Commit | Line | Data |
---|---|---|
e67c8b9f GKH |
1 | From foo@baz Fri 31 May 2019 03:16:57 PM PDT |
2 | From: Eric Dumazet <edumazet@google.com> | |
3 | Date: Mon, 27 May 2019 17:35:52 -0700 | |
4 | Subject: llc: fix skb leak in llc_build_and_send_ui_pkt() | |
5 | ||
6 | From: Eric Dumazet <edumazet@google.com> | |
7 | ||
8 | [ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ] | |
9 | ||
10 | If llc_mac_hdr_init() returns an error, we must drop the skb | |
11 | since no llc_build_and_send_ui_pkt() caller will take care of this. | |
12 | ||
13 | BUG: memory leak | |
14 | unreferenced object 0xffff8881202b6800 (size 2048): | |
15 | comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s) | |
16 | hex dump (first 32 bytes): | |
17 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
18 | 1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ | |
19 | backtrace: | |
20 | [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] | |
21 | [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline] | |
22 | [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline] | |
23 | [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline] | |
24 | [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669 | |
25 | [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline] | |
26 | [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608 | |
27 | [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662 | |
28 | [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950 | |
29 | [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173 | |
30 | [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430 | |
31 | [<000000008bdec225>] sock_create net/socket.c:1481 [inline] | |
32 | [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523 | |
33 | [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline] | |
34 | [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline] | |
35 | [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530 | |
36 | [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 | |
37 | [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 | |
38 | ||
39 | BUG: memory leak | |
40 | unreferenced object 0xffff88811d750d00 (size 224): | |
41 | comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s) | |
42 | hex dump (first 32 bytes): | |
43 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ | |
44 | 00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff ...$.....h+ .... | |
45 | backtrace: | |
46 | [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] | |
47 | [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline] | |
48 | [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline] | |
49 | [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 | |
50 | [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 | |
51 | [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline] | |
52 | [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327 | |
53 | [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225 | |
54 | [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242 | |
55 | [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933 | |
56 | [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline] | |
57 | [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671 | |
58 | [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964 | |
59 | [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline] | |
60 | [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline] | |
61 | [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972 | |
62 | [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 | |
63 | [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 | |
64 | ||
65 | Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") | |
66 | Signed-off-by: Eric Dumazet <edumazet@google.com> | |
67 | Reported-by: syzbot <syzkaller@googlegroups.com> | |
68 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
69 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
70 | --- | |
71 | net/llc/llc_output.c | 2 ++ | |
72 | 1 file changed, 2 insertions(+) | |
73 | ||
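--- a/net/llc/llc_output.c
+++ b/net/llc/llc_output.c
@@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc
 rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac);
 if (likely(!rc))
 rc = dev_queue_xmit(skb);
+ else
+ kfree_skb(skb);
 return rc;
 }
 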
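Review bot: With the added `else` branch, llc_build_and_send_ui_pkt() gives up the skb on both paths (handed to dev_queue_xmit() on success, freed on header-init failure), but nothing in the visible lines records that ownership rule. I would add a comment at the branch such as `/* skb is consumed on every path; callers must not use or free it after this call */`. The function's opening lines are outside the hunk, so any existing header comment could not be checked; if one exists, it should state the same. The commit message says no caller frees the skb on error, but the callers are not shown here, so this should be re-checked on each stable branch that receives the backport: a caller that does free on a non-zero return would now double-free. The reported leak follows a userspace socket()/sendto() path, so repeated failures could presumably exhaust kernel memory on trees without the fix.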