(unsigned long param) @@ -212,8 +215,7 @@ static void nr_t1timer_expiry(unsigned long param) case NR_STATE_1: if (nr->n2count == nr->n2) { nr_disconnect(sk, ETIMEDOUT); - bh_unlock_sock(sk); - return; + goto out; } else { nr->n2count++; nr_write_internal(sk, NR_CONNREQ); @@ -223,8 +225,7 @@ static void nr_t1timer_expiry(unsigned long param) case NR_STATE_2: if (nr->n2count == nr->n2) { nr_disconnect(sk, ETIMEDOUT); - bh_unlock_sock(sk); - return; + goto out; } else { nr->n2count++; nr_write_internal(sk, NR_DISCREQ); @@ -234,8 +235,7 @@ static void nr_t1timer_expiry(unsigned long param) case NR_STATE_3: if (nr->n2count == nr->n2) { nr_disconnect(sk, ETIMEDOUT); - bh_unlock_sock(sk); - return; + goto out; } else { nr->n2count++; nr_requeue_frames(sk); 
@@ -244,5 +244,7 @@ static void nr_t1timer_expiry(unsigned long param) } nr_start_t1timer(sk); +out: bh_unlock_sock(sk); + sock_put(sk); } -- 2.30.2
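Review bot: in the SOCK_DESTROY / dead-listener branch of nr_heartbeat_expiry() (the `@@ -125,11` hunk) the explicit sock_hold(sk)/sock_put(sk) pair around nr_destroy_socket(sk) is dropped in favour of `goto out`, so nr_destroy_socket() now runs under the reference that sk_reset_timer() took when the heartbeat was armed, and the single sock_put(sk) at `out:` releases it afterwards. That is correct as long as nothing touches sk after that put, which holds in the visible lines, but the removed sock_hold() is easy to misread as a regression; a one-line comment at the `goto out` saying that the timer's own reference covers nr_destroy_socket() would help the next reader.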
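Review bot: in the `@@ -150,6` hunk, nr_start_heartbeat(sk) re-arms the timer right before the new `out:` label; because the timer is inactive while its own handler runs, sk_reset_timer() takes a fresh hold there, and the sock_put(sk) added at `out:` releases the hold for the expiry that just ran, so each heartbeat cycle is net zero on the refcount. The put sits after bh_unlock_sock(sk), which is the right order since it may free sk; a comment that it must stay the last statement in the function would be worth adding, as the same pattern is repeated in the nr_t2timer_expiry(), nr_t4timer_expiry() and nr_idletimer_expiry() hunks.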
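Review bot: in the final nr_t1timer_expiry() hunk (`@@ -244,5`) the `out:` label lands before bh_unlock_sock(sk), whereas in nr_heartbeat_expiry() it sits after the unlock. Both are correct, because the three `goto out` sites in the NR_STATE_1/2/3 cases replace a `bh_unlock_sock(sk); return;` pair and therefore jump with the lock still held, but the asymmetry between the two handlers deserves a short comment so a later edit does not move the label and unlock twice or put while locked.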
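To make the accounting in the commit message concrete, here is an added user-space model (not code from the patch or the kernel) of the sk_reset_timer()/sk_stop_timer() reference rules it describes: a hold is taken only when an inactive timer is armed, so the expiry handler is the only place that can release it. The `model_*` helpers, the two-field `struct sock` and `run_cycles()` are constructed stand-ins, not kernel APIs.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed stand-in for the two fields that matter; not the kernel's struct sock. */
struct sock { int refcnt; bool timer_pending; };
/* sk_reset_timer() model: a hold is taken only when the timer was not already pending. */
static void model_sk_reset_timer(struct sock *sk)
{
    bool was_pending = sk->timer_pending;
    sk->timer_pending = true;
    if (!was_pending)
        sk->refcnt++;            /* sock_hold(sk) */
}

/* sk_stop_timer() model: the hold is dropped only if a pending timer was cancelled. */
static void model_sk_stop_timer(struct sock *sk)
{
    if (sk->timer_pending) {
        sk->timer_pending = false;
        sk->refcnt--;            /* __sock_put(sk) */
    }
}

/* Expiry model: once the handler runs the timer is no longer pending, so the
 * handler is the only place left that can release the hold taken when it was armed. */
static void model_expiry(struct sock *sk, bool handler_puts)
{
    sk->timer_pending = false;
    if (handler_puts)
        sk->refcnt--;            /* the sock_put(sk) the patch adds to each handler */
}

/* Arm, expire and re-arm n times (as nr_heartbeat_expiry() does via nr_start_heartbeat()),
 * then cancel on teardown. Returns the leftover refcount; 1 means only the owner's is left. */
static int run_cycles(int n, bool handler_puts)
{
    struct sock sk = { .refcnt = 1, .timer_pending = false };
    model_sk_reset_timer(&sk);
    for (int i = 0; i < n; i++) {
        model_expiry(&sk, handler_puts);
        model_sk_reset_timer(&sk);
    }
    model_sk_stop_timer(&sk);
    return sk.refcnt;
}
int main(void)
{
    printf("handler with sock_put: %d, without: %d\n", run_cycles(3, true), run_cycles(3, false));
    return 0;
}
```

Without the handler's put, every expiry leaves one extra reference behind, which is exactly why the sock in the report could never be freed.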