Commit 6740236d authored Jan 08, 2019 by Jason Gunthorpe Committed by Greg Kroah-Hartman Jan 23, 2019

packet: Do not leak dev refcounts on error exit



[ Upstream commit d972f3dce8d161e2142da0ab1ef25df00e2f21a9 ]

'dev' is non NULL when the addr_len check triggers so it must goto a label
that does the dev_put otherwise dev will have a leaked refcount.

This bug causes the ib_ipoib module to become unloadable when using
systemd-network as it triggers this check on InfiniBand links.

Fixes: 99137b7888f4 ("packet: validate address length")
Reported-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent b4683849

net/packet/af_packet.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -2666,7 +2666,7 @@ static int tpacket_snd(struct packet_sock po, struct msghdr msg)
		addr = saddr->sll_halen ? saddr->sll_addr : NULL;
		dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
		if (addr && dev && saddr->sll_halen < dev->addr_len)
		goto out;
		goto out_put;
		}

		err = -ENXIO;
		@@ -2866,7 +2866,7 @@ static int packet_snd(struct socket sock, struct msghdr msg, size_t len)
		addr = saddr->sll_halen ? saddr->sll_addr : NULL;
		dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
		if (addr && dev && saddr->sll_halen < dev->addr_len)
		goto out;
		goto out_unlock;
		}

		err = -ENXIO;