From patchwork Wed May 5 12:06:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 431202 Delivered-To: patch@linaro.org Received: by 2002:a02:c901:0:0:0:0:0 with SMTP id t1csp441784jao; Wed, 5 May 2021 05:10:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzQLxwMf0fSkKEg6hRl9RlNnGTQWs9galDKbZzDuCmwE0VHvsNKL0q9Bmx+MrWl8V6MlVcb X-Received: by 2002:adf:d1e1:: with SMTP id g1mr38146486wrd.401.1620216602889; Wed, 05 May 2021 05:10:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620216602; cv=none; d=google.com; s=arc-20160816; b=B1PhPp15k5tqtAyFxogrDWjOZWlrXG2xSuLk3nvFSyB797rbajwkTugzBvuRgOAgqI GZF67ey7ueGhoXg7LQm9Hf6CYK2NNlhZc8LLn9AJgLyJsv9uDHyjXkCv6REyi27A7Okp D200U7EcO9xMdDTiCRg7LPtM9KbXazIIW9jJ7WAkLafEVgFiAmD7QGlBFCT++DCe3Q3r 1d4tIvrwyo2ZhFRgnGjIcFNIXxu3BK6FtFvTwUZfychTZKq7cU2nL6uZ/fpnLxjONkQH bGBA8vmvpl502o9MYX7Ig8rhV93Cd3+XFHhpuC4/+g+IwzEzF32do/yHpk4+RJyVLc+i 0tgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=i4CIefQjiY0FAZmHaB72Ae2sVSYm5ZzJY0sO+WnFXK4=; b=QvKY9LF7ikHyDxgG4tjOPNVm8ruZFlf2jfhxp7jvCM2Lt/e2aiMMhq3MIl7DdbmeFF aalP4kfJmJSacJBawuJRxGngy/N8mwBADLwVOTiHuPCfX8kKPxbyBuSofbu9/Pa0jKbt lfneZ0SfQ9UCwRro91RM+/PtcUpE90ZvOj8wLref3TYuyEF4lLzFMSdpyYqHg8G7mzpW wiMlK4+RoSYT+OMjcG8CzwuQze+37PPAKMJwkxHg+ISG28I6CM2R5/YidrvMksYeCZVe 1YZIER0KQG1Z8VtxCPoAeXRnFYK6IsAoUN+Nq/SSQbWHfH4MBcNz3G0d6RXXaVLKAVz8 +G5g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=d4Gx5K1K; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a23si5455359ejb.73.2021.05.05.05.10.02; Wed, 05 May 2021 05:10:02 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=d4Gx5K1K; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232910AbhEEMKO (ORCPT + 12 others); Wed, 5 May 2021 08:10:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:50832 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231437AbhEEMJc (ORCPT ); Wed, 5 May 2021 08:09:32 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 6C009613EC; Wed, 5 May 2021 12:08:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620216497; bh=Igo1WVPFrmwofjl9l41M+rRDy5nT8Cc3Jia6nEkAyMA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=d4Gx5K1K7r9Kzg8/0GQkl4UUPZrkpxFUWXVRQVQ8QUnhyx0bBcIGARyP/ZDd/Igqs 7GluLnR1fxPVleyPVYVLpwa/O+ouCDfwKUU4qQK0ytd1buX9VCgcWkqXDQaKeziOx0 biI/icVT0RsdCfWtmDKfHYesux5oRRjMjzECTtDU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Bjorn Andersson , "David S. Miller" Subject: [PATCH 5.12 07/17] net: qrtr: Avoid potential use after free in MHI send Date: Wed, 5 May 2021 14:06:02 +0200 Message-Id: <20210505112325.195251818@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210505112324.956720416@linuxfoundation.org> References: <20210505112324.956720416@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Bjorn Andersson commit 47a017f33943278570c072bc71681809b2567b3a upstream. It is possible that the MHI ul_callback will be invoked immediately following the queueing of the skb for transmission, leading to the callback decrementing the refcount of the associated sk and freeing the skb. As such the dereference of skb and the increment of the sk refcount must happen before the skb is queued, to avoid the skb to be used after free and potentially the sk to drop its last refcount.. Fixes: 6e728f321393 ("net: qrtr: Add MHI transport layer") Signed-off-by: Bjorn Andersson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/qrtr/mhi.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/net/qrtr/mhi.c +++ b/net/qrtr/mhi.c @@ -50,6 +50,9 @@ static int qcom_mhi_qrtr_send(struct qrt struct qrtr_mhi_dev *qdev = container_of(ep, struct qrtr_mhi_dev, ep); int rc; + if (skb->sk) + sock_hold(skb->sk); + rc = skb_linearize(skb); if (rc) goto free_skb; @@ -59,12 +62,11 @@ static int qcom_mhi_qrtr_send(struct qrt if (rc) goto free_skb; - if (skb->sk) - sock_hold(skb->sk); - return rc; free_skb: + if (skb->sk) + sock_put(skb->sk); kfree_skb(skb); return rc;