Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp2916090pxb; Tue, 24 Aug 2021 10:31:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxjNvHAcnBPZHtVFRwyVHN4pvSsOhazt6pbe2gpsoSTafit61dlhwHnJfqIeNff7ExGwu69 X-Received: by 2002:a02:1083:: with SMTP id 125mr35231563jay.34.1629826272756; Tue, 24 Aug 2021 10:31:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629826272; cv=none; d=google.com; s=arc-20160816; b=H1ktkBy16fwZ22ynYHFLYJtevOAZx1TFjTMWQPWa0YNcMofhj/SWz2rJrFLK3OKZ52 /Nw0UfLEJmsZB/j9EKdEQenXl1rbalcIhdpnpgWhNQMrtWYDh7jc5w4tN2psEVGQg2Ls U+NN0QVzhtpbU9ObbKbr9uGfm3pJILYBVIZ5FLpI9M+isnpw60mNdG+Anejm5cW3FF5y KnLYgboxWnOCT45SeVCzPhN0QvIwW6uwpnzg2ivLTJ9ShdxHTOuveCVI4Zg0TVMIpuRA oI8apupJ3Rlf6whPh4pvfhFt/1z/PIi7d5aNfkpWoEMJJUN5qn/5xyqwYWoVLUXpkcUy snxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=A0PAVR8LxoMg9p6SgPCYfA9IbSBv9pWA+bvePszGwig=; b=ElmaQllcWjmQECYA/1m/Z+6yaYxrioDjydgXV6wxCGexJk9JELvUMbjvLMFKYcOod8 2gqxwcrP3s9t9UxxL+NPJFAndDp+k50qBL3n3ktg2nGyKEhhoXJ9X5sfStM1+VN5tJSy I4/wy9rZ6ImZFj6Au/+PGjoPr7ZEvZdfc21saow83Fj1+u8ncEhy8j54GAaV4n+cwkIs jv6ZNttWkuAGHAwV06/TIIEGuupOiJk1ciTLZLFlxECcqCY19wQTDy8bpGFH+jVSQqV9 CyFykzgle8vBw5so9jcGQ6YnX9NFMKzmNpIupbfekPHvXr4DP4UIz4NnNPNBVCFwafm+ rg7g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VMmXKRaH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s15si17587668jaj.78.2021.08.24.10.31.00; Tue, 24 Aug 2021 10:31:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=VMmXKRaH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241395AbhHXRam (ORCPT + 99 others); Tue, 24 Aug 2021 13:30:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:34268 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241178AbhHXR1U (ORCPT ); Tue, 24 Aug 2021 13:27:20 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id A07AA61B4B; Tue, 24 Aug 2021 17:05:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1629824711; bh=2h3ljlZYIBgNVEXjKt6mkgoIpaJorRhKoWLK5q6s3JY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VMmXKRaHb1Pigy8o+TrccUdIh+7V8j4YhsE1yQCxNpLwVnigmafUW/MipOWi3bwcE /n4Rq5SDZ+mA3WfbTf8Euyovth0G5Kd4wgaj2neTRBTjyChmvsYLgPMbm1mHkf0phB 6G6BbYjE6ub5YEvH0HOIdHcO2MvPZd9Tj0YNLhKkmBk96dLqQF9QHRMLZyYuAtW/so sSnmMQT3qMdysTHs/rv6fgvZ2J4yezEqfP9EzIBADnt5gfQRqdpx+hRdvETRbaE9HV eQcxM0fNp2vOPIfSS/16n0YW506quAio4JUuN16yxZGi5q2QdEa7kx3CAQNNJ4ga5n sl+c+nqHwwJ6Q== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Takeshi Misawa , syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com, Alexander Aring , Stefan Schmidt , Sasha Levin Subject: [PATCH 4.14 13/64] net: Fix memory leak in ieee802154_raw_deliver Date: Tue, 24 Aug 2021 13:04:06 -0400 Message-Id: <20210824170457.710623-14-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210824170457.710623-1-sashal@kernel.org> References: <20210824170457.710623-1-sashal@kernel.org> MIME-Version: 1.0 X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.245-rc1.gz X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git X-KernelTest-Branch: linux-4.14.y X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git X-KernelTest-Version: 4.14.245-rc1 X-KernelTest-Deadline: 2021-08-26T17:04+00:00 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Takeshi Misawa [ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ] If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked. Fix this, by freeing sk_receive_queue in sk->sk_destruct(). syzbot report: BUG: memory leak unreferenced object 0xffff88810f644600 (size 232): comm "softirq", pid 0, jiffies 4294967032 (age 81.270s) hex dump (first 32 bytes): 10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff .}K......}K..... 00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff ........@|K..... backtrace: [] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496 [] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline] [] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070 [] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384 [] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498 [] netif_receive_skb_internal net/core/dev.c:5603 [inline] [] netif_receive_skb+0x59/0x260 net/core/dev.c:5662 [] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline] [] ieee802154_subif_frame net/mac802154/rx.c:102 [inline] [] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline] [] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284 [] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35 [] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557 [] __do_softirq+0xbf/0x2ab kernel/softirq.c:345 [] do_softirq kernel/softirq.c:248 [inline] [] do_softirq+0x5c/0x80 kernel/softirq.c:235 [] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198 [] local_bh_enable include/linux/bottom_half.h:32 [inline] [] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline] [] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221 [] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295 [] sock_sendmsg_nosec net/socket.c:654 [inline] [] sock_sendmsg+0x56/0x80 net/socket.c:674 [] __sys_sendto+0x15c/0x200 net/socket.c:1977 [] __do_sys_sendto net/socket.c:1989 [inline] [] __se_sys_sendto net/socket.c:1985 [inline] [] __x64_sys_sendto+0x26/0x30 net/socket.c:1985 Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation") Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com Signed-off-by: Takeshi Misawa Acked-by: Alexander Aring Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP Signed-off-by: Stefan Schmidt Signed-off-by: Sasha Levin --- net/ieee802154/socket.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c index e95004b507d3..9d46d9462129 100644 --- a/net/ieee802154/socket.c +++ b/net/ieee802154/socket.c @@ -985,6 +985,11 @@ static const struct proto_ops ieee802154_dgram_ops = { #endif }; +static void ieee802154_sock_destruct(struct sock *sk) +{ + skb_queue_purge(&sk->sk_receive_queue); +} + /* Create a socket. Initialise the socket, blank the addresses * set the state. */ @@ -1025,7 +1030,7 @@ static int ieee802154_create(struct net *net, struct socket *sock, sock->ops = ops; sock_init_data(sock, sk); - /* FIXME: sk->sk_destruct */ + sk->sk_destruct = ieee802154_sock_destruct; sk->sk_family = PF_IEEE802154; /* Checksums on by default */ -- 2.30.2