This Linux kernel change "netrom: hold sock when setting skb->destructor" is included in the Linux 4.9.187 release. This change is authored by Cong Wang <xiyou.wangcong [at] gmail.com> on Mon Jul 22 20:41:22 2019 -0700. The commit for this change in Linux stable tree is 496c606 (patch) which is from upstream commit 4638faa. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream 4638faa.
netrom: hold sock when setting skb->destructor [ Upstream commit 4638faac032756f7eab5524be7be56bee77e426b ] sock_efree() releases the sock refcnt, if we don't hold this refcnt when setting skb->destructor to it, the refcnt would not be balanced. This leads to several bug reports from syzbot. I have checked other users of sock_efree(), all of them hold the sock refcnt. Fixes: c8c8218ec5af ("netrom: fix a memory leak in nr_rx_frame()") Reported-and-tested-by: <firstname.lastname@example.org> Reported-and-tested-by: <email@example.com> Reported-and-tested-by: <firstname.lastname@example.org> Reported-and-tested-by: <email@example.com> Cc: Ralf Baechle <firstname.lastname@example.org> Signed-off-by: Cong Wang <email@example.com> Signed-off-by: David S. Miller <firstname.lastname@example.org> Signed-off-by: Greg Kroah-Hartman <email@example.com>
There is one line of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.
net/netrom/af_netrom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index 699fd83..e588898 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -968,6 +968,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) window = skb->data; + sock_hold(make); skb->sk = make; skb->destructor = sock_efree; make->sk_state = TCP_ESTABLISHED;