Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3008738imu; Sun, 9 Dec 2018 15:01:35 -0800 (PST) X-Google-Smtp-Source: AFSGD/VGt6a5aY3hb565Xj3gNvL3cDY/ckU60c1xNvzrKDUW4OzlbiIN+1+0mhnn6x+9UTL83BB2 X-Received: by 2002:a63:8b41:: with SMTP id j62mr9083573pge.182.1544396495292; Sun, 09 Dec 2018 15:01:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544396495; cv=none; d=google.com; s=arc-20160816; b=IiWyfYSURvPoaW/hMXUfY2bhbsJyPode7zmHuPhVmj5PgTMQX9CA+GftPxY6SQog7u tLJ8ntepoO5mzYAKVvT0x4Ix1cbL9on7VccqjrtJNFTqaTuwnrCi6ek0JMS0C8fnUGBY /W2oc2Fd8/1zr4UHgU2trOi/UQ12M/sOunRWETRqFuwjb9G7EHal5kIgZ8Qzd6c63NsN uWR9ND4Fds6J+ceSCBJqHRKVRruqDs+fnvOdxzZNugU1pVoWnMGR3K+m2YN4M92KD7pT poSwZheoAxIB4Ki2zKvJCxiwd1StlOv3aT7+5SUWA/nwehU0ggYx1Qa0thL4cRYvH7VJ R1Gg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=1Kw+HCkd6MeZtHQB3HX4N3eGsBxk48dhdv5Wz6nIE4I=; b=g8pJIRUEnsJ9rN93S7IblofRZQ8eRPTSSIhNX7/xd51Yjc50m3grFG4nGEQakFND0K nzTflpCM3/eP4oDxPyoBGoWFPPZvxNeqCQIjWcqs3y00oFWnE7bmPlsFrfwMZPl5IH/P wFEv+YHmzmgM78gpwaYayk1go3iYktVJATWc8Aod/Faru61246ij5k0qwCyCXixm4vKN U6omGiwNiijBn2S36Pj5jp0ubvJHjvHwVG+JI4Ncuq9jUgQrj02hlryJCaA2NGSUAD4k ee/hsRITaDM/2n0/LhfvGgV38cwOJpZOz7YmLRGSUkjjhAZKrCvhwoBfiRylSDTuSh8l BYmQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g11si8473421plt.4.2018.12.09.15.01.19; Sun, 09 Dec 2018 15:01:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728505AbeLIWOK (ORCPT + 99 others); Sun, 9 Dec 2018 17:14:10 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:38022 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728266AbeLIWOI (ORCPT ); Sun, 9 Dec 2018 17:14:08 -0500 Received: from pub.yeoldevic.com ([81.174.156.145] helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gW738-0002ih-EA; Sun, 09 Dec 2018 21:55:43 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gW72f-0003T9-Cj; Sun, 09 Dec 2018 21:55:13 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Sabrina Dubroca" , "Steffen Klassert" , "Thadeu Lima de Souza Cascardo" Date: Sun, 09 Dec 2018 21:50:33 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 185/328] xfrm6: call kfree_skb when skb is toobig In-Reply-To: X-SA-Exim-Connect-IP: 81.174.156.145 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.62-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Thadeu Lima de Souza Cascardo commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 upstream. After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching and reporting on xmit"), some too big skbs might be potentially passed down to __xfrm6_output, causing it to fail to transmit but not free the skb, causing a leak of skb, and consequentially a leak of dst references. After running pmtu.sh, that shows as failure to unregister devices in a namespace: [ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1 The fix is to call kfree_skb in case of transmit failures. Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error") Signed-off-by: Thadeu Lima de Souza Cascardo Reviewed-by: Sabrina Dubroca Signed-off-by: Steffen Klassert Signed-off-by: Ben Hutchings --- net/ipv6/xfrm6_output.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/ipv6/xfrm6_output.c +++ b/net/ipv6/xfrm6_output.c @@ -158,9 +158,11 @@ static int __xfrm6_output(struct sk_buff if (toobig && xfrm6_local_dontfrag(skb)) { xfrm6_local_rxpmtu(skb, mtu); + kfree_skb(skb); return -EMSGSIZE; } else if (!skb->ignore_df && toobig && skb->sk) { xfrm_local_error(skb, mtu); + kfree_skb(skb); return -EMSGSIZE; }