asgardius/android_kernel_motorola_sm6225
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_motorola_sm6225/net/llc
History
Eric Biggers 3f3f7409f0 llc: fix sk_buff leak in llc_sap_state_process() 
commit c6ee11c39fcc1fb55130748990a8f199e76263b4 upstream.

syzbot reported:

    BUG: memory leak
    unreferenced object 0xffff888116270800 (size 224):
       comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s)
       hex dump (first 32 bytes):
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
         00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff  . .*.....@=*....
       backtrace:
         [<000000004d41b4cc>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
         [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline]
         [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline]
         [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
         [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
         [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline]
         [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250  net/core/skbuff.c:5327
         [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0  net/core/sock.c:2225
         [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
         [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
         [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline]
         [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671
         [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
	 [...]

The bug is that llc_sap_state_process() always takes an extra reference
to the skb, but sometimes neither llc_sap_next_state() nor
llc_sap_state_process() itself drops this reference.

Fix it by changing llc_sap_next_state() to never consume a reference to
the skb, rather than sometimes do so and sometimes not.  Then remove the
extra skb_get() and kfree_skb() from llc_sap_state_process().

Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com
Reported-by: syzbot+31c16aa4202dace3812e@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-06 13:06:23 +01:00
..
af_llc.c llc: do not use sk_eat_skb() 2018-12-01 09:37:27 +01:00
Kconfig llc: fix whitespace issues 2018-07-24 14:10:42 -07:00
llc_c_ac.c llc: delete timers synchronously in llc_sk_free() 2018-04-22 14:55:03 -04:00
llc_c_ev.c
llc_c_st.c llc: Make llc_conn_ev_qfyr_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_conn.c llc: set SOCK_RCU_FREE in llc_sap_add_socket() 2018-10-15 22:01:37 -07:00
llc_core.c llc: use refcount_inc_not_zero() for llc_sap_find() 2018-08-07 15:54:00 -07:00
llc_if.c llc: fix whitespace issues 2018-07-24 14:10:42 -07:00
llc_input.c locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE() 2017-10-25 11:01:08 +02:00
llc_output.c llc: fix skb leak in llc_build_and_send_ui_pkt() 2019-06-04 08:02:31 +02:00
llc_pdu.c
llc_proc.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
llc_s_ac.c llc: fix sk_buff leak in llc_sap_state_process() 2019-11-06 13:06:23 +01:00
llc_s_ev.c
llc_s_st.c llc: Make llc_sap_action_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_sap.c llc: fix sk_buff leak in llc_sap_state_process() 2019-11-06 13:06:23 +01:00
llc_station.c llc2: Collapse remainder of state machine into simple if-else if-statement 2012-09-17 13:04:19 -04:00
Makefile llc: fix whitespace issues 2018-07-24 14:10:42 -07:00
sysctl_net_llc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00