From patchwork Wed May 5 12:05:57 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 431204 Delivered-To: patch@linaro.org Received: by 2002:a02:c901:0:0:0:0:0 with SMTP id t1csp442247jao; Wed, 5 May 2021 05:10:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxn5UZhODexJ1vBG4miu/RrMvDSphNYqhjBbVGv5nbCxraczghiuKsjNeBP01k+LoZ6I8yU X-Received: by 2002:aa7:d801:: with SMTP id v1mr19397051edq.349.1620216633088; Wed, 05 May 2021 05:10:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620216633; cv=none; d=google.com; s=arc-20160816; b=wwN/ebYnLLBm20qqPSy4ULYkKlbxNXmmtBwj0xiDhVnsprmbKfECda1S6culmvvy1z CNevSWjppU6V3VjEd6HVnXxhmLU82agFnWxd8BQGGl81tyh+uA6wIjxd2Y9Bf4KPUsuT 3350n6DaDMxUMrr2MhX+SYx5cmOmcrm0feSl9tyqJeuCuWXCBzi9/yjTbjcNlFUwRUOw POWeDwrbQeFhC8775yRcm3BtNKPcIqp4Ei8DEUpF8wKg1a1VT0Qm4vyXbzZG0w+zAyyj L5goUhK55Nna06jSyv6Ji7L6MLy8UkDXGctKMv9tA7NhtxuBqL5gJn8w4VQ8ldwiGdKt wHaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=i4CIefQjiY0FAZmHaB72Ae2sVSYm5ZzJY0sO+WnFXK4=; b=oftDvB167jXCtAstpZq3mmsxatm783xNCd4HqQcLO3a+ehKdg3yi56xKaGZYZQr/DF PKDEx9/P2BPauWWQjm4mOhz+0R+NIGxt+DmHQLPKCwFHx7zc7AZ/6J1LaPuFHYZcGdzH PJavyN7lAdB3/+x1YiDqVPm2wvzSfB2/Ewkjy+KqCLSStNPCwTV4rIf9mw9Ka5WZsFqO eYHLu/TZMGVUVCHOl7U8AVgE7HF/1jxW7FMftO4Okc4bIksnfkzVq/eLN+oJQdeJF2kh 4bBJHWdTaOMzwuF/uOYhAhMm6/wM6x6edigtGF0gYFhxnm5s8H8fDItU7//E6P9CMUrw 39/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=qazFcW9m; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a23si5455359ejb.73.2021.05.05.05.10.32; Wed, 05 May 2021 05:10:33 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=qazFcW9m; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233627AbhEEMLT (ORCPT + 12 others); Wed, 5 May 2021 08:11:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:55378 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233637AbhEEMKE (ORCPT ); Wed, 5 May 2021 08:10:04 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id B2A6D613DD; Wed, 5 May 2021 12:09:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620216548; bh=Igo1WVPFrmwofjl9l41M+rRDy5nT8Cc3Jia6nEkAyMA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qazFcW9mZrzMu1Qk/iOEx+4jJnswdR/sJwEGaCcq47F9P9NfF8nU9pZNsMdTeZ2nW HPg8ntHrbhzqIhzelPDQoSeu1dANypxZ7wolOCIcWlHNKOjFh8V/BlrzFSoQlZ7OUt 31PAsslMFotjPSXqiTJLp4zL3F1VoBQejG3VuZ30= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Bjorn Andersson , "David S. Miller" Subject: [PATCH 5.11 08/31] net: qrtr: Avoid potential use after free in MHI send Date: Wed, 5 May 2021 14:05:57 +0200 Message-Id: <20210505112326.938601623@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210505112326.672439569@linuxfoundation.org> References: <20210505112326.672439569@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Bjorn Andersson commit 47a017f33943278570c072bc71681809b2567b3a upstream. It is possible that the MHI ul_callback will be invoked immediately following the queueing of the skb for transmission, leading to the callback decrementing the refcount of the associated sk and freeing the skb. As such the dereference of skb and the increment of the sk refcount must happen before the skb is queued, to avoid the skb to be used after free and potentially the sk to drop its last refcount.. Fixes: 6e728f321393 ("net: qrtr: Add MHI transport layer") Signed-off-by: Bjorn Andersson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/qrtr/mhi.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/net/qrtr/mhi.c +++ b/net/qrtr/mhi.c @@ -50,6 +50,9 @@ static int qcom_mhi_qrtr_send(struct qrt struct qrtr_mhi_dev *qdev = container_of(ep, struct qrtr_mhi_dev, ep); int rc; + if (skb->sk) + sock_hold(skb->sk); + rc = skb_linearize(skb); if (rc) goto free_skb; @@ -59,12 +62,11 @@ static int qcom_mhi_qrtr_send(struct qrt if (rc) goto free_skb; - if (skb->sk) - sock_hold(skb->sk); - return rc; free_skb: + if (skb->sk) + sock_put(skb->sk); kfree_skb(skb); return rc;