diff mbox series

[4.14,035/210] netfilter: nf_queue: fix socket leak

Message ID	20221024112958.115275475@linuxfoundation.org
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, "fw@strlen.de, avimalin@gmail.com, Vimal Agrawal" <vimal.agrawal@sophos.com>, Florian Westphal <fw@strlen.de>, Vimal Agrawal <vimal.agrawal@sophos.com> Subject: [PATCH 4.14 035/210] netfilter: nf_queue: fix socket leak Date: Mon, 24 Oct 2022 13:29:12 +0200 Message-Id: <20221024112958.115275475@linuxfoundation.org> In-Reply-To: <20221024112956.797777597@linuxfoundation.org> References: <20221024112956.797777597@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| [4.14,002/210] usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS [4.14,003/210] uas: ignore UAS for Thinkplus chips [4.14,004/210] net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 [4.14,005/210] ntfs: fix BUG_ON in ntfs_lookup_inode_by_name() [4.14,006/210] mmc: moxart: fix 4-bit bus width and remove 8-bit bus width [4.14,007/210] mm/page_alloc: fix race condition between build_all_zonelists and page allocation [4.14,008/210] mm: prevent page_frag_alloc() from corrupting the memory [4.14,009/210] mm/migrate_device.c: flush TLB while holding PTL [4.14,010/210] soc: sunxi: sram: Actually claim SRAM regions [4.14,011/210] soc: sunxi: sram: Fix debugfs info for A64 SRAM C [4.14,012/210] Revert "drm: bridge: analogix/dp: add panel prepare/unprepare in suspend/resume time" [4.14,013/210] Input: melfas_mip4 - fix return value check in mip4_probe() [4.14,014/210] usbnet: Fix memory leak in usbnet_disconnect() [4.14,015/210] nvme: add new line after variable declatation [4.14,016/210] nvme: Fix IOC_PR_CLEAR and IOC_PR_RELEASE ioctls for nvme devices [4.14,017/210] selftests: Fix the if conditions of in test_extra_filter() [4.14,018/210] clk: iproc: Minor tidy up of iproc pll data structures [4.14,019/210] clk: iproc: Do not rely on node name for correct PLL setup [4.14,020/210] Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 [4.14,021/210] i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr() [4.14,022/210] ARM: fix function graph tracer and unwinder dependencies [4.14,023/210] fs: fix UAF/GPF bug in nilfs_mdt_destroy [4.14,024/210] dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property [4.14,025/210] dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure [4.14,026/210] ARM: dts: fix Moxa SDIO compatible, remove sdhci misnomer [4.14,027/210] net/ieee802154: fix uninit value bug in dgram_sendmsg [4.14,028/210] um: Cleanup syscall_handler_t cast in syscalls_32.h [4.14,029/210] um: Cleanup compiler warning in arch/x86/um/tls_32.c [4.14,030/210] usb: mon: make mmapped memory read only [4.14,031/210] USB: serial: ftdi_sio: fix 300 bps rate for SIO [4.14,032/210] mmc: core: Replace with already defined values for readability [4.14,033/210] mmc: core: Terminate infinite loop in SD-UHS voltage switch [4.14,034/210] rpmsg: qcom: glink: replace strncpy() with strscpy_pad() [4.14,035/210] netfilter: nf_queue: fix socket leak [4.14,036/210] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level() [4.14,037/210] nilfs2: fix leak of nilfs_root in case of writer thread creation failure [4.14,038/210] nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure [4.14,039/210] ceph: dont truncate file in atomic_open [4.14,040/210] random: clamp credited irq bits to maximum mixed [4.14,041/210] ALSA: hda: Fix position reporting on Poulsbo [4.14,042/210] scsi: stex: Properly zero out the passthrough command structure [4.14,043/210] USB: serial: qcserial: add new usb-id for Dell branded EM7455 [4.14,044/210] random: restore O_NONBLOCK support [4.14,045/210] random: avoid reading two cache lines on irq randomness [4.14,046/210] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate [4.14,047/210] Input: xpad - add supported devices as contributed on github [4.14,048/210] Input: xpad - fix wireless 360 controller breaking after suspend [4.14,049/210] random: use expired timer rather than wq for mixing fast pool [4.14,050/210] ALSA: oss: Fix potential deadlock at unregistration [4.14,051/210] ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() [4.14,052/210] ALSA: usb-audio: Fix potential memory leaks [4.14,053/210] ALSA: usb-audio: Fix NULL dererence at error path [4.14,054/210] iio: dac: ad5593r: Fix i2c read protocol requirements [4.14,055/210] fs: dlm: fix race between test_bit() and queue_work() [4.14,056/210] fs: dlm: handle -EBUSY first in lock arg validation [4.14,057/210] HID: multitouch: Add memory barriers [4.14,058/210] quota: Check next/prev free block number after reading from quota file [4.14,059/210] regulator: qcom_rpm: Fix circular deferral regression [4.14,060/210] Revert "fs: check FMODE_LSEEK to control internal pipe splicing" [4.14,061/210] parisc: fbdev/stifb: Align graphics memory size to 4MB [4.14,062/210] UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK [4.14,063/210] PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge [4.14,064/210] fbdev: smscufx: Fix use-after-free in ufx_ops_open() [4.14,065/210] nilfs2: fix use-after-free bug of struct nilfs_root [4.14,066/210] nilfs2: fix lockdep warnings in page operations for btree nodes [4.14,067/210] nilfs2: fix lockdep warnings during disk space reclamation [4.14,068/210] ext4: avoid crash when inline data creation follows DIO write [4.14,069/210] ext4: fix null-ptr-deref in ext4_write_info [4.14,070/210] ext4: make ext4_lazyinit_thread freezable [4.14,071/210] ext4: place buffer head allocation before handle start [4.14,072/210] livepatch: fix race between fork and KLP transition [4.14,073/210] ftrace: Properly unset FTRACE_HASH_FL_MOD [4.14,074/210] ring-buffer: Allow splice to read previous partially read pages [4.14,075/210] ring-buffer: Check pending waiters when doing wake ups as well [4.14,076/210] ring-buffer: Fix race between reset page and reading page [4.14,077/210] KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility [4.14,078/210] KVM: nVMX: Unconditionally purge queued/injected events on nested "exit" [4.14,079/210] gcov: support GCC 12.1 and newer compilers [4.14,080/210] selinux: use "grep -E" instead of "egrep" [4.14,081/210] sh: machvec: Use char[] for section boundaries [4.14,082/210] wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() [4.14,083/210] wifi: mac80211: allow bw change during channel switch in mesh [4.14,084/210] wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() [4.14,085/210] spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume() [4.14,086/210] spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime() [4.14,087/210] wifi: rtl8xxxu: Fix skb misuse in TX queue selection [4.14,088/210] wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration [4.14,089/210] net: fs_enet: Fix wrong check in do_pd_setup [4.14,090/210] spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe [4.14,091/210] netfilter: nft_fib: Fix for rpath check with VRF devices [4.14,092/210] spi: s3c64xx: Fix large transfers with DMA [4.14,093/210] vhost/vsock: Use kvmalloc/kvfree for larger packets. [4.14,094/210] mISDN: fix use-after-free bugs in l1oip timer handlers [4.14,095/210] tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited [4.14,096/210] net: rds: dont hold sock lock when cancelling work from rds_tcp_reset_callbacks() [4.14,097/210] bnx2x: fix potential memory leak in bnx2x_tpa_stop() [4.14,098/210] drm/mipi-dsi: Detach devices when removing the host [4.14,099/210] platform/x86: msi-laptop: Fix old-ec check for backlight registering [4.14,100/210] platform/x86: msi-laptop: Fix resource cleanup [4.14,101/210] drm/bridge: megachips: Fix a null pointer dereference bug [4.14,102/210] mmc: au1xmmc: Fix an error handling path in au1xmmc_probe() [4.14,103/210] ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API [4.14,104/210] ALSA: dmaengine: increment buffer pointer atomically [4.14,105/210] mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe() [4.14,106/210] memory: of: Fix refcount leak bug in of_get_ddr_timings() [4.14,107/210] soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() [4.14,108/210] soc: qcom: smem_state: Add refcounting for the state->of_node [4.14,109/210] ARM: dts: turris-omnia: Fix mpp26 pin name and comment [4.14,110/210] ARM: dts: kirkwood: lsxl: fix serial line [4.14,111/210] ARM: dts: kirkwood: lsxl: remove first ethernet port [4.14,112/210] ARM: Drop CMDLINE_* dependency on ATAGS [4.14,113/210] ARM: dts: exynos: fix polarity of VBUS GPIO of Origen [4.14,114/210] iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX [4.14,115/210] iio: inkern: only release the device node when done with it [4.14,116/210] iio: ABI: Fix wrong format of differential capacitance channel ABI. [4.14,117/210] clk: oxnas: Hold reference returned by of_get_parent() [4.14,118/210] clk: tegra: Fix refcount leak in tegra210_clock_init [4.14,119/210] clk: tegra: Fix refcount leak in tegra114_clock_init [4.14,120/210] clk: tegra20: Fix refcount leak in tegra20_clock_init [4.14,121/210] HSI: omap_ssi: Fix refcount leak in ssi_probe [4.14,122/210] HSI: omap_ssi_port: Fix dma_map_sg error check [4.14,123/210] media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop [4.14,124/210] tty: xilinx_uartps: Fix the ignore_status [4.14,125/210] media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init [4.14,126/210] RDMA/rxe: Fix "kernel NULL pointer dereference" error [4.14,127/210] RDMA/rxe: Fix the error caused by qp->sk [4.14,128/210] dyndbg: fix module.dyndbg handling [4.14,129/210] dyndbg: let query-modname override actual module name [4.14,130/210] ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting() [4.14,131/210] ata: fix ata_id_has_devslp() [4.14,132/210] ata: fix ata_id_has_ncq_autosense() [4.14,133/210] ata: fix ata_id_has_dipm() [4.14,134/210] md/raid5: Ensure stripe_fill happens on non-read IO with journal [4.14,135/210] xhci: Dont show warning for reinit on known broken suspend [4.14,136/210] usb: gadget: function: fix dangling pnp_string in f_printer.c [4.14,137/210] drivers: serial: jsm: fix some leaks in probe [4.14,138/210] phy: qualcomm: call clk_disable_unprepare in the error handling [4.14,139/210] firmware: google: Test spinlock on panic path to avoid lockups [4.14,140/210] serial: 8250: Fix restoring termios speed after suspend [4.14,141/210] fsi: core: Check error number after calling ida_simple_get [4.14,142/210] mfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe() [4.14,143/210] mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq() [4.14,144/210] mfd: lp8788: Fix an error handling path in lp8788_probe() [4.14,145/210] mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init() [4.14,146/210] mfd: sm501: Add check for platform_driver_register() [4.14,147/210] dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup() [4.14,148/210] spmi: pmic-arb: correct duplicate APID to PPID mapping logic [4.14,149/210] clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration [4.14,150/210] clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe [4.14,151/210] mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg [4.14,152/210] powerpc/math_emu/efp: Include module.h [4.14,153/210] powerpc/sysdev/fsl_msi: Add missing of_node_put() [4.14,154/210] powerpc/pci_dn: Add missing of_node_put() [4.14,155/210] powerpc/powernv: add missing of_node_put() in opal_export_attrs() [4.14,156/210] powerpc: Fix SPE Power ISA properties for e500v1 platforms [4.14,157/210] iommu/omap: Fix buffer overflow in debugfs [4.14,158/210] iommu/iova: Fix module config properly [4.14,159/210] crypto: cavium - prevent integer overflow loading firmware [4.14,160/210] f2fs: fix race condition on setting FI_NO_EXTENT flag [4.14,161/210] ACPI: video: Add Toshiba Satellite/Portege Z830 quirk [4.14,162/210] MIPS: BCM47XX: Cast memcmp() of function to (void *) [4.14,163/210] powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue [4.14,164/210] thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash [4.14,165/210] x86/entry: Work around Clang __bdos() bug [4.14,166/210] NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data [4.14,167/210] wifi: brcmfmac: fix invalid address access when enabling SCAN log level [4.14,168/210] openvswitch: Fix double reporting of drops in dropwatch [4.14,169/210] openvswitch: Fix overreporting of drops in dropwatch [4.14,170/210] tcp: annotate data-race around tcp_md5sig_pool_populated [4.14,171/210] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() [4.14,172/210] xfrm: Update ipcomp_scratches with NULL when freed [4.14,173/210] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() [4.14,174/210] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() [4.14,175/210] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times [4.14,176/210] can: bcm: check the result of can_send() in bcm_can_tx() [4.14,177/210] wifi: rt2x00: dont run Rt5592 IQ calibration on MT7620 [4.14,178/210] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 [4.14,179/210] wifi: rt2x00: set SoC wmac clock register [4.14,180/210] wifi: rt2x00: correctly set BBP register 86 for MT7620 [4.14,181/210] net: If sock is dead dont access socks sk_wq in sk_stream_wait_memory [4.14,182/210] Bluetooth: L2CAP: Fix user-after-free [4.14,183/210] r8152: Rate limit overflow messages [4.14,184/210] drm: Use size_t type for len variable in drm_copy_field() [4.14,185/210] drm: Prevent drm_copy_field() to attempt copying a NULL pointer [4.14,186/210] drm/vc4: vec: Fix timings for VEC modes [4.14,187/210] platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading [4.14,188/210] drm/amdgpu: fix initial connector audio value [4.14,189/210] ARM: dts: imx7d-sdb: config the max pressure for tsc2046 [4.14,190/210] ARM: dts: imx6q: add missing properties for sram [4.14,191/210] ARM: dts: imx6dl: add missing properties for sram [4.14,192/210] ARM: dts: imx6qp: add missing properties for sram [4.14,193/210] ARM: dts: imx6sl: add missing properties for sram [4.14,194/210] media: cx88: Fix a null-ptr-deref bug in buffer_prepare() [4.14,195/210] scsi: 3w-9xxx: Avoid disabling device if failing to enable it [4.14,196/210] nbd: Fix hung when signal interrupts nbd_start_device_ioctl() [4.14,197/210] HID: roccat: Fix use-after-free in roccat_read() [4.14,198/210] md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d [4.14,199/210] usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info() [4.14,200/210] usb: musb: Fix musb_gadget.c rxstate overflow bug [4.14,201/210] Revert "usb: storage: Add quirk for Samsung Fit flash" [4.14,202/210] usb: idmouse: fix an uninit-value in idmouse_open [4.14,203/210] perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc [4.14,204/210] net: ieee802154: return -EINVAL for unknown addr type [4.14,205/210] net/ieee802154: dont warn zero-sized raw_sendmsg() [4.14,206/210] ext4: continue to expand file system when the target size doesnt reach [4.14,207/210] md: Replace snprintf with scnprintf [4.14,208/210] efi: libstub: drop pointless get_memory_map() call [4.14,209/210] inet: fully convert sk->sk_rx_dst to RCU rules [4.14,210/210] thermal: intel_powerclamp: Use first online CPU as control_cpu

Commit Message

Greg KH Oct. 24, 2022, 11:29 a.m. UTC

  From: Vimal Agrawal <avimalin@gmail.com>

Removal of the sock_hold got lost when backporting commit 4d05239203fa
("netfilter: nf_queue: fix possible use-after-free") to 4.14

This was causing a socket leak and was caught by kmemleak.
Tested by running kmemleak again with this fix.

Fixes: ef97921ccdc2 ("netfilter: nf_queue: fix possible use-after-free") in 4.14
Signed-off-by: Vimal Agrawal <vimal.agrawal@sophos.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_queue.c |    2 --
 1 file changed, 2 deletions(-)

diff mbox series

Patch

--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -91,8 +91,6 @@  bool nf_queue_entry_get_refs(struct nf_q
 		dev_hold(state->in);
 	if (state->out)
 		dev_hold(state->out);
-	if (state->sk)
-		sock_hold(state->sk);
 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 	if (entry->skb->nf_bridge) {
 		struct net_device *physdev;