linux

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2024-12-29 17:23:36 +00:00

History

Eric Biggers b74555de21 llc: fix sk_buff leak in llc_conn_service() syzbot reported: BUG: memory leak unreferenced object 0xffff88811eb3de00 (size 224): comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff ..8$............ backtrace: [<000000008d1c66a1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline] [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline] [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline] [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54 [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140 net/llc/llc_c_ac.c:777 [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline] [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline] [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640 net/llc/llc_conn.c:75 [<00000000f27e53c1>] llc_establish_connection+0x110/0x170 net/llc/llc_if.c:109 [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477 [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840 [...] The bug is that most callers of llc_conn_send_pdu() assume it consumes a reference to the skb, when actually due to commit `b85ab56c3f` ("llc: properly handle dev_queue_xmit() return value") it doesn't. Revert most of that commit, and instead make the few places that need llc_conn_send_pdu() to not consume a reference call skb_get() before. Fixes: `b85ab56c3f` ("llc: properly handle dev_queue_xmit() return value") Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>		2019-10-08 13:23:05 -07:00
..
af_llc.c	llc: Check address length before reading address field	2019-04-12 10:25:03 -07:00
Kconfig	treewide: Add SPDX license identifier - Makefile/Kconfig	2019-05-21 10:50:46 +02:00
llc_c_ac.c	llc: fix sk_buff leak in llc_conn_service()	2019-10-08 13:23:05 -07:00
llc_c_ev.c	net: replace remaining __FUNCTION__ occurrences	2008-03-05 20:47:47 -08:00
llc_c_st.c	llc: Make llc_conn_ev_qfyr_t function pointer arrays const	2014-12-10 15:21:24 -05:00
llc_conn.c	llc: fix sk_buff leak in llc_conn_service()	2019-10-08 13:23:05 -07:00
llc_core.c	llc: avoid blocking in llc_sap_close()	2018-09-13 09:04:58 -07:00
llc_if.c	llc: fix whitespace issues	2018-07-24 14:10:42 -07:00
llc_input.c	locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE()	2017-10-25 11:01:08 +02:00
llc_output.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 281	2019-06-05 17:36:36 +02:00
llc_pdu.c	[LLC]: skb allocation size for responses	2008-03-31 21:02:47 -07:00
llc_proc.c	proc: introduce proc_create_seq{,_data}	2018-05-16 07:23:35 +02:00
llc_s_ac.c	llc: fix sk_buff leak in llc_sap_state_process()	2019-10-08 13:23:05 -07:00
llc_s_ev.c	Linux-2.6.12-rc2	2005-04-16 15:20:36 -07:00
llc_s_st.c	llc: Make llc_sap_action_t function pointer arrays const	2014-12-10 15:21:24 -05:00
llc_sap.c	llc: fix sk_buff leak in llc_sap_state_process()	2019-10-08 13:23:05 -07:00
llc_station.c	llc2: Collapse remainder of state machine into simple if-else if-statement	2012-09-17 13:04:19 -04:00
Makefile	llc: fix whitespace issues	2018-07-24 14:10:42 -07:00
sysctl_net_llc.c	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00