[PATCH 4.4 094/158] netrom: hold sock when setting skb->destructor

2 Aug 2019

From: Cong Wang xiyou.wangcong@gmail.com
[ Upstream commit 4638faac032756f7eab5524be7be56bee77e426b ]
sock_efree() releases the sock refcnt, if we don't hold this refcnt
when setting skb->destructor to it, the refcnt would not be balanced.
This leads to several bug reports from syzbot.
I have checked other users of sock_efree(), all of them hold the
sock refcnt.
Fixes: c8c8218ec5af ("netrom: fix a memory leak in nr_rx_frame()")
Reported-and-tested-by: syzbot+622bdabb128acc33427d@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+6eaef7158b19e3fec3a0@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+9399c158fcc09b21d0d2@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+a34e5f3d0300163f0c87@syzkaller.appspotmail.com
Cc: Ralf Baechle ralf@linux-mips.org
Signed-off-by: Cong Wang xiyou.wangcong@gmail.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 net/netrom/af_netrom.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -968,6 +968,7 @@ int nr_rx_frame(struct sk_buff *skb, str
window = skb->data[20];
+	sock_hold(make);
    skb->sk             = make;
    skb->destructor     = sock_efree;
    make->sk_state	    = TCP_ESTABLISHED;

    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 4.4 094/158] netrom: hold sock when setting skb->destructor