* [PATCH 6.6/6.1 0/1] pppoe: Fix memory leak in pppoe_sendmsg()
@ 2024-04-15 11:51 Gavrilov Ilia
  2024-04-15 11:51 ` [PATCH 6.6/6.1 1/1] " Gavrilov Ilia
  0 siblings, 1 reply; 3+ messages in thread
From: Gavrilov Ilia @ 2024-04-15 11:51 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman
  Cc: Michal Ostrowski, Guillaume Nault, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, netdev, linux-kernel, lvc-project

syzbot reports a memory leak in pppoe_sendmsg in 6.6 and 6.1 stable
releases. The problem has been fixed by the following patch which can be
cleanly applied to the 6.6 and 6.1 branches.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.

Gavrilov Ilia (1):
  pppoe: Fix memory leak in pppoe_sendmsg()

 drivers/net/ppp/pppoe.c | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

-- 
2.39.2


* [PATCH 6.6/6.1 1/1] pppoe: Fix memory leak in pppoe_sendmsg()
  2024-04-15 11:51 [PATCH 6.6/6.1 0/1] pppoe: Fix memory leak in pppoe_sendmsg() Gavrilov Ilia
@ 2024-04-15 11:51 ` Gavrilov Ilia
  0 siblings, 0 replies; 3+ messages in thread
From: Gavrilov Ilia @ 2024-04-15 11:51 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman
  Cc: Michal Ostrowski, Guillaume Nault, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, netdev, linux-kernel, lvc-project,
	syzbot+6bdfd184eac7709e5cc9

From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>

commit dc34ebd5c018b0edf47f39d11083ad8312733034 upstream.

syzbot reports a memory leak in pppoe_sendmsg [1].

The problem is in the pppoe_recvmsg() function that handles errors
in the wrong order. For the skb_recv_datagram() function, check
the pointer to skb for NULL first, and then check the 'error' variable,
because the skb_recv_datagram() function can set 'error'
to -EAGAIN in a loop but return a correct pointer to socket buffer
after a number of attempts, though 'error' remains set to -EAGAIN.

skb_recv_datagram
      __skb_recv_datagram          // Loop. if (err == -EAGAIN) then
                                   // go to the next loop iteration
          __skb_try_recv_datagram  // if (skb != NULL) then return 'skb'
                                   // else if a signal is received then
                                   // return -EAGAIN

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.

Link: https://syzkaller.appspot.com/bug?extid=6bdfd184eac7709e5cc9 [1]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+6bdfd184eac7709e5cc9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6bdfd184eac7709e5cc9
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Link: https://lore.kernel.org/r/20240214085814.3894917-1-Ilia.Gavrilov@infotecs.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
 drivers/net/ppp/pppoe.c | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index ba8b6bd8233c..96cca4ee470a 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -1007,26 +1007,21 @@ static int pppoe_recvmsg(struct socket *sock, struct msghdr *m,
 	struct sk_buff *skb;
 	int error = 0;
 
-	if (sk->sk_state & PPPOX_BOUND) {
-		error = -EIO;
-		goto end;
-	}
+	if (sk->sk_state & PPPOX_BOUND)
+		return -EIO;
 
 	skb = skb_recv_datagram(sk, flags, &error);
-	if (error < 0)
-		goto end;
+	if (!skb)
+		return error;
 
-	if (skb) {
-		total_len = min_t(size_t, total_len, skb->len);
-		error = skb_copy_datagram_msg(skb, 0, m, total_len);
-		if (error == 0) {
-			consume_skb(skb);
-			return total_len;
-		}
+	total_len = min_t(size_t, total_len, skb->len);
+	error = skb_copy_datagram_msg(skb, 0, m, total_len);
+	if (error == 0) {
+		consume_skb(skb);
+		return total_len;
 	}
 
 	kfree_skb(skb);
-end:
 	return error;
 }
 
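Review bot: the subject and the first body line place the leak in pppoe_sendmsg(), but the hunk changes pppoe_recvmsg(), which is where the skb is dropped; naming the fixed function in the subject (the allocation site can stay in the body) would make this backport easier to find in the stable trees. The reordering itself is correct: `if (!skb) return error;` no longer lets a stale -EAGAIN left behind by the __skb_recv_datagram() retry loop override a valid skb, and since skb_recv_datagram() sets 'error' whenever it returns NULL (the signal case in the commit message), the early return still reports the real reason. Dropping the `end:` label also removes the only path that could reach `kfree_skb()` with the error already decided, so the remaining `kfree_skb(skb); return error;` tail is now reachable only after a failed skb_copy_datagram_msg().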
-- 
2.39.2

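Added userspace model of the ordering bug the commit message describes; this is example code, not part of the patch or the kernel. mock_skb_recv_datagram() and recvmsg_model() are constructed names, and the 'retries' argument stands in for the -EAGAIN iterations of __skb_recv_datagram() before a datagram arrives.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed userspace model of the pppoe_recvmsg() bug (example code,
 * not the kernel's). mock_skb_recv_datagram() follows the contract the
 * commit message describes: its retry loop may set *err = -EAGAIN and
 * still hand back a buffer on a later iteration. */
struct mock_skb { size_t len; };

static int live_skbs;   /* buffers allocated but not freed, i.e. leaks */

/* retries < 0 models a signal: NULL with *err = -EAGAIN. Otherwise each
 * spurious wake-up sets *err = -EAGAIN and loops; the datagram that
 * finally arrives is returned with *err left as it was. */
static struct mock_skb *mock_skb_recv_datagram(int retries, int *err)
{
	struct mock_skb *skb;
	if (retries < 0) {
		*err = -EAGAIN;
		return NULL;
	}
	while (retries-- > 0)
		*err = -EAGAIN;
	skb = calloc(1, sizeof(*skb));
	skb->len = 5;   /* constructed 5-byte datagram */
	live_skbs++;
	return skb;
}

static void mock_kfree_skb(struct mock_skb *skb)
{
	if (skb) { free(skb); live_skbs--; }   /* NULL is a no-op, as in the kernel */
}

/* One receive. check_skb_first selects the patched ordering (if (!skb))
 * over the pre-patch one (if (error < 0)). Returns the datagram length
 * or a negative errno, as the kernel function does. */
static int recvmsg_model(int check_skb_first, int retries)
{
	int error = 0, len;
	struct mock_skb *skb = mock_skb_recv_datagram(retries, &error);
	if (check_skb_first ? !skb : error < 0)
		return error;   /* pre-patch: a non-NULL skb is lost here */
	len = (int)skb->len;
	mock_kfree_skb(skb);
	return len;
}
```

With one spurious wake-up the pre-patch ordering returns -EAGAIN and leaves the datagram allocated; the patched ordering delivers it and still reports -EAGAIN when no datagram was returned.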

