Commit 62dba282 authored by Kuniyuki Iwashima's avatar Kuniyuki Iwashima Committed by Jakub Kicinski

atm: clip: Fix memory leak of struct clip_vcc.



ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to
vcc->user_back.

The code assumes that vcc_destroy_socket() passes NULL skb
to vcc->push() when the socket is close()d, and then clip_push()
frees clip_vcc.

However, ioctl(ATMARPD_CTRL) sets vcc->push() to NULL in
atm_init_atmarp(), resulting in a memory leak.

Let's serialise two ioctl() by lock_sock() and check vcc->push()
in atm_init_atmarp() to prevent memleak.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250704062416.1613927-3-kuniyu@google.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 706cc364
+8 −0
@@ -645,6 +645,9 @@ static struct atm_dev atmarpd_dev = {

static int atm_init_atmarp(struct atm_vcc *vcc)
{
	if (vcc->push == clip_push)
		return -EINVAL;

	mutex_lock(&atmarpd_lock);
	if (atmarpd) {
		mutex_unlock(&atmarpd_lock);
@@ -669,6 +672,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc)
static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
{
	struct atm_vcc *vcc = ATM_SD(sock);
	struct sock *sk = sock->sk;
	int err = 0;

	switch (cmd) {
@@ -689,14 +693,18 @@ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
		err = clip_create(arg);
		break;
	case ATMARPD_CTRL:
		lock_sock(sk);
		err = atm_init_atmarp(vcc);
		if (!err) {
			sock->state = SS_CONNECTED;
			__module_get(THIS_MODULE);
		}
		release_sock(sk);
		break;
	case ATMARP_MKIP:
		lock_sock(sk);
		err = clip_mkip(vcc, arg);
		release_sock(sk);
		break;
	case ATMARP_SETENTRY:
		err = clip_setentry(vcc, (__force __be32)arg);
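Review bot: The new `if (vcc->push == clip_push)` guard at the top of atm_init_atmarp() is race-free only because clip_ioctl() now calls it with lock_sock(sk) held, and nothing in the function itself records that precondition. A comment above the check, such as `/* Caller holds lock_sock(); serialises against clip_mkip() installing clip_push. */`, would keep the requirement visible if another caller is added later. The mutex_lock(&atmarpd_lock) that follows the check now nests inside the socket lock; I cannot see from these hunks whether any other path takes atmarpd_lock first and then the socket lock, so that ordering is worth confirming. Both atm_init_atmarp() and the clip_ioctl() switch continue beyond their hunks.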