From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, "David S. Miller"
Subject: [PATCH 4.14 03/69] llc: fix skb leak in llc_build_and_send_ui_pkt()
Date: Fri, 7 Jun 2019 17:38:44 +0200
Message-Id: <20190607153848.673330020@linuxfoundation.org>
In-Reply-To: <20190607153848.271562617@linuxfoundation.org>
References: <20190607153848.271562617@linuxfoundation.org>

From: Eric Dumazet

[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]

If llc_mac_hdr_init() returns an error, we must drop the skb
since no llc_build_and_send_ui_pkt() caller will take care of this.

BUG: memory leak
unreferenced object 0xffff8881202b6800 (size 2048):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
    [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
    [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
    [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
    [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
    [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
    [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
    [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
    [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
    [<000000008bdec225>] sock_create net/socket.c:1481 [inline]
    [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
    [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
    [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
    [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
    [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811d750d00 (size 224):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff  ...$.....h+ ....
  backtrace:
    [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline]
    [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
    [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
    [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline]
    [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
    [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
    [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
    [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
    [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline]
    [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671
    [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
    [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline]
    [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline]
    [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
    [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/llc/llc_output.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/llc/llc_output.c +++ b/net/llc/llc_output.c @@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac); if (likely(!rc)) rc = dev_queue_xmit(skb); + else + kfree_skb(skb); return rc; }
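
Review bot: the new else branch after llc_mac_hdr_init() makes llc_build_and_send_ui_pkt() consume the skb on every return path, and that ownership rule is not written down anywhere in the hunk. dev_queue_xmit() already takes the skb whether or not it succeeds, so with "else kfree_skb(skb);" a caller must never touch or free the skb once this function returns, whatever rc is. A one-line note in the comment above the function ("skb is always consumed, including on error") would keep a later caller from adding its own kfree_skb() on the error return and turning this leak fix into a double free. The commit message says no current caller frees the skb; it is worth confirming that for the llc_ui_sendmsg() path shown in the second backtrace when backporting to 4.14.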