From: Stefan Schmidt <stefan@datenfreihafen.org>
To: Alexander Aring <alex.aring@gmail.com>, Jakub Kicinski <kuba@kernel.org>
Cc: Takeshi Misawa <jeliantsurux@gmail.com>,
	David Howells <dhowells@redhat.com>,
	"open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
	linux-wpan - ML <linux-wpan@vger.kernel.org>
Subject: Re: [PATCH net] net: Fix memory leak in ieee802154_raw_deliver
Date: Tue, 10 Aug 2021 12:49:26 +0200
Message-ID: <47581b9b-4def-40be-88cb-6357516f9eb3@datenfreihafen.org>
In-Reply-To: <CAB_54W4DK3uo+q7vRC2Vzrs5BENq2L_ukkkewiSXMNaSBiTsEQ@mail.gmail.com>

Hello.

On 09.08.21 15:06, Alexander Aring wrote:
> Hi,
> 
> On Thu, 5 Aug 2021 at 09:50, Jakub Kicinski <kuba@kernel.org> wrote:
>>
>> On Thu, 5 Aug 2021 16:54:14 +0900 Takeshi Misawa wrote:
>>> If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked.
>>> Fix this, by freeing sk_receive_queue in sk->sk_destruct().
>>>
>>> syzbot report:
>>> BUG: memory leak
>>> unreferenced object 0xffff88810f644600 (size 232):
>>>    comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
>>>    hex dump (first 32 bytes):
>>>      10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff  .}K......}K.....
>>>      00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff  ........@|K.....
>>>    backtrace:
>>>      [<ffffffff83651d4a>] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
>>>      [<ffffffff83fe1b80>] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
>>>      [<ffffffff83fe1b80>] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
>>>      [<ffffffff8367cc7a>] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
>>>      [<ffffffff8367cd07>] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
>>>      [<ffffffff8367cdd9>] netif_receive_skb_internal net/core/dev.c:5603 [inline]
>>>      [<ffffffff8367cdd9>] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
>>>      [<ffffffff83fe6302>] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
>>>      [<ffffffff83fe6302>] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
>>>      [<ffffffff83fe6302>] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
>>>      [<ffffffff83fe6302>] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
>>>      [<ffffffff83fe59a6>] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
>>>      [<ffffffff81232aab>] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
>>>      [<ffffffff846000bf>] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
>>>      [<ffffffff81232f4c>] do_softirq kernel/softirq.c:248 [inline]
>>>      [<ffffffff81232f4c>] do_softirq+0x5c/0x80 kernel/softirq.c:235
>>>      [<ffffffff81232fc1>] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
>>>      [<ffffffff8367a9a4>] local_bh_enable include/linux/bottom_half.h:32 [inline]
>>>      [<ffffffff8367a9a4>] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
>>>      [<ffffffff8367a9a4>] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
>>>      [<ffffffff83fe2db4>] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
>>>      [<ffffffff8363af16>] sock_sendmsg_nosec net/socket.c:654 [inline]
>>>      [<ffffffff8363af16>] sock_sendmsg+0x56/0x80 net/socket.c:674
>>>      [<ffffffff8363deec>] __sys_sendto+0x15c/0x200 net/socket.c:1977
>>>      [<ffffffff8363dfb6>] __do_sys_sendto net/socket.c:1989 [inline]
>>>      [<ffffffff8363dfb6>] __se_sys_sendto net/socket.c:1985 [inline]
>>>      [<ffffffff8363dfb6>] __x64_sys_sendto+0x26/0x30 net/socket.c:1985
>>>
>>> Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
>>> Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
>>> Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
> 
> Acked-by: Alexander Aring <aahringo@redhat.com>


This patch has been applied to the wpan tree and will be
part of the next pull request to net. Thanks!

regards
Stefan Schmidt
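
The leak described in the quoted commit message, as a userspace C model added here; it is not the kernel patch and not code from anyone in this thread. `sock_model`, `deliver`, `destruct_purge` and the fixed buffer pool are hypothetical stand-ins for the socket, the receive path, the `sk->sk_destruct()` callback and the skb allocator.

```c
#include <stdio.h>
#define POOL_SIZE 8                              /* constructed pool size */
struct buf { int in_use; struct buf *next; };    /* stands in for a cloned skb */
static struct buf pool[POOL_SIZE];
static int live;                                 /* buffers currently allocated */

struct sock_model {                              /* hypothetical, not struct sock */
    struct buf *rxq;                             /* models sk_receive_queue */
    void (*destruct)(struct sock_model *sk);     /* models sk->sk_destruct */
};

/* Receive path: take a free buffer and queue it on the socket. */
static int deliver(struct sock_model *sk)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i] = (struct buf){ 1, sk->rxq };
            sk->rxq = &pool[i];
            live++;
            return 0;
        }
    return -1;                                   /* pool exhausted */
}

/* Destructor that releases every buffer still queued. */
static void destruct_purge(struct sock_model *sk)
{
    for (struct buf *b = sk->rxq; b; b = b->next, live--)
        b->in_use = 0;
    sk->rxq = NULL;
}

/* Queue `frames` buffers, close unread, return how many stay allocated. */
int leaked_after_close(int frames, int purge_on_destruct)
{
    struct sock_model sk = { NULL, purge_on_destruct ? destruct_purge : NULL };
    int before = live;
    for (int i = 0; i < frames && deliver(&sk) == 0; i++) {}
    if (sk.destruct)
        sk.destruct(&sk);                        /* socket teardown */
    return live - before;
}

int main(void)
{
    printf("unread frames leaked: no destructor %d, purging destructor %d\n",
           leaked_after_close(3, 0), leaked_after_close(3, 1));
    return 0;
}
```

Without a destructor, every frame queued but never read stays allocated after the socket goes away; with the purging destructor the count returns to its starting value.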
