2017-10-31 13:24:35 -04:00
From 92964c79b357efd980812c4de5c1fd2ec8bb5520 Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon, 16 May 2016 17:28:16 +0800
Subject: netlink: Fix dump skb leak/double free
When we free cb->skb after a dump, we do it after releasing the
lock. This means that a new dump could have started in the meantime
and we'll end up freeing their skb instead of ours.
This patch saves the skb and module before we unlock so we free
the right memory.
Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/netlink/af_netlink.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
|
|
|
|
index aeefe12..627f898 100644
|
|
|
|
--- a/net/netlink/af_netlink.c
|
|
|
|
+++ b/net/netlink/af_netlink.c
|
|
|
|
@@ -2059,6 +2059,7 @@ static int netlink_dump(struct sock *sk)
|
|
|
|
struct netlink_callback *cb;
|
|
|
|
struct sk_buff *skb = NULL;
|
|
|
|
struct nlmsghdr *nlh;
|
|
|
|
+ struct module *module;
|
|
|
|
int len, err = -ENOBUFS;
|
|
|
|
int alloc_min_size;
|
|
|
|
int alloc_size;
|
|
|
|
@@ -2134,9 +2135,11 @@ static int netlink_dump(struct sock *sk)
|
|
|
|
cb->done(cb);
|
|
|
|
|
|
|
|
nlk->cb_running = false;
|
|
|
|
+ module = cb->module;
|
|
|
|
+ skb = cb->skb;
|
|
|
|
mutex_unlock(nlk->cb_mutex);
|
|
|
|
- module_put(cb->module);
|
|
|
|
- consume_skb(cb->skb);
|
|
|
|
+ module_put(module);
|
|
|
|
+ consume_skb(skb);
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
errout_skb:
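Review bot: The copy-out at `module = cb->module;` / `skb = cb->skb;` is the whole fix, but nothing in the code says why those two loads must precede `mutex_unlock(nlk->cb_mutex)`, so a later cleanup could fold them back into the `module_put`/`consume_skb` calls and reintroduce the use-after-free/double-free the commit message describes. A short comment above the two assignments would pin the invariant: `/* Copy out before unlocking: once cb_running is cleared and cb_mutex is dropped, a new dump may overwrite cb->skb and cb->module. */`. Reusing the function-scope `skb` (declared `= NULL` in the first hunk) to hold the callback's skb is also worth a second look — if, as seems likely, that variable earlier holds the dump buffer that has already been handed off to the socket, a separately named local such as `struct sk_buff *cb_skb` would make it obvious that this is a different buffer, though the rest of netlink_dump is outside the hunk so I cannot confirm how `skb` is used there. netlink_dump starts before this hunk and its errout_skb path continues after it.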
--