From: Gavrilov Ilia
To: Ralf Baechle
CC: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Kuniyuki Iwashima, linux-hams@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, syzbot+d327a1f3b12e1e206c16@syzkaller.appspotmail.com
Subject: [PATCH net] netrom: Fix a memory leak in nr_heartbeat_expiry()
Date: Thu, 13 Jun 2024 08:23:00 +0000
Message-ID: <20240613082300.294668-1-Ilia.Gavrilov@infotecs.ru>

syzbot reported a memory leak in nr_create() [0].

Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.

But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will call
another nr_destroy_socket() and put it as in the case "b."

nr_connect
  nr_establish_data_link
    nr_start_heartbeat
nr_release
  switch (nr->state)
  case NR_STATE_3
    nr->state = NR_STATE_2
    sock_set_flag(sk, SOCK_DESTROY);

nr_rx_frame
  nr_process_rx_frame
    switch (nr->state)
    case NR_STATE_2
      nr_state2_machine()
        nr_disconnect()
          nr_sk(sk)->state = NR_STATE_0
          sock_set_flag(sk, SOCK_DEAD)

nr_heartbeat_expiry
  switch (nr->state)
  case NR_STATE_0
    if (sock_flag(sk, SOCK_DESTROY) ||
        (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD)))
      sock_hold()  // ( !!! )
      nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.

[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

Reported-by: syzbot+d327a1f3b12e1e206c16@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
Fixes: 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
Signed-off-by: Gavrilov Ilia
---
 net/netrom/nr_timer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
index 4e7c968cde2d..5e3ca068f04e 100644
--- a/net/netrom/nr_timer.c
+++ b/net/netrom/nr_timer.c
@@ -121,7 +121,8 @@ static void nr_heartbeat_expiry(struct timer_list *t)
 		   is accepted() it isn't 'dead' so doesn't get removed. */
 		if (sock_flag(sk, SOCK_DESTROY) ||
 		    (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
-			sock_hold(sk);
+			if (sk->sk_state == TCP_LISTEN)
+				sock_hold(sk);
 			bh_unlock_sock(sk);
 			nr_destroy_socket(sk);
 			goto out;
-- 
2.39.2
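Review bot: the new inner test repeats `sk->sk_state == TCP_LISTEN` from the outer condition two lines above, and nothing at the site records why the extra reference is taken only for the listener (that nr_release() has already run and the single remaining put belongs to this nr_destroy_socket() in the SOCK_DESTROY case, as the commit message explains). Consider splitting the condition into its two cases, or adding a one-line comment beside `if (sk->sk_state == TCP_LISTEN)`, since the existing "Magic here" comment above the hunk only covers the listen case and a later reader will otherwise have to dig the reasoning out of the commit log.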
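As an added illustration, not the kernel's code or the patch author's, the refcount arithmetic behind the two cases the commit message describes, reduced to a constructed model in which `sock_hold`/`sock_put` just bump a counter and `nr_destroy_socket` always ends with one put; the case (b) ordering (heartbeat firing between the listener's orphaning and its own destroy) is an assumption drawn from the commit message, and all struct and function bodies are constructed:

```c
/* Constructed refcount model of the two destroy paths in the commit message,
 * not the kernel's code: only sk_refcnt and the two flags that select the
 * destroy path are modelled, and "freed" just means the count reaches 0. */
#include <stdbool.h>

#define TCP_LISTEN 10   /* any distinct value will do for the model */

struct sock {
    int  sk_refcnt;     /* starts at 1: the reference owned by the file */
    int  sk_state;
    bool sock_destroy;  /* SOCK_DESTROY: nr_release() ran, the fd is gone */
    bool sock_dead;     /* SOCK_DEAD: orphaned by nr_release() */
};

static void sock_hold(struct sock *sk) { sk->sk_refcnt++; }
static void sock_put(struct sock *sk)  { sk->sk_refcnt--; }
/* nr_destroy_socket() always ends by dropping one reference. */
static void nr_destroy_socket(struct sock *sk) { sock_put(sk); }

/* NR_STATE_0 branch of nr_heartbeat_expiry(); 'fixed' selects the patched
 * condition, which takes the extra reference only for a listening socket. */
static void nr_heartbeat_expiry(struct sock *sk, bool fixed)
{
    if (sk->sock_destroy || (sk->sk_state == TCP_LISTEN && sk->sock_dead)) {
        if (!fixed || sk->sk_state == TCP_LISTEN)
            sock_hold(sk);
        nr_destroy_socket(sk);
    }
}

/* Refcount left after nr_release() plus one heartbeat expiry:
 * 0 means the socket was freed, >0 means a reference leaked. */
int refcnt_after(bool listening, bool fixed)
{
    struct sock sk = { .sk_refcnt = 1, .sk_state = listening ? TCP_LISTEN : 0 };
    if (listening) {
        /* case (b): nr_release() orphans the listener and also destroys it;
         * the heartbeat's own put therefore needs the sock_hold() reference. */
        sk.sock_dead = true;
        nr_heartbeat_expiry(&sk, fixed);
        nr_destroy_socket(&sk);
    } else {
        /* case (a): nr_release() in NR_STATE_3 only marks SOCK_DESTROY and
         * leaves the single remaining put to the heartbeat timer. */
        sk.sock_dead = true;
        sk.sock_destroy = true;
        nr_heartbeat_expiry(&sk, fixed);
    }
    return sk.sk_refcnt;
}
```

With the unpatched condition the SOCK_DESTROY path ends at a refcount of 1, which is the leaked socket syzbot saw; the patched condition brings both paths to 0.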