From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, "David S. Miller"
Subject: [PATCH 5.0 08/36] llc: fix skb leak in llc_build_and_send_ui_pkt()
Date: Mon, 3 Jun 2019 11:08:56 +0200
Message-Id: <20190603090521.505143571@linuxfoundation.org>
In-Reply-To: <20190603090520.998342694@linuxfoundation.org>
References: <20190603090520.998342694@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Dumazet

[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]

If llc_mac_hdr_init() returns an error, we must drop the skb
since no llc_build_and_send_ui_pkt() caller will take care of this.

BUG: memory leak
unreferenced object 0xffff8881202b6800 (size 2048):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
    [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
    [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
    [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
    [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
    [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
    [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
    [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
    [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
    [<000000008bdec225>] sock_create net/socket.c:1481 [inline]
    [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
    [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
    [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
    [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
    [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811d750d00 (size 224):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff  ...$.....h+ ....
backtrace: [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline] [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline] [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline] [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327 [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225 [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242 [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933 [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline] [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671 [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964 [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline] [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline] [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972 [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/llc/llc_output.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/llc/llc_output.c +++ b/net/llc/llc_output.c @@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac); if (likely(!rc)) rc = dev_queue_xmit(skb); + else + kfree_skb(skb); return rc; }
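
Review bot: the added else branch after llc_mac_hdr_init() means llc_build_and_send_ui_pkt() now consumes the skb on every return path (dev_queue_xmit() on success, kfree_skb() on failure), but nothing at this site records that ownership rule. Please state it in a short comment at the else branch or in the function's header comment: the skb is always consumed, and callers must not free or dereference it after a non-zero return. The commit message notes that no caller frees the skb today, so the change is safe as written, but without the comment a later caller that adds its own kfree_skb() on the error path would turn this leak fix into a double free.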