• Eric Dumazet's avatar
    llc: fix skb leak in llc_build_and_send_ui_pkt() · 7d536940
    Eric Dumazet authored
    BugLink: https://bugs.launchpad.net/bugs/1832661
    
    [ Upstream commit 8fb44d60 ]
    
    If llc_mac_hdr_init() returns an error, we must drop the skb
    since no llc_build_and_send_ui_pkt() caller will take care of this.
    
    BUG: memory leak
    unreferenced object 0xffff8881202b6800 (size 2048):
      comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
      backtrace:
        [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
        [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
        [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
        [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
        [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
        [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
        [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
        [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
        [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
        [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
        [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
        [<000000008bdec225>] sock_create net/socket.c:1481 [inline]
        [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
        [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
        [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
        [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
        [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
        [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    BUG: memory leak
    unreferenced object 0xffff88811d750d00 (size 224):
      comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff  ...$.....h+ ....
      backtrace:
        [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
        [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline]
        [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline]
        [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
        [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
        [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline]
        [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
        [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
        [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
        [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
        [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline]
        [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671
        [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
        [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline]
        [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline]
        [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
        [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
        [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
    Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
    7d536940
llc_output.c 2.29 KB