linux/net
Murad Masimov bca0902e61 ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt
If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE
socket option, a refcount leak will occur in ax25_release().

Commit 9fd75b66b8 ("ax25: Fix refcount leaks caused by ax25_cb_del()")
added decrement of device refcounts in ax25_release(). In order for that
to work correctly the refcounts must already be incremented when the
device is bound to the socket. An AX25 device can be bound to a socket
either by calling ax25_bind() or by setting the SO_BINDTODEVICE socket option.
In both cases the refcounts should be incremented, but in fact it is done
only in ax25_bind().

This bug leads to the following issue reported by Syzkaller:

================================================================
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
Modules linked in:
CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
Call Trace:
 <TASK>
 __refcount_dec include/linux/refcount.h:336 [inline]
 refcount_dec include/linux/refcount.h:351 [inline]
 ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236
 netdev_tracker_free include/linux/netdevice.h:4156 [inline]
 netdev_put include/linux/netdevice.h:4173 [inline]
 netdev_put include/linux/netdevice.h:4169 [inline]
 ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069
 __sock_release+0xb0/0x270 net/socket.c:640
 sock_close+0x1c/0x30 net/socket.c:1408
 ...
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 ...
 </TASK>
================================================================

Fix the implementation of ax25_setsockopt() by adding increment of
refcounts for the new device bound, and decrement of refcounts for
the old unbound device.

Fixes: 9fd75b66b8 ("ax25: Fix refcount leaks caused by ax25_cb_del()")
Reported-by: syzbot+33841dc6aa3e1d86b78a@syzkaller.appspotmail.com
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Link: https://patch.msgid.link/20250203091203.1744-1-m.masimov@mt-integration.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-02-06 17:02:40 -08:00
6lowpan
9p net/9p/usbg: allow building as standalone module 2024-11-22 23:48:14 +09:00
802 net: 802: LLC+SNAP OID:PID lookup on start of skb data 2025-01-04 08:06:24 -08:00
8021q net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
appletalk net: appletalk: Drop aarp_send_probe_phase1() 2025-01-20 10:08:19 +00:00
atm
ax25 ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt 2025-02-06 17:02:40 -08:00
batman-adv This cleanup patchset includes the following patches: 2025-01-18 17:57:31 -08:00
bluetooth First batch of fixes for 6.14. Nothing really stands out, 2025-01-30 12:24:20 -08:00
bpf bpf-next-6.14 2025-01-23 08:04:07 -08:00
bridge netfilter: br_netfilter: remove unused conditional and dead code 2025-01-19 16:41:52 +01:00
caif
can sock: support SO_PRIORITY cmsg 2024-12-16 18:13:44 -08:00
ceph ceph: allocate sparse_ext map only for sparse reads 2024-12-16 23:25:44 +01:00
core flow_dissector: use RCU protection to fetch dev_net() 2025-02-06 16:14:15 -08:00
dcb
dccp sysctl net: Remove macro checks for CONFIG_SYSCTL 2025-01-20 12:01:34 -08:00
devlink devlink: Improve the port attributes description 2025-01-02 17:10:57 -08:00
dns_resolver
dsa Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
ethernet
ethtool net: ethtool: tsconfig: Fix netlink type of hwtstamp flags 2025-02-06 16:35:21 -08:00
handshake module: Convert symbol namespace to string literal 2024-12-02 11:34:44 -08:00
hsr First batch of fixes for 6.14. Nothing really stands out, 2025-01-30 12:24:20 -08:00
ieee802154 net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
ife
ipv4 ipv4: icmp: convert to dev_net_rcu() 2025-02-06 16:14:15 -08:00
ipv6 ipv6: Use RCU in ip6_input() 2025-02-06 16:14:15 -08:00
iucv s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() 2024-11-26 10:02:53 +01:00
kcm
key
l2tp l2tp: Use inet_sk_init_flowi4() in l2tp_ip_sendmsg(). 2024-12-20 13:50:09 -08:00
l3mdev
lapb
llc sysctl net: Remove macro checks for CONFIG_SYSCTL 2025-01-20 12:01:34 -08:00
mac80211 Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-01-09 16:11:47 -08:00
mctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-12-19 11:35:07 -08:00
mpls
mptcp mptcp: blackhole only if 1st SYN retrans w/o MPC is accepted 2025-01-30 14:02:19 +01:00
ncsi net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling 2025-01-27 09:20:07 +00:00
netfilter First batch of fixes for 6.14. Nothing really stands out, 2025-01-30 12:24:20 -08:00
netlabel net: corrections for security_secid_to_secctx returns 2025-01-04 22:11:22 -05:00
netlink net: netlink: catch attempts to send empty messages 2024-12-19 18:06:28 -08:00
netrom netrom: check buffer length before accessing it 2024-12-23 10:04:55 -08:00
nfc NFC: nci: Add bounds checking in nci_hci_create_pipe() 2025-01-22 19:39:27 -08:00
nsh
openvswitch openvswitch: fix lockup on tx to unregistering netdev with carrier 2025-01-10 18:20:49 -08:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-01-03 16:29:29 -08:00
phonet phonet: do not call synchronize_rcu() from phonet_route_del() 2024-11-07 20:34:16 -08:00
psample psample: adjust size if rate_as_probability is set 2024-12-18 19:23:04 -08:00
qrtr
rds rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy 2025-01-09 08:53:35 -08:00
rfkill Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
rose net: rose: lock the socket in rose_bind() 2025-02-04 14:03:58 -08:00
rxrpc rxrpc: Fix race in call state changing vs recvmsg() 2025-02-05 18:47:46 -08:00
sched netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() 2025-02-05 18:14:46 -08:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-01-09 16:11:47 -08:00
shaper net: add netdev_lock() / netdev_unlock() helpers 2025-01-15 19:13:33 -08:00
smc net/smc: fix data error when recvmsg with MSG_PEEK flag 2025-01-13 18:59:00 -08:00
strparser
sunrpc assorted stuff for this merge window 2025-02-01 15:07:56 -08:00
switchdev
tipc tipc: re-order conditions in tipc_crypto_key_rcv() 2025-01-20 12:18:26 +00:00
tls tls: skip setting sk_write_space on rekey 2025-01-10 18:34:45 -08:00
unix af_unix: Use consume_skb() in connect() and sendmsg(). 2025-01-20 11:27:42 -08:00
vmw_vsock First batch of fixes for 6.14. Nothing really stands out, 2025-01-30 12:24:20 -08:00
wireless Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
x25
xdp xsk: Bring back busy polling support 2025-01-10 18:07:56 -08:00
xfrm ipsec-2025-01-27 2025-01-27 15:15:12 -08:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c socket: Remove unused kernel_sendmsg_locked 2025-01-14 17:29:04 -08:00
sysctl_net.c