From patchwork Wed May 5 12:05:10 2021
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 431173
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Bjorn Andersson, "David S. Miller"
Subject: [PATCH 5.10 07/29] net: qrtr: Avoid potential use after free in MHI send
Date: Wed, 5 May 2021 14:05:10 +0200
Message-Id: <20210505112326.440209461@linuxfoundation.org>
In-Reply-To: <20210505112326.195493232@linuxfoundation.org>
References: <20210505112326.195493232@linuxfoundation.org>
X-Mailing-List: stable@vger.kernel.org

From: Bjorn Andersson

commit 47a017f33943278570c072bc71681809b2567b3a upstream.

It is possible that the MHI ul_callback will be invoked immediately following the queueing of the skb for transmission, leading to the callback decrementing the refcount of the associated sk and freeing the skb.

As such the dereference of skb and the increment of the sk refcount must happen before the skb is queued, to avoid the skb being used after free and potentially the sk dropping its last refcount.

Fixes: 6e728f321393 ("net: qrtr: Add MHI transport layer")
Signed-off-by: Bjorn Andersson
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/qrtr/mhi.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/qrtr/mhi.c +++ b/net/qrtr/mhi.c @@ -50,6 +50,9 @@ static int qcom_mhi_qrtr_send(struct qrt struct qrtr_mhi_dev *qdev = container_of(ep, struct qrtr_mhi_dev, ep); int rc; + if (skb->sk) + sock_hold(skb->sk); + rc = skb_linearize(skb); if (rc) goto free_skb; @@ -59,12 +62,11 @@ static int qcom_mhi_qrtr_send(struct qrt if (rc) goto free_skb; - if (skb->sk) - sock_hold(skb->sk); - return rc; free_skb: + if (skb->sk) + sock_put(skb->sk); kfree_skb(skb); return rc;
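Review bot: In the first hunk (@@ -50,6 +50,9 @@), the `sock_hold(skb->sk)` now placed ahead of `skb_linearize(skb)` has no comment saying it must stay before the skb is queued. The ordering requirement is stated only in the commit message, so a later cleanup could move the hold back next to `return rc;` and reintroduce the use after free. A one-line comment above `if (skb->sk)` noting that the ul_callback may run and drop the reference as soon as the skb is queued would keep the constraint visible in the code.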
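Review bot: In the second hunk (@@ -59,12 +62,11 @@), the `sock_put(skb->sk)` added under `free_skb:` is reached from both `goto free_skb` sites, and for the second one it relies on the failing call never having invoked the ul_callback for this skb. If that callback could still run after an error return, the reference would be dropped twice and `kfree_skb(skb)` would free an skb the callback already freed. The call whose `rc` is checked is not visible in the hunk, so it is worth stating that guarantee in a comment at the label or in the commit message.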