From: Bjorn Andersson
To: Manivannan Sadhasivam, "David S. Miller", Jakub Kicinski
Cc: linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] net: qrtr: Avoid potential use after free in MHI send
Date: Wed, 21 Apr 2021 10:40:07 -0700
Message-Id: <20210421174007.2954194-1-bjorn.andersson@linaro.org>

It is possible that the MHI ul_callback will be invoked immediately
following the queueing of the skb for transmission, leading to the
callback decrementing the refcount of the associated sk and freeing the
skb.

As such the dereference of skb and the increment of the sk refcount must
happen before the skb is queued, to avoid the skb to be used after free
and potentially the sk to drop its last refcount.

Fixes: 6e728f321393 ("net: qrtr: Add MHI transport layer")
Signed-off-by: Bjorn Andersson --- net/qrtr/mhi.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) -- 2.29.2 Reviewed-by: Manivannan Sadhasivam diff --git a/net/qrtr/mhi.c b/net/qrtr/mhi.c index 2bf2b1943e61..fa611678af05 100644 --- a/net/qrtr/mhi.c +++ b/net/qrtr/mhi.c @@ -50,6 +50,9 @@ static int qcom_mhi_qrtr_send(struct qrtr_endpoint *ep, struct sk_buff *skb) struct qrtr_mhi_dev *qdev = container_of(ep, struct qrtr_mhi_dev, ep); int rc; + if (skb->sk) + sock_hold(skb->sk); + rc = skb_linearize(skb); if (rc) goto free_skb; @@ -59,12 +62,11 @@ static int qcom_mhi_qrtr_send(struct qrtr_endpoint *ep, struct sk_buff *skb) if (rc) goto free_skb; - if (skb->sk) - sock_hold(skb->sk); - return rc; free_skb: + if (skb->sk) + sock_put(skb->sk); kfree_skb(skb); return rc;
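Review bot: In the first hunk (@@ -50,6 +50,9), the sock_hold() that now sits ahead of skb_linearize() carries no comment saying why it must come before the skb is queued. The ordering is the entire fix, so a short comment above the `if (skb->sk)` check, noting that the ul_callback may drop this reference and free the skb as soon as the skb is queued, would keep a later cleanup from moving the hold back below the queue call.

Review bot: In the second hunk (@@ -59,12 +62,11), the free_skb label now reads skb->sk and calls kfree_skb(skb) on a path that is also reached after the queue call has returned an error. That is only safe if a failed queue never hands the skb to the ul_callback, which the visible lines do not show. Please state that guarantee in the commit message or in a comment at free_skb. The reference accounting itself is balanced: both the skb_linearize() failure and the queue failure arrive at free_skb with the hold from the top of the function still outstanding, and the added sock_put() releases it.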