From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Takeshi Misawa <jeliantsurux@gmail.com>,
	Alexander Aring <aahringo@redhat.com>,
	Stefan Schmidt <stefan@datenfreihafen.org>,
	Sasha Levin <sashal@kernel.org>,
	syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
Subject: [PATCH 5.10 53/96] net: Fix memory leak in ieee802154_raw_deliver
Date: Mon, 16 Aug 2021 15:02:03 +0200	[thread overview]
Message-ID: <20210816125436.726238302@linuxfoundation.org> (raw)
In-Reply-To: <20210816125434.948010115@linuxfoundation.org>

From: Takeshi Misawa <jeliantsurux@gmail.com>

[ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ]

If an IEEE-802.15.4-RAW socket is closed before the skb is received, the skb is leaked.
Fix this by freeing sk_receive_queue in sk->sk_destruct().

syzbot report:
BUG: memory leak
unreferenced object 0xffff88810f644600 (size 232):
  comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
  hex dump (first 32 bytes):
    10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff  .}K......}K.....
    00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff  ........@|K.....
  backtrace:
    [<ffffffff83651d4a>] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
    [<ffffffff83fe1b80>] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
    [<ffffffff83fe1b80>] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
    [<ffffffff8367cc7a>] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
    [<ffffffff8367cd07>] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
    [<ffffffff8367cdd9>] netif_receive_skb_internal net/core/dev.c:5603 [inline]
    [<ffffffff8367cdd9>] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
    [<ffffffff83fe6302>] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
    [<ffffffff83fe6302>] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
    [<ffffffff83fe6302>] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
    [<ffffffff83fe6302>] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
    [<ffffffff83fe59a6>] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
    [<ffffffff81232aab>] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
    [<ffffffff846000bf>] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
    [<ffffffff81232f4c>] do_softirq kernel/softirq.c:248 [inline]
    [<ffffffff81232f4c>] do_softirq+0x5c/0x80 kernel/softirq.c:235
    [<ffffffff81232fc1>] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
    [<ffffffff8367a9a4>] local_bh_enable include/linux/bottom_half.h:32 [inline]
    [<ffffffff8367a9a4>] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
    [<ffffffff8367a9a4>] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
    [<ffffffff83fe2db4>] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
    [<ffffffff8363af16>] sock_sendmsg_nosec net/socket.c:654 [inline]
    [<ffffffff8363af16>] sock_sendmsg+0x56/0x80 net/socket.c:674
    [<ffffffff8363deec>] __sys_sendto+0x15c/0x200 net/socket.c:1977
    [<ffffffff8363dfb6>] __do_sys_sendto net/socket.c:1989 [inline]
    [<ffffffff8363dfb6>] __se_sys_sendto net/socket.c:1985 [inline]
    [<ffffffff8363dfb6>] __x64_sys_sendto+0x26/0x30 net/socket.c:1985

Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
Acked-by: Alexander Aring <aahringo@redhat.com>
Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ieee802154/socket.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index a45a0401adc5..c25f7617770c 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -984,6 +984,11 @@ static const struct proto_ops ieee802154_dgram_ops = {
 	.sendpage	   = sock_no_sendpage,
 };
 
+static void ieee802154_sock_destruct(struct sock *sk)
+{
+	skb_queue_purge(&sk->sk_receive_queue);
+}
+
 /* Create a socket. Initialise the socket, blank the addresses
  * set the state.
  */
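Review bot: ieee802154_sock_destruct() purges only sk_receive_queue; if anything is ever queued on sk_error_queue for these sockets it would leak in exactly the same way, so either confirm nothing does or purge that queue here too. A one-line comment above the function saying why it exists (clones queued by ieee802154_raw_deliver can still be sitting on the socket when the last reference drops, as the syzbot trace above shows) would spare the next reader a trip through the log.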
@@ -1024,7 +1029,7 @@ static int ieee802154_create(struct net *net, struct socket *sock,
 	sock->ops = ops;
 
 	sock_init_data(sock, sk);
-	/* FIXME: sk->sk_destruct */
+	sk->sk_destruct = ieee802154_sock_destruct;
 	sk->sk_family = PF_IEEE802154;
 
 	/* Checksums on by default */
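Review bot: installing `sk->sk_destruct = ieee802154_sock_destruct;` directly after sock_init_data() is the right spot, and because ieee802154_create is the creation path for every socket in this file the destructor covers dgram sockets as well as raw ones; the subject line ("ieee802154_raw_deliver") undersells that, so the commit message could say both socket types now have their receive queue drained on teardown. Worth a quick check that nothing later in the file assigns sk_destruct again and silently overrides this.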
-- 
2.30.2
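A userland model of the bug and of the fix, added here as an illustration and not code from the patch or from the kernel: a cloned buffer is queued on a socket's receive queue, and only a destructor that purges the queue (what the patch's ieee802154_sock_destruct() does) releases it when the socket is closed before anyone reads it. Every name below is a stand-in for the kernel object named in its comment; the leak counter and the sample frame are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
static int live_bufs;                 /* buffers allocated and not yet freed */
struct buf { struct buf *next; char data[32]; };   /* stand-in for sk_buff */
struct sock {                                      /* stand-in for struct sock */
    struct buf *rx_queue;                          /* sk->sk_receive_queue */
    void (*sk_destruct)(struct sock *);            /* sk->sk_destruct */
};
static struct buf *buf_alloc(const char *payload)
{
    struct buf *b = calloc(1, sizeof *b);
    strncpy(b->data, payload, sizeof b->data - 1);
    live_bufs++;
    return b;
}
/* skb_clone() allocates a fresh header; that header is the object syzbot saw leak. */
static struct buf *buf_clone(const struct buf *src) { return buf_alloc(src->data); }
static void buf_free(struct buf *b) { free(b); live_bufs--; }
/* Models skb_queue_purge(): free everything still sitting on the socket. */
static void queue_purge(struct sock *sk)
{
    while (sk->rx_queue) {
        struct buf *b = sk->rx_queue;
        sk->rx_queue = b->next;
        buf_free(b);
    }
}
/* The patch's ieee802154_sock_destruct(), modelled. */
static void sock_destruct_purge(struct sock *sk) { queue_purge(sk); }
/* Models ieee802154_raw_deliver(): clone the frame onto the receive queue. */
static void raw_deliver(struct sock *sk, const struct buf *frame)
{
    struct buf *c = buf_clone(frame);
    c->next = sk->rx_queue;
    sk->rx_queue = c;
}
/* Models the final sock_put(): run sk_destruct if set, then free the sock. */
static void sock_release(struct sock *sk)
{
    if (sk->sk_destruct)
        sk->sk_destruct(sk);
    free(sk);
}
/* Deliver one frame, then close the socket before anyone reads it.
 * Returns how many buffers are still allocated afterwards. */
static int bufs_left_after_close(int with_fix)
{
    struct sock *sk = calloc(1, sizeof *sk);
    live_bufs = 0;
    sk->sk_destruct = with_fix ? sock_destruct_purge : NULL;
    struct buf *frame = buf_alloc("constructed 802.15.4 frame");
    raw_deliver(sk, frame);
    buf_free(frame);          /* the receive path drops its own reference */
    sock_release(sk);
    return live_bufs;         /* 1 without the fix (leaked clone), 0 with it */
}
```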
