diff options
author | Taehee Yoo <ap420073@gmail.com> | 2022-06-02 16:01:07 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2022-06-06 23:27:35 +0200 |
commit | d16207f92a4a823c48b4ea953ad51f4483456768 (patch) | |
tree | 79489aee3ab060da1dd38cc81c92f51c53504336 /drivers | |
parent | amt: fix wrong usage of pskb_may_pull() (diff) | |
download | linux-d16207f92a4a823c48b4ea953ad51f4483456768.tar.xz linux-d16207f92a4a823c48b4ea953ad51f4483456768.zip |
amt: fix possible null-ptr-deref in amt_rcv()
When amt interface receives amt message, it tries to obtain amt private
data from sock.
If there is no amt private data, it frees an skb immediately.
After kfree_skb(), it increases the rx_dropped stats.
But in order to use rx_dropped, amt private data is needed.
So, it makes amt_rcv() to do not increase rx_dropped stats when it can
not obtain amt private data.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 1a1a0e80e005 ("amt: fix possible memory leak in amt_rcv()")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/amt.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/net/amt.c b/drivers/net/amt.c index 900948e135ad..ef483bf51033 100644 --- a/drivers/net/amt.c +++ b/drivers/net/amt.c @@ -2698,7 +2698,8 @@ static int amt_rcv(struct sock *sk, struct sk_buff *skb) amt = rcu_dereference_sk_user_data(sk); if (!amt) { err = true; - goto drop; + kfree_skb(skb); + goto out; } skb->dev = amt->dev; |