From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Skripkin, Steffen Klassert, Sasha Levin, syzbot+fb347cf82c73a90efcca@syzkaller.appspotmail.com
Subject: [PATCH 5.10 004/135] net: xfrm: fix memory leak in xfrm_user_rcv_msg
Date: Tue, 10 Aug 2021 19:28:58 +0200
Message-Id: <20210810172955.821047403@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210810172955.660225700@linuxfoundation.org>
References: <20210810172955.660225700@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pavel Skripkin

[ Upstream commit 7c1a80e80cde008f271bae630d28cf684351e807 ]

Syzbot reported memory leak in xfrm_user_rcv_msg(). The problem was the skb's non-freed frag_list.

In skb_release_all() skb_release_data() will be called only in case of skb->head != NULL, but netlink_skb_destructor() sets head to NULL. So, allocated frag_list skb should be freed manually, since consume_skb() won't take care of it.

Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator")
Reported-and-tested-by: syzbot+fb347cf82c73a90efcca@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
---
 net/xfrm/xfrm_user.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 45f86a97eaf2..6f97665b632e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2751,6 +2751,16 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, err = link->doit(skb, nlh, attrs); + /* We need to free skb allocated in xfrm_alloc_compat() before + * returning from this function, because consume_skb() won't take + * care of frag_list since netlink destructor sets + * sbk->head to NULL. (see netlink_skb_destructor()) + */ + if (skb_has_frag_list(skb)) { + kfree_skb(skb_shinfo(skb)->frag_list); + skb_shinfo(skb)->frag_list = NULL; + } + err: kvfree(nlh64); return err; -- 2.30.2
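Review bot: the new frag_list cleanup is placed just above the `err:` label, so every earlier `goto err` exit in xfrm_user_rcv_msg() (the label exists precisely for those paths) returns through `kvfree(nlh64); return err;` without running it; if a compat-translated skb can already be attached to `skb` on one of those paths the leak persists there, so either move the `if (skb_has_frag_list(skb)) { kfree_skb(skb_shinfo(skb)->frag_list); skb_shinfo(skb)->frag_list = NULL; }` block below `err:` ahead of `kvfree(nlh64)` so it runs on every exit, or extend the comment to state why only the `link->doit()` path can attach one. Also fix the typo in the comment: `sbk->head` should read `skb->head`, matching the `netlink_skb_destructor()` reference beside it.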