From patchwork Fri Mar 8 07:25:55 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 1053388 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="vJj5y6vq"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 44Fzbq1ZVYz9s7h for ; Fri, 8 Mar 2019 18:27:35 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726450AbfCHH0E (ORCPT ); Fri, 8 Mar 2019 02:26:04 -0500 Received: from mail-pf1-f196.google.com ([209.85.210.196]:43142 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726275AbfCHH0E (ORCPT ); Fri, 8 Mar 2019 02:26:04 -0500 Received: by mail-pf1-f196.google.com with SMTP id q17so13494514pfh.10 for ; Thu, 07 Mar 2019 23:26:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=EkYSTsq7vNN/xKu+hziJ5ym/gI3Id2bkDmkCq71j8rs=; b=vJj5y6vqawWT2qjGBkzHLjYTisyEMg4wrkc+rBzCk/FIULFOSMTzXj4omWZwFtPFBs eSQSM+3kzKHP0APRujUjxLf8dg2LprC0i/pgUnIh6VnWp0JuNtWimTNWVLsXSnS5hi5g WGKcJJqZ/LjdrJDW37Q8XAj4YmeR4jooRpcODzQ9Tz9F3VrjIL5omGtlM8/AhfwfUILq Ov9e7JIMtRMElQlrDCKMOR/3QUIVZ1QMCI4bLZpoHhhpZXAxuiM8BlLfQDKWKYFAyltX Nt+6QntqZhd0r2jPmV3s6lY4bht7IT/AM6tQCCjf374Ktzc/aMNJu4y3rlgq8xS6591v E7vA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=EkYSTsq7vNN/xKu+hziJ5ym/gI3Id2bkDmkCq71j8rs=; b=ecYv9DbmxuN+aDZnyoa7V6a/2cVzXGIE6q3k7WXCLsOmMbGOV2UAD8ENG3MB3i7Nbo qu2Qb2UXD5XZvtyGDakqqoCnT698hJkmMUdJAVBhRrofTX6/oDn3cf8zyOwD6yLDhEeL g5q6NvnOSFPaRMU40csWy9T2FqMaqUFt6Ssky6qh8CTpZY9CtD2wqIV2hT+rXKrC1tQs sLKOpbRuPu9V1rFKOH09bng21vk99Mk00QesQeYi0caDOO8WLYGlaj4TXzVVtZgd6o3d oEIYNIJj90hylXJWqUNqBvBCsJNZf7uzAi7U4sFnS8FMaq692AVyj7IK6XEIZR4NgGat I0Zg== X-Gm-Message-State: APjAAAUYnShC8XKsGjN7IWKXBnZKbhg1u+6BezUUwjz6/i8FOF/B9JrI cxsWgnagG4a6Vw7Cr9c1chCkH0KW X-Google-Smtp-Source: APXvYqw6VfnVtDMDCWq4MbdKJnlkdKguBMwQRFvL0yHVLcQiAQCbEiIbPtdg+3HufnEjn8lajcIuog== X-Received: by 2002:a17:902:848b:: with SMTP id c11mr16546960plo.279.1552029963558; Thu, 07 Mar 2019 23:26:03 -0800 (PST) Received: from localhost ([209.132.188.80]) by smtp.gmail.com with ESMTPSA id y14sm16630242pgs.47.2019.03.07.23.26.02 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Mar 2019 23:26:02 -0800 (PST) From: Xin Long To: network dev Cc: davem@davemloft.net, Dmitry Kozlov Subject: [PATCH net] pptp: dst_release sk_dst_cache in pptp_sock_destruct Date: Fri, 8 Mar 2019 15:25:55 +0800 Message-Id: <102f4ec1ec622e054bb226f7b31e739c31e795ff.1552029955.git.lucien.xin@gmail.com> X-Mailer: git-send-email 2.1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org sk_setup_caps() is called to set sk->sk_dst_cache in pptp_connect, so we have to dst_release(sk->sk_dst_cache) in pptp_sock_destruct, otherwise, the dst refcnt will leak. It can be reproduced by this syz log: r1 = socket$pptp(0x18, 0x1, 0x2) bind$pptp(r1, &(0x7f0000000100)={0x18, 0x2, {0x0, @local}}, 0x1e) connect$pptp(r1, &(0x7f0000000000)={0x18, 0x2, {0x3, @remote}}, 0x1e) Consecutive dmesg warnings will occur: unregister_netdevice: waiting for lo to become free. Usage count = 1 Fixes: 00959ade36ac ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)") Reported-by: Xiumei Mu Signed-off-by: Xin Long --- drivers/net/ppp/pptp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c index 8f09edd..76172c2 100644 --- a/drivers/net/ppp/pptp.c +++ b/drivers/net/ppp/pptp.c @@ -532,6 +532,7 @@ static void pptp_sock_destruct(struct sock *sk) pppox_unbind_sock(sk); } skb_queue_purge(&sk->sk_receive_queue); + dst_release(rcu_dereference_check(sk->sk_dst_cache, 1)); } static int pptp_create(struct net *net, struct socket *sock, int kern)