From: Hawkins Jiawei <yin31149@gmail.com>
To: luiz.dentz@gmail.com
Cc: 18801353760@163.com, davem@davemloft.net, edumazet@google.com,
johan.hedberg@gmail.com, kuba@kernel.org,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
luiz.von.dentz@intel.com, marcel@holtmann.org,
netdev@vger.kernel.org, pabeni@redhat.com,
syzbot+8f819e36e01022991cfa@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, yin31149@gmail.com
Subject: Re: [PATCH] Bluetooth: L2CAP: Fix memory leak in vhci_write
Date: Tue, 18 Oct 2022 09:16:00 +0800 [thread overview]
Message-ID: <20221018011601.3619-1-yin31149@gmail.com> (raw)
In-Reply-To: <CABBYNZ+ycRfx3JQNwfCzXBP3G=+a=5qkdExkC2rV5+wiHUBTeA@mail.gmail.com>
On Tue, 18 Oct 2022 at 04:01, Luiz Augusto von Dentz <luiz.dentz@gmail.com> wrote:
>
> Hi Hawkins,
>
> On Mon, Oct 17, 2022 at 12:47 AM Hawkins Jiawei <yin31149@gmail.com> wrote:
> >
> > Syzkaller reports a memory leak as follows:
> > ====================================
> > BUG: memory leak
> > unreferenced object 0xffff88810d81ac00 (size 240):
> > [...]
> > hex dump (first 32 bytes):
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > backtrace:
> > [<ffffffff838733d9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418
> > [<ffffffff833f742f>] alloc_skb include/linux/skbuff.h:1257 [inline]
> > [<ffffffff833f742f>] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]
> > [<ffffffff833f742f>] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]
> > [<ffffffff833f742f>] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511
> > [<ffffffff815e398d>] call_write_iter include/linux/fs.h:2192 [inline]
> > [<ffffffff815e398d>] new_sync_write fs/read_write.c:491 [inline]
> > [<ffffffff815e398d>] vfs_write+0x42d/0x540 fs/read_write.c:578
> > [<ffffffff815e3cdd>] ksys_write+0x9d/0x160 fs/read_write.c:631
> > [<ffffffff845e0645>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > [<ffffffff845e0645>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> > [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
> > ====================================
> >
> > HCI core will uses hci_rx_work() to process frame, which is queued to
> > the hdev->rx_q tail in hci_recv_frame() by HCI driver.
> >
> > Yet the problem is that, HCI core does not free the skb after handling
> > ACL data packets. To be more specific, when start fragment does not
> > contain the L2CAP length, HCI core just reads possible bytes and
> > finishes frame process in l2cap_recv_acldata(), without freeing the skb,
> > which triggers the above memory leak.
> >
> > This patch solves it by releasing the relative skb, after processing the
> > above case in l2cap_recv_acldata()
> >
> > Fixes: 4d7ea8ee90e4 ("Bluetooth: L2CAP: Fix handling fragmented length")
> > Link: https://lore.kernel.org/all/0000000000000d0b1905e6aaef64@google.com/
> > Reported-and-tested-by: syzbot+8f819e36e01022991cfa@syzkaller.appspotmail.com
> > Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
> > ---
> > net/bluetooth/l2cap_core.c | 7 +++----
> > 1 file changed, 3 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> > index 1f34b82ca0ec..e0a00854c02e 100644
> > --- a/net/bluetooth/l2cap_core.c
> > +++ b/net/bluetooth/l2cap_core.c
> > @@ -8426,9 +8426,8 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
> > * expected length.
> > */
> > if (skb->len < L2CAP_LEN_SIZE) {
> > - if (l2cap_recv_frag(conn, skb, conn->mtu) < 0)
> > - goto drop;
> > - return;
> > + l2cap_recv_frag(conn, skb, conn->mtu);
> > + goto drop;
>
> Let us use break; instead of goto drop since we have copied the skb into rx_sbk.
Thanks for your suggestion. I will refactor this patch as you suggested.
>
> > }
> >
> > len = get_unaligned_le16(skb->data) + L2CAP_HDR_SIZE;
> > @@ -8472,7 +8471,7 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
> >
> > /* Header still could not be read just continue */
> > if (conn->rx_skb->len < L2CAP_LEN_SIZE)
> > - return;
> > + goto drop;
> > }
> >
> > if (skb->len > conn->rx_len) {
> > --
> > 2.25.1
> >
>
>
> --
> Luiz Augusto von Dentz
prev parent reply other threads:[~2022-10-18 1:16 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-17 7:44 [PATCH] Bluetooth: L2CAP: Fix memory leak in vhci_write Hawkins Jiawei
2022-10-17 8:37 ` bluez.test.bot
2022-10-17 20:01 ` [PATCH] " Luiz Augusto von Dentz
2022-10-18 1:16 ` Hawkins Jiawei [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221018011601.3619-1-yin31149@gmail.com \
--to=yin31149@gmail.com \
--cc=18801353760@163.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=johan.hedberg@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=luiz.von.dentz@intel.com \
--cc=marcel@holtmann.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+8f819e36e01022991cfa@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox