net/llc: avoid BUG_ON() in skb_orphan() (42b52783) · Commits · e / devices / android_kernel_fairphone_FP3

[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ] It seems nobody used LLC since linux-3.12. Fortunately fuzzers like syzkaller still know how to run this code, otherwise it would be no fun. Setting skb->sk without skb->destructor leads to all kinds of bugs, we now prefer to be very strict about it. Ideally here we would use skb_set_owner() but this helper does not exist yet, only CAN seems to have a private helper for that. Fixes: ("net: add a temporary sanity check in skb_orphan()") Signed-off-by:

Eric Dumazet <edumazet@google.com> Reported-by:

Andrey Konovalov <andreyknvl@google.com> Signed-off-by:

David S. Miller <davem@davemloft.net> Signed-off-by:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net/llc/llc_conn.c

+3 −0

Original line number	Original line	Diff line number	Diff line
	@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap sap, struct sk_buff skb)
	* another trick required to cope with how the PROCOM state		* another trick required to cope with how the PROCOM state
	* machine works. -acme		* machine works. -acme
	*/		*/
			skb_orphan(skb);
			sock_hold(sk);
	skb->sk = sk;		skb->sk = sk;
			skb->destructor = sock_efree;
	}		}
	if (!sock_owned_by_user(sk))		if (!sock_owned_by_user(sk))
	llc_conn_rcv(sk, skb);		llc_conn_rcv(sk, skb);

net/llc/llc_sap.c

+3 −0

Original line number	Original line	Diff line number	Diff line
	@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap sap, struct sk_buff skb,

	ev->type = LLC_SAP_EV_TYPE_PDU;		ev->type = LLC_SAP_EV_TYPE_PDU;
	ev->reason = 0;		ev->reason = 0;
			skb_orphan(skb);
			sock_hold(sk);
	skb->sk = sk;		skb->sk = sk;
			skb->destructor = sock_efree;
	llc_sap_state_process(sap, skb);		llc_sap_state_process(sap, skb);
	}		}