android_kernel_oneplus_msm8998/net/tipc
Cong Wang 77cffe70bc tipc: fix the skb_unshare() in tipc_buf_append()
[ Upstream commit ed42989eab57d619667d7e87dfbd8fe207db54fe ]

skb_unshare() drops a reference count on the old skb unconditionally,
so in the failure case, we end up freeing the skb twice here.
And because the skb is allocated in fclone and cloned by caller
tipc_msg_reassemble(), the consequence is actually freeing the
original skb too, thus triggering the UAF reported by syzbot.

Fix this by replacing this skb_unshare() with skb_cloned()+skb_copy().

Fixes: ff48b6222e65 ("tipc: use skb_unshare() instead in tipc_buf_append()")
Reported-and-tested-by: syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com
Cc: Jon Maloy <jmaloy@redhat.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-10-29 09:03:00 +01:00
addr.c tipc: simplify include dependencies 2015-05-14 12:24:45 -04:00
addr.h tipc: simplify include dependencies 2015-05-14 12:24:45 -04:00
bcast.c tipc: unlock in error path 2016-03-03 15:07:07 -08:00
bcast.h tipc: clean up unused code and structures 2015-10-24 06:56:47 -07:00
bearer.c tipc: check minimum bearer MTU 2017-04-30 05:49:28 +02:00
bearer.h tipc: check minimum bearer MTU 2017-04-30 05:49:28 +02:00
core.c tipc: fix ordering of tipc module init and exit routine 2019-12-21 10:35:39 +01:00
core.h tipc: make dist queue pernet 2017-04-30 05:49:27 +02:00
discover.c tipc: let neighbor discoverer transmit consumable buffers 2015-10-24 06:56:44 -07:00
discover.h tipc: involve namespace infrastructure 2015-01-12 16:24:32 -05:00
eth_media.c tipc: make media address offset a common define 2015-02-27 18:18:48 -05:00
ib_media.c tipc: rename media/msg related definitions 2015-02-27 18:18:48 -05:00
Kconfig tipc: add ip/udp media type 2015-03-05 22:08:42 -05:00
link.c tipc: fix skb may be leaky in tipc_link_input 2019-12-05 15:27:07 +01:00
link.h tipc: fix link attribute propagation bug 2017-11-18 11:11:07 +01:00
Makefile tipc: add ip/udp media type 2015-03-05 22:08:42 -05:00
msg.c tipc: fix the skb_unshare() in tipc_buf_append() 2020-10-29 09:03:00 +01:00
msg.h tipc: let broadcast packet reception use new link receive function 2015-10-24 06:56:37 -07:00
name_distr.c tipc: add NULL pointer check before calling kfree_rcu 2019-09-21 07:12:41 +02:00
name_distr.h tipc: resolve race problem at unicast message reception 2015-02-05 16:00:02 -08:00
name_table.c tipc: rename functions defined in subscr.c 2015-05-04 15:04:00 -04:00
name_table.h tipc: convert legacy nl name table dump to nl compat 2015-02-09 13:20:48 -08:00
net.c tipc: add policy for TIPC_NLA_NET_ADDR 2018-04-29 07:50:06 +02:00
net.h tipc: make tipc node table aware of net namespace 2015-01-12 16:24:32 -05:00
netlink.c tipc: move and rename the legacy nl api to "nl compat" 2015-02-09 13:20:47 -08:00
netlink.h tipc: move and rename the legacy nl api to "nl compat" 2015-02-09 13:20:47 -08:00
netlink_compat.c tipc: fix uninit skb->data in tipc_nl_compat_dumpit() 2020-09-03 11:19:22 +02:00
node.c tipc: correct error in node fsm 2017-04-30 05:49:27 +02:00
node.h tipc: clean up unused code and structures 2015-10-24 06:56:47 -07:00
server.c tipc: fix memory leak in tipc_accept_from_sock() 2017-12-16 10:33:56 +01:00
server.h tipc: make subscriber server support net namespace 2015-01-12 16:24:33 -05:00
socket.c tipc: fix socket timer deadlock 2017-04-30 05:49:28 +02:00
socket.h tipc: clean up socket layer message reception 2015-07-26 16:31:50 -07:00
subscr.c tipc: fix modprobe tipc failed after switch order of device registration -v2 2019-06-11 12:24:07 +02:00
subscr.h tipc: fix modprobe tipc failed after switch order of device registration -v2 2019-06-11 12:24:07 +02:00
sysctl.c tipc: set sysctl_tipc_rmem and named_timeout right range 2020-01-29 10:21:42 +01:00
udp_media.c net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2020-05-20 08:11:37 +02:00