Patch "af_packet: avoid erroring out after sock_init_data() in packet_create()" has been added to the 5.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    af_packet: avoid erroring out after sock_init_data() in packet_create()

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     af_packet-avoid-erroring-out-after-sock_init_data-in.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 99f268cda55fc2c64c3b3cdd9ebaa2fbcac00cab
Author: Ignat Korchagin <ignat@xxxxxxxxxxxxxx>
Date:   Mon Oct 14 16:38:00 2024 +0100

    af_packet: avoid erroring out after sock_init_data() in packet_create()
    
    [ Upstream commit 46f2a11cb82b657fd15bab1c47821b635e03838b ]
    
    After sock_init_data() the allocated sk object is attached to the provided
    sock object. On error, packet_create() frees the sk object leaving the
    dangling pointer in the sock object on return. Some other code may try
    to use this pointer and cause use-after-free.
    
    Suggested-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Signed-off-by: Ignat Korchagin <ignat@xxxxxxxxxxxxxx>
    Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
    Reviewed-by: Willem de Bruijn <willemb@xxxxxxxxxx>
    Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Link: https://patch.msgid.link/20241014153808.51894-2-ignat@xxxxxxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 6aed6a36ea456..88bc4a21dda45 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3357,18 +3357,18 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
 	if (sock->type == SOCK_PACKET)
 		sock->ops = &packet_ops_spkt;
 
+	po = pkt_sk(sk);
+	err = packet_alloc_pending(po);
+	if (err)
+		goto out_sk_free;
+
 	sock_init_data(sock, sk);
 
-	po = pkt_sk(sk);
 	init_completion(&po->skb_completion);
 	sk->sk_family = PF_PACKET;
 	po->num = proto;
 	po->xmit = dev_queue_xmit;
 
-	err = packet_alloc_pending(po);
-	if (err)
-		goto out2;
-
 	packet_cached_dev_reset(po);
 
 	sk->sk_destruct = packet_sock_destruct;
@@ -3403,7 +3403,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
 	preempt_enable();
 
 	return 0;
-out2:
+out_sk_free:
 	sk_free(sk);
 out:
 	return err;




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux