It looks like I lost track of this browser tab a lot longer than I
expected.

Thanks Hangyu Hua for the fixes! :)

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1953022

Title:
  refcount leak in pep_sock_accept

Status in linux package in Ubuntu:
  New

Bug description:
  sock_hold(sk) is invoked in pep_sock_accept(), but __sock_put() is not
  invoked in the subsequent failure branch (pep_accept_conn() != 0), so
  every failed accept leaves the listening socket sk with one extra
  reference that is never dropped.

  static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp,
                                    bool kern)
  {
        struct pep_sock *pn = pep_sk(sk), *newpn;
        struct sock *newsk = NULL;
        struct sk_buff *skb;
        struct pnpipehdr *hdr;
        struct sockaddr_pn dst, src;
        int err;
        u16 peer_type;
        u8 pipe_handle, enabled, n_sb;
        u8 aligned = 0;
  ...
        newsk = sk_alloc(sock_net(sk), PF_PHONET, GFP_KERNEL, sk->sk_prot,
                         kern);
        if (!newsk) {
                pep_reject_conn(sk, skb, PN_PIPE_ERR_OVERLOAD, GFP_KERNEL);
                err = -ENOBUFS;
                goto drop;
        }
  ...
        sock_hold(sk);    <---- here,sk->sk_refcnt++
        newpn->listener = sk;
        skb_queue_head_init(&newpn->ctrlreq_queue);
        newpn->pipe_handle = pipe_handle;
        atomic_set(&newpn->tx_credits, 0);
        newpn->ifindex = 0;
        newpn->peer_type = peer_type;
        newpn->rx_credits = 0;
        newpn->rx_fc = newpn->tx_fc = PN_LEGACY_FLOW_CONTROL;
        newpn->init_enable = enabled;
        newpn->aligned = aligned;

        err = pep_accept_conn(newsk, skb);
        if (err) {
        sock_put(newsk);    <---- sk->sk_refcnt-- may be needed before this sock_put(newsk)
                newsk = NULL;
                goto drop;
        }
        sk_add_node(newsk, &pn->hlist);
  drop:
        release_sock(sk);
        kfree_skb(skb);
        *errp = err;
        return newsk;
  }


  My suggestion for the patch:

  static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp,
                                    bool kern)
  {
  ...
        err = pep_accept_conn(newsk, skb);
        if (err) {
  +++             __sock_put(sk);
                sock_put(newsk);   
                newsk = NULL;
                goto drop;
        }
        sk_add_node(newsk, &pn->hlist);
  drop:
        release_sock(sk);
        kfree_skb(skb);
        *errp = err;
        return newsk;
  }



