mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-15 23:25:07 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/llc
History
Eric Biggers d634bd01b3 llc: fix sk_buff leak in llc_conn_service() 
commit b74555de21 upstream.

syzbot reported:

    BUG: memory leak
    unreferenced object 0xffff88811eb3de00 (size 224):
       comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s)
       hex dump (first 32 bytes):
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
         00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff  ..8$............
       backtrace:
         [<000000008d1c66a1>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
         [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline]
         [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline]
         [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
         [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
         [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline]
         [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
         [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140  net/llc/llc_c_ac.c:777
         [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475  [inline]
         [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline]
         [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640  net/llc/llc_conn.c:75
         [<00000000f27e53c1>] llc_establish_connection+0x110/0x170  net/llc/llc_if.c:109
         [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
         [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840
         [...]

The bug is that most callers of llc_conn_send_pdu() assume it consumes a
reference to the skb, when actually due to commit b85ab56c3f ("llc:
properly handle dev_queue_xmit() return value") it doesn't.

Revert most of that commit, and instead make the few places that need
llc_conn_send_pdu() to *not* consume a reference call skb_get() before.

Fixes: b85ab56c3f ("llc: properly handle dev_queue_xmit() return value")
Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-06 13:06:23 +01:00
..
af_llc.c llc: do not use sk_eat_skb() 2018-12-01 09:37:27 +01:00
Kconfig llc: fix whitespace issues 2018-07-24 14:10:42 -07:00
llc_c_ac.c llc: fix sk_buff leak in llc_conn_service() 2019-11-06 13:06:23 +01:00
llc_c_ev.c
llc_c_st.c llc: Make llc_conn_ev_qfyr_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_conn.c llc: fix sk_buff leak in llc_conn_service() 2019-11-06 13:06:23 +01:00
llc_core.c llc: use refcount_inc_not_zero() for llc_sap_find() 2018-08-07 15:54:00 -07:00
llc_if.c llc: fix whitespace issues 2018-07-24 14:10:42 -07:00
llc_input.c locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE() 2017-10-25 11:01:08 +02:00
llc_output.c llc: fix skb leak in llc_build_and_send_ui_pkt() 2019-06-04 08:02:31 +02:00
llc_pdu.c
llc_proc.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
llc_s_ac.c llc: fix sk_buff leak in llc_sap_state_process() 2019-11-06 13:06:23 +01:00
llc_s_ev.c
llc_s_st.c llc: Make llc_sap_action_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_sap.c llc: fix sk_buff leak in llc_sap_state_process() 2019-11-06 13:06:23 +01:00
llc_station.c
Makefile llc: fix whitespace issues 2018-07-24 14:10:42 -07:00
sysctl_net_llc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00