Commit 6edd27d2 authored by Oliver Hartkopp's avatar Oliver Hartkopp Committed by Ziyang Xuan

can: raw: add missing refcount for memory leak fix

mainline inclusion
from mainline-v6.5
commit c275a176
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7PM10

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c275a176e4b69868576e543409927ae75e3a3288



---------------------------

Commit ee8b94c8 ("can: raw: fix receiver memory leak") introduced
a new reference to the CAN netdevice that has assigned CAN filters.
But this new ro->dev reference did not maintain its own refcount, which
led to another KASAN use-after-free splat found by Eric Dumazet.

This patch ensures a proper refcount for the CAN netdevice.

Fixes: ee8b94c8 ("can: raw: fix receiver memory leak")
Reported-by: default avatarEric Dumazet <edumazet@google.com>
Cc: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
Link: https://lore.kernel.org/r/20230821144547.6658-3-socketcan@hartkopp.net


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Conflicts:
	net/can/raw.c
Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
parent 504924fa
+25 −9
@@ -283,8 +283,10 @@ static void raw_notify(struct raw_sock *ro, unsigned long msg,
	case NETDEV_UNREGISTER:
		lock_sock(sk);
		/* remove current filters & unregister */
		if (ro->bound)
		if (ro->bound) {
			raw_disable_allfilters(dev_net(dev), dev, sk);
			dev_put(dev);
		}

		if (ro->count > 1)
			kfree(ro->filter);
@@ -388,11 +390,13 @@ static int raw_release(struct socket *sock)

	/* remove current filters & unregister */
	if (ro->bound) {
		if (ro->dev)
		if (ro->dev) {
			raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk);
		else
			dev_put(ro->dev);
		} else {
			raw_disable_allfilters(sock_net(sk), NULL, sk);
		}
	}

	if (ro->count > 1)
		kfree(ro->filter);
@@ -442,10 +446,10 @@ static int raw_bind(struct socket *sock, struct sockaddr *uaddr, int len)
			goto out;
		}
		if (dev->type != ARPHRD_CAN) {
			dev_put(dev);
			err = -ENODEV;
			goto out;
			goto out_put_dev;
		}

		if (!(dev->flags & IFF_UP))
			notify_enetdown = 1;

@@ -453,7 +457,9 @@ static int raw_bind(struct socket *sock, struct sockaddr *uaddr, int len)

		/* filters set by default/setsockopt */
		err = raw_enable_allfilters(sock_net(sk), dev, sk);
		dev_put(dev);
		if (err)
			goto out_put_dev;

	} else {
		ifindex = 0;

@@ -464,17 +470,27 @@ static int raw_bind(struct socket *sock, struct sockaddr *uaddr, int len)
	if (!err) {
		if (ro->bound) {
			/* unregister old filters */
			if (ro->dev)
			if (ro->dev) {
				raw_disable_allfilters(dev_net(ro->dev),
						       ro->dev, sk);
			else
				/* drop reference to old ro->dev */
				dev_put(ro->dev);
			} else {
				raw_disable_allfilters(sock_net(sk), NULL, sk);
			}
		}
		ro->ifindex = ifindex;
		ro->bound = 1;
		/* bind() ok -> hold a reference for new ro->dev */
		ro->dev = dev;
		if (ro->dev)
			dev_hold(ro->dev);
	}

out_put_dev:
	/* remove potential reference from dev_get_by_index() */
	if (dev)
		dev_put(dev);
out:
	release_sock(sk);
	rtnl_unlock();
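Review bot: The `dev_put(dev)` added under `if (ro->bound)` in the NETDEV_UNREGISTER case of raw_notify releases the reference that raw_bind now takes with `dev_hold(ro->dev)`, but nothing in that hunk ties the notifier's `dev` to `ro->dev`, and the pairing is only balanced if raw_notify has already bailed out for any other device and if `ro->dev` is cleared afterwards so raw_release does not put it a second time; both of those presumably sit in the part of raw_notify that lies outside the hunk. A comment at the put would make the invariant visible to the next reader, e.g. `/* drop the ro->dev reference taken in raw_bind(); ro->dev must be cleared below */`. In the last raw_bind hunk the explicit `dev_hold(ro->dev)` followed by the `dev_put(dev)` at `out_put_dev` is a deliberate hold/put pair rather than a transfer of the dev_get_by_index() reference; a one-line comment saying so would stop a later cleanup from "optimising" one of them away. The `if (dev)`/`if (ro->dev)` guards around the hold and put may be redundant depending on whether this kernel's dev_hold()/dev_put() accept NULL, which the hunk does not show.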