Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp333659pxb; Mon, 16 Aug 2021 06:32:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzegpC366VSLnki8qh2CsMys1DLeLstVjyvlo3gci5QIC8HNbdsdtUB7Y7OUeJ8tVr8qxLP X-Received: by 2002:a92:b111:: with SMTP id t17mr12078088ilh.208.1629120762789; Mon, 16 Aug 2021 06:32:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629120762; cv=none; d=google.com; s=arc-20160816; b=JztODgVBn7nIVLVRAfk6ua7APMU4pH+EGc5uqFD98LObTRevRYjMFWT6fga9Sb7Equ /8sQjQptyRfM23HvI+u/2a0nqL4rnb1e4v38YAsVzSTdyocvpdgQn78dbAN1YvKJfDNg y2oPPUoBaYdPUnEXWB1MoeYXD12JkfmfsJ6pKsJPhvKjxEx2tVtW+nDOdAIMi1U/qmDS g08EavQZxT4IwDwo/fAWbiT2O1kPzW4+1PMJQNaF2iyeHvFMFY1YdqMwejxeyLBjfSw5 wsy+8D1AI9EI/sChkTH7/CaP+zcfUXZaF5K/gp3jrohd/fF/vLt4ZAu+2x2w/uYU72vy ojYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=QU5GI+rSfqBNqPlNgZ+2BiWvHZmCJ2tfa+v///g1/hs=; b=mzcV7zio4unmYWoTsZZJLCLY18ACrkfEszQT+7AFEEe3WpDQJDXHls42i76LiJ6g31 hXPc89yPRQzRSFzPcNEZJT/D+Y9aWgSFs//Ex7amAk7Xu96lNtkEQyYR8kT8Z2PUtNx8 NPo2Es2zR5sRMoh4uQptGwyAHjIRr5tw8K+NWHn+bhl5Y/Ni/gqcaPAKca+k2dmTtqva 0yJkqtWG+vRg5eq37RPZsQF9up/qwq+GY18QioZ5bRETonQSBxZ8sLyb4Rbrf2Iri9G+ /rlx3TPlVA5IetVMlxfzTnLvIvBl8FH6G5RUVRRDmepLM9n1esbxqwkf2oyR7nTJCv9O fTMQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ffpZ4KYQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id az34si12363319jab.63.2021.08.16.06.32.31; Mon, 16 Aug 2021 06:32:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ffpZ4KYQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240121AbhHPNaq (ORCPT + 99 others); Mon, 16 Aug 2021 09:30:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:43334 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240647AbhHPNT7 (ORCPT ); Mon, 16 Aug 2021 09:19:59 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 656D5632C8; Mon, 16 Aug 2021 13:15:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1629119706; bh=RYrcGiuN1XgqYILElz1dObV+4Wp7klA+3ZnmfUl+RQg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ffpZ4KYQ/Njzf49ZMJqt+PJ9R+0B3gIlP/FRjviZGocyfDHi/TxaEzX5mhQ+NHSSa mCKlKcNNPI5TC/13jFI680NUPUlDc1pCHLnjBR6jagVUhNmCUkCFP11awooaXZjRGS HDHKBF1Dmufhib9+4d0L6jzLtcLRWSL/cD/1sazc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takeshi Misawa , Alexander Aring , Stefan Schmidt , Sasha Levin , syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com Subject: [PATCH 5.13 098/151] net: Fix memory leak in ieee802154_raw_deliver Date: Mon, 16 Aug 2021 15:02:08 +0200 Message-Id: <20210816125447.304727706@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210816125444.082226187@linuxfoundation.org> References: <20210816125444.082226187@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Takeshi Misawa [ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ] If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked. Fix this, by freeing sk_receive_queue in sk->sk_destruct(). syzbot report: BUG: memory leak unreferenced object 0xffff88810f644600 (size 232): comm "softirq", pid 0, jiffies 4294967032 (age 81.270s) hex dump (first 32 bytes): 10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff .}K......}K..... 00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff ........@|K..... backtrace: [] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496 [] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline] [] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070 [] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384 [] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498 [] netif_receive_skb_internal net/core/dev.c:5603 [inline] [] netif_receive_skb+0x59/0x260 net/core/dev.c:5662 [] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline] [] ieee802154_subif_frame net/mac802154/rx.c:102 [inline] [] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline] [] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284 [] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35 [] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557 [] __do_softirq+0xbf/0x2ab kernel/softirq.c:345 [] do_softirq kernel/softirq.c:248 [inline] [] do_softirq+0x5c/0x80 kernel/softirq.c:235 [] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198 [] local_bh_enable include/linux/bottom_half.h:32 [inline] [] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline] [] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221 [] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295 [] sock_sendmsg_nosec net/socket.c:654 [inline] [] sock_sendmsg+0x56/0x80 net/socket.c:674 [] __sys_sendto+0x15c/0x200 net/socket.c:1977 [] __do_sys_sendto net/socket.c:1989 [inline] [] __se_sys_sendto net/socket.c:1985 [inline] [] __x64_sys_sendto+0x26/0x30 net/socket.c:1985 Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation") Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com Signed-off-by: Takeshi Misawa Acked-by: Alexander Aring Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin --- net/ieee802154/socket.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c index a45a0401adc5..c25f7617770c 100644 --- a/net/ieee802154/socket.c +++ b/net/ieee802154/socket.c @@ -984,6 +984,11 @@ static const struct proto_ops ieee802154_dgram_ops = { .sendpage = sock_no_sendpage, }; +static void ieee802154_sock_destruct(struct sock *sk) +{ + skb_queue_purge(&sk->sk_receive_queue); +} + /* Create a socket. Initialise the socket, blank the addresses * set the state. */ @@ -1024,7 +1029,7 @@ static int ieee802154_create(struct net *net, struct socket *sock, sock->ops = ops; sock_init_data(sock, sk); - /* FIXME: sk->sk_destruct */ + sk->sk_destruct = ieee802154_sock_destruct; sk->sk_family = PF_IEEE802154; /* Checksums on by default */ -- 2.30.2