From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Biggers <ebiggers@google.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 144/174] llc: fix another potential sk_buff leak in llc_ui_sendmsg()
Date: Thu, 16 Jan 2020 12:42:21 -0500 [thread overview]
Message-ID: <20200116174251.24326-144-sashal@kernel.org> (raw)
In-Reply-To: <20200116174251.24326-1-sashal@kernel.org>
From: Eric Biggers <ebiggers@google.com>
[ Upstream commit fc8d5db10cbe1338a52ebc74e7feab9276721774 ]
All callers of llc_conn_state_process() except llc_build_and_send_pkt()
(via llc_ui_sendmsg() -> llc_ui_send_data()) assume that it always
consumes a reference to the skb. Fix this caller to do the same.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/llc/af_llc.c | 34 ++++++++++++++++++++--------------
net/llc/llc_conn.c | 2 ++
net/llc/llc_if.c | 12 ++++++++----
3 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index c153fc2883a8..69f1558dfcb7 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -111,22 +111,26 @@ static inline u8 llc_ui_header_len(struct sock *sk, struct sockaddr_llc *addr)
*
* Send data via reliable llc2 connection.
* Returns 0 upon success, non-zero if action did not succeed.
+ *
+ * This function always consumes a reference to the skb.
*/
static int llc_ui_send_data(struct sock* sk, struct sk_buff *skb, int noblock)
{
struct llc_sock* llc = llc_sk(sk);
- int rc = 0;
if (unlikely(llc_data_accept_state(llc->state) ||
llc->remote_busy_flag ||
llc->p_flag)) {
long timeout = sock_sndtimeo(sk, noblock);
+ int rc;
rc = llc_ui_wait_for_busy_core(sk, timeout);
+ if (rc) {
+ kfree_skb(skb);
+ return rc;
+ }
}
- if (unlikely(!rc))
- rc = llc_build_and_send_pkt(sk, skb);
- return rc;
+ return llc_build_and_send_pkt(sk, skb);
}
static void llc_ui_sk_init(struct socket *sock, struct sock *sk)
@@ -896,7 +900,7 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
DECLARE_SOCKADDR(struct sockaddr_llc *, addr, msg->msg_name);
int flags = msg->msg_flags;
int noblock = flags & MSG_DONTWAIT;
- struct sk_buff *skb;
+ struct sk_buff *skb = NULL;
size_t size = 0;
int rc = -EINVAL, copied = 0, hdrlen;
@@ -905,10 +909,10 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
lock_sock(sk);
if (addr) {
if (msg->msg_namelen < sizeof(*addr))
- goto release;
+ goto out;
} else {
if (llc_ui_addr_null(&llc->addr))
- goto release;
+ goto out;
addr = &llc->addr;
}
/* must bind connection to sap if user hasn't done it. */
@@ -916,7 +920,7 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
/* bind to sap with null dev, exclusive. */
rc = llc_ui_autobind(sock, addr);
if (rc)
- goto release;
+ goto out;
}
hdrlen = llc->dev->hard_header_len + llc_ui_header_len(sk, addr);
size = hdrlen + len;
@@ -925,12 +929,12 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
copied = size - hdrlen;
rc = -EINVAL;
if (copied < 0)
- goto release;
+ goto out;
release_sock(sk);
skb = sock_alloc_send_skb(sk, size, noblock, &rc);
lock_sock(sk);
if (!skb)
- goto release;
+ goto out;
skb->dev = llc->dev;
skb->protocol = llc_proto_type(addr->sllc_arphrd);
skb_reserve(skb, hdrlen);
@@ -940,29 +944,31 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
if (sk->sk_type == SOCK_DGRAM || addr->sllc_ua) {
llc_build_and_send_ui_pkt(llc->sap, skb, addr->sllc_mac,
addr->sllc_sap);
+ skb = NULL;
goto out;
}
if (addr->sllc_test) {
llc_build_and_send_test_pkt(llc->sap, skb, addr->sllc_mac,
addr->sllc_sap);
+ skb = NULL;
goto out;
}
if (addr->sllc_xid) {
llc_build_and_send_xid_pkt(llc->sap, skb, addr->sllc_mac,
addr->sllc_sap);
+ skb = NULL;
goto out;
}
rc = -ENOPROTOOPT;
if (!(sk->sk_type == SOCK_STREAM && !addr->sllc_ua))
goto out;
rc = llc_ui_send_data(sk, skb, noblock);
+ skb = NULL;
out:
- if (rc) {
- kfree_skb(skb);
-release:
+ kfree_skb(skb);
+ if (rc)
dprintk("%s: failed sending from %02X to %02X: %d\n",
__func__, llc->laddr.lsap, llc->daddr.lsap, rc);
- }
release_sock(sk);
return rc ? : copied;
}
diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index d861b74ad068..5d653f5261c5 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -55,6 +55,8 @@ int sysctl_llc2_busy_timeout = LLC2_BUSY_TIME * HZ;
* (executing it's actions and changing state), upper layer will be
* indicated or confirmed, if needed. Returns 0 for success, 1 for
* failure. The socket lock has to be held before calling this function.
+ *
+ * This function always consumes a reference to the skb.
*/
int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
{
diff --git a/net/llc/llc_if.c b/net/llc/llc_if.c
index 6daf391b3e84..fc4d2bd8816f 100644
--- a/net/llc/llc_if.c
+++ b/net/llc/llc_if.c
@@ -38,6 +38,8 @@
* closed and -EBUSY when sending data is not permitted in this state or
* LLC has send an I pdu with p bit set to 1 and is waiting for it's
* response.
+ *
+ * This function always consumes a reference to the skb.
*/
int llc_build_and_send_pkt(struct sock *sk, struct sk_buff *skb)
{
@@ -46,20 +48,22 @@ int llc_build_and_send_pkt(struct sock *sk, struct sk_buff *skb)
struct llc_sock *llc = llc_sk(sk);
if (unlikely(llc->state == LLC_CONN_STATE_ADM))
- goto out;
+ goto out_free;
rc = -EBUSY;
if (unlikely(llc_data_accept_state(llc->state) || /* data_conn_refuse */
llc->p_flag)) {
llc->failed_data_req = 1;
- goto out;
+ goto out_free;
}
ev = llc_conn_ev(skb);
ev->type = LLC_CONN_EV_TYPE_PRIM;
ev->prim = LLC_DATA_PRIM;
ev->prim_type = LLC_PRIM_TYPE_REQ;
skb->dev = llc->dev;
- rc = llc_conn_state_process(sk, skb);
-out:
+ return llc_conn_state_process(sk, skb);
+
+out_free:
+ kfree_skb(skb);
return rc;
}
--
2.20.1
next prev parent reply other threads:[~2020-01-16 17:49 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200116174251.24326-1-sashal@kernel.org>
2020-01-16 17:40 ` [PATCH AUTOSEL 4.4 058/174] net: sh_eth: fix a missing check of of_get_phy_mode Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 069/174] dccp: Fix memleak in __feat_register_sp Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 072/174] ehea: Fix a copy-paste err in ehea_init_port_res Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 076/174] tipc: set sysctl_tipc_rmem and named_timeout right range Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 079/174] 6lowpan: Off by one handling ->nexthdr Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 082/174] packet: in recvmsg msg_name return at least sizeof sockaddr_ll Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 089/174] netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 098/174] inet: frags: call inet_frags_fini() after unregister_pernet_subsys() Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 102/174] net/af_iucv: always register net_device notifier Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 109/174] net: pasemi: fix an use-after-free in pasemi_mac_phy_init() Sasha Levin
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 111/174] libertas_tf: Use correct channel range in lbtf_geo_init Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 125/174] mac80211: minstrel_ht: fix per-group max throughput rate initialization Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 133/174] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 134/174] net: sonic: return NETDEV_TX_OK if failed to map buffer Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 137/174] net: sonic: replace dev_kfree_skb in sonic_send_packet Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 138/174] net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names' Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 140/174] net: hisilicon: Fix signedness bug in hix5hd2_dev_probe() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 141/174] net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 142/174] net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 143/174] mac80211: accept deauth frames in IBSS mode Sasha Levin
2020-01-16 17:42 ` Sasha Levin [this message]
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 145/174] llc: fix sk_buff refcounting in llc_conn_state_process() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 146/174] net: stmmac: fix length of PTP clock's name string Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 150/174] net: qca_spi: Move reset_count to struct qcaspi Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 151/174] mt7601u: fix bbp version check in mt7601u_wait_bbp_ready Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 155/174] cw1200: Fix a signedness bug in cw1200_load_firmware() Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 157/174] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 162/174] net: neigh: use long type to store jiffies delta Sasha Levin
2020-01-16 17:42 ` [PATCH AUTOSEL 4.4 164/174] packet: fix data-race in fanout_flow_is_huge() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200116174251.24326-144-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ebiggers@google.com \
--cc=jakub.kicinski@netronome.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).