[thirdparty/kernel/stable-queue.git] / releases / 5.1.7 / llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch

From foo@baz Fri 31 May 2019 03:16:39 PM PDT
From: Eric Dumazet <edumazet@google.com>
Date: Mon, 27 May 2019 17:35:52 -0700
Subject: llc: fix skb leak in llc_build_and_send_ui_pkt()

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]

If llc_mac_hdr_init() returns an error, we must drop the skb
since no llc_build_and_send_ui_pkt() caller will take care of this.

BUG: memory leak
unreferenced object 0xffff8881202b6800 (size 2048):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
    [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
    [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
    [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
    [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
    [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
    [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
    [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
    [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
    [<000000008bdec225>] sock_create net/socket.c:1481 [inline]
    [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
    [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
    [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
    [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
    [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811d750d00 (size 224):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff  ...$.....h+ ....
  backtrace:
    [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline]
    [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
    [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
    [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline]
    [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
    [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
    [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
    [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
    [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline]
    [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671
    [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
    [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline]
    [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline]
    [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
    [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/llc/llc_output.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/llc/llc_output.c
+++ b/net/llc/llc_output.c
@@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc
 	rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac);
 	if (likely(!rc))
 		rc = dev_queue_xmit(skb);
+	else
+		kfree_skb(skb);
 	return rc;
 }
Commit	Line	Data
ffc20820 GKH	1	From foo@baz Fri 31 May 2019 03:16:39 PM PDT
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Mon, 27 May 2019 17:35:52 -0700
	4	Subject: llc: fix skb leak in llc_build_and_send_ui_pkt()
	5
	6	From: Eric Dumazet <edumazet@google.com>
	7
	8	[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]
	9
	10	If llc_mac_hdr_init() returns an error, we must drop the skb
	11	since no llc_build_and_send_ui_pkt() caller will take care of this.
	12
	13	BUG: memory leak
	14	unreferenced object 0xffff8881202b6800 (size 2048):
	15	comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
	16	hex dump (first 32 bytes):
	17	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	18	1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
	19	backtrace:
	20	[<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
	21	[<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
	22	[<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
	23	[<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
	24	[<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
	25	[<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
	26	[<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
	27	[<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
	28	[<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
	29	[<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
	30	[<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
	31	[<000000008bdec225>] sock_create net/socket.c:1481 [inline]
	32	[<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
	33	[<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
	34	[<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
	35	[<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
	36	[<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
	37	[<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
	38
	39	BUG: memory leak
	40	unreferenced object 0xffff88811d750d00 (size 224):
	41	comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
	42	hex dump (first 32 bytes):
	43	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	44	00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff ...$.....h+ ....
	45	backtrace:
	46	[<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
	47	[<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline]
	48	[<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline]
	49	[<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
	50	[<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
	51	[<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline]
	52	[<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
	53	[<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
	54	[<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
	55	[<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
	56	[<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline]
	57	[<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671
	58	[<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
	59	[<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline]
	60	[<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline]
	61	[<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
	62	[<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
	63	[<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
	64
65	Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
66	Signed-off-by: Eric Dumazet <edumazet@google.com>
67	Reported-by: syzbot <syzkaller@googlegroups.com>
68	Signed-off-by: David S. Miller <davem@davemloft.net>
69	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
70	---
71	net/llc/llc_output.c \| 2 ++
72	1 file changed, 2 insertions(+)
73
74	--- a/net/llc/llc_output.c
75	+++ b/net/llc/llc_output.c
76	@@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc
77	rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac);
78	if (likely(!rc))
79	rc = dev_queue_xmit(skb);
80	+ else
81	+ kfree_skb(skb);
82	return rc;
83	}
84