linux-stable/net/tipc
Cong Wang 7d31e5722c tipc: fix the skb_unshare() in tipc_buf_append()
[ Upstream commit ed42989eab ]

skb_unshare() drops a reference count on the old skb unconditionally,
so in the failure case, we end up freeing the skb twice here.
And because the skb is allocated in fclone and cloned by caller
tipc_msg_reassemble(), the consequence is actually freeing the
original skb too, thus triggered the UAF by syzbot.

Fix this by replacing this skb_unshare() with skb_cloned()+skb_copy().

Fixes: ff48b6222e ("tipc: use skb_unshare() instead in tipc_buf_append()")
Reported-and-tested-by: syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com
Cc: Jon Maloy <jmaloy@redhat.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-10-29 09:57:24 +01:00
addr.c tipc: initialise addr_trail_end when setting node addresses 2019-08-11 21:40:04 -07:00
addr.h
bcast.c tipc: fix potential hanging after b/rcast changing 2020-01-23 08:22:44 +01:00
bcast.h tipc: fix a null pointer deref 2019-03-21 09:56:55 -07:00
bearer.c tipc: add loopback device tracking 2019-08-08 22:11:39 -07:00
bearer.h tipc: add loopback device tracking 2019-08-08 22:11:39 -07:00
core.c tipc: fix ordering of tipc module init and exit routine 2019-12-18 16:08:36 +01:00
core.h tipc: add back tipc prefix to log messages 2019-11-14 18:03:03 -08:00
diag.c tipc: switch to rhashtable iterator 2018-08-29 18:04:54 -07:00
discover.c tipc: fix lockdep warning when reinitilaizing sockets 2018-11-17 22:01:31 -08:00
discover.h
eth_media.c
group.c tipc: Fix memory leak in tipc_group_create_member() 2020-09-26 18:03:13 +02:00
group.h tipc: extend sock diag for group communication 2018-06-30 21:05:42 +09:00
ib_media.c
Kconfig docs: kbuild: convert docs to ReST and rename to *.rst 2019-06-14 14:21:21 -06:00
link.c tipc: reduce sensitive to retransmit failures 2020-01-26 10:01:00 +01:00
link.h tipc: fix missing Name entries due to half-failover 2019-05-04 00:59:51 -04:00
Makefile tipc: enable tracepoints in tipc 2018-12-19 11:49:24 -08:00
monitor.c tipc: update mon's self addr when node addr generated 2020-01-26 10:01:00 +01:00
monitor.h tipc: update mon's self addr when node addr generated 2020-01-26 10:01:00 +01:00
msg.c tipc: fix the skb_unshare() in tipc_buf_append() 2020-10-29 09:57:24 +01:00
msg.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-08-19 11:54:03 -07:00
name_distr.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-09-15 14:17:27 +02:00
name_distr.h
name_table.c netlink: make nla_nest_start() add NLA_F_NESTED flag 2019-04-27 17:03:44 -04:00
name_table.h tipc: eliminate message disordering during binding table update 2018-10-22 19:29:12 -07:00
net.c tipc: update mon's self addr when node addr generated 2020-01-26 10:01:00 +01:00
net.h tipc: fix lockdep warning when reinitilaizing sockets 2018-11-17 22:01:31 -08:00
netlink.c tipc: add missing attribute validation for MTU property 2020-03-18 07:17:45 +01:00
netlink.h
netlink_compat.c tipc: fix uninit skb->data in tipc_nl_compat_dumpit() 2020-09-03 11:26:40 +02:00
node.c tipc: clean up skb list lock handling on send path 2019-08-18 14:01:07 -07:00
node.h tipc: optimize link synching mechanism 2019-07-25 15:55:47 -07:00
socket.c tipc: fix link overflow issue at socket shutdown 2020-10-01 13:17:24 +02:00
socket.h tipc: add trace_events for tipc socket 2018-12-19 11:49:24 -08:00
subscr.c
subscr.h tipc: fix modprobe tipc failed after switch order of device registration 2019-05-20 10:45:43 -07:00
sysctl.c proc/sysctl: add shared variables for range check 2019-07-18 17:08:07 -07:00
topsrv.c tipc: fix memory leak in service subscripting 2020-10-01 13:18:00 +02:00
topsrv.h
trace.c tipc: remove unneeded semicolon in trace.c 2019-01-17 22:04:43 -08:00
trace.h tipc: add trace_events for tipc bearer 2018-12-19 11:49:25 -08:00
udp_media.c tipc: block BH before using dst_cache 2020-06-03 08:21:03 +02:00
udp_media.h