Re: [PATCH] net/x25: Fix x25_neigh refcnt leak when receiving frame

From: Yuehaibing
Date: Thu Apr 23 2020 - 03:14:27 EST


On 2020/4/23 13:13, Xiyu Yang wrote:
> x25_lapb_receive_frame() invokes x25_get_neigh(), which returns a
> reference of the specified x25_neigh object to "nb" with increased
> refcnt.
>
> When x25_lapb_receive_frame() returns, local variable "nb" becomes
> invalid, so the refcount should be decreased to keep refcount balanced.
>
> The reference counting issue happens in one path of
> x25_lapb_receive_frame(). When pskb_may_pull() returns false, the
> function forgets to decrease the refcnt increased by x25_get_neigh(),
> causing a refcnt leak.
>
> Fix this issue by calling x25_neigh_put() when pskb_may_pull() returns
> false.
>

Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs")

> Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
> Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx>
> ---
> net/x25/x25_dev.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c
> index 00e782335cb0..25bf72ee6cad 100644
> --- a/net/x25/x25_dev.c
> +++ b/net/x25/x25_dev.c
> @@ -115,8 +115,10 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev,
> goto drop;
> }
>
> - if (!pskb_may_pull(skb, 1))
> + if (!pskb_may_pull(skb, 1)) {
> + x25_neigh_put(nb);
> return 0;
> + }
>
> switch (skb->data[0]) {
>
>
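Review bot: the new `if (!pskb_may_pull(skb, 1)) {` branch drops the `nb` reference but still exits with a bare `return 0;`, while the branch immediately above it exits through `goto drop;`. The `drop` label is outside this hunk, so please confirm whether an skb that fails `pskb_may_pull()` is meant to bypass it; if `drop` is where the skb is released, this path needs the same treatment and not only the `x25_neigh_put(nb)`. It would also be more robust to pair the put with a single exit label after `x25_get_neigh()` succeeds, so that any early return added later in this function cannot reintroduce the imbalance described in the commit message.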