2d04f32c88
[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]
If llc_mac_hdr_init() returns an error, we must drop the skb
since no llc_build_and_send_ui_pkt() caller will take care of this.
BUG: memory leak
unreferenced object 0xffff8881202b6800 (size 2048):
comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
backtrace:
[<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
[<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
[<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
[<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
[<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
[<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
[<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
[<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
[<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
[<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
[<000000008bdec225>] sock_create net/socket.c:1481 [inline]
[<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
[<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
[<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
[<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
[<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
[<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811d750d00 (size 224):
comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff ...$.....h+ ....
backtrace:
[<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
[<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline]
[<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
[<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
[<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline]
[<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
[<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
[<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
[<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
[<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline]
[<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671
[<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
[<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline]
[<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline]
[<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
[<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
[<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
/*
* llc_output.c - LLC minimal output path
*
* Copyright (c) 1997 by Procom Technology, Inc.
* 2001-2003 by Arnaldo Carvalho de Melo <acme@conectiva.com.br>
*
* This program can be redistributed or modified under the terms of the
* GNU General Public License version 2 as published by the Free Software
* Foundation.
* This program is distributed without any warranty or implied warranty
* of merchantability or fitness for a particular purpose.
*
* See the GNU General Public License version 2 for more details.
*/
#include <linux/if_arp.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <linux/export.h>
#include <net/llc.h>
#include <net/llc_pdu.h>
/**
 *	llc_mac_hdr_init - build the MAC header in front of an LLC frame
 *	@skb: frame whose MAC header is filled in; skb->dev selects the MAC type
 *	@sa: the MAC source address
 *	@da: the MAC destination address
 *
 *	Only ARPHRD_ETHER and ARPHRD_LOOPBACK devices are handled. For those the
 *	header is built by dev_hard_header() with ETH_P_802_2 and the current
 *	skb->len.
 *
 *	Returns 0 when dev_hard_header() reports a non-negative value. Returns
 *	-EINVAL for every other device type; a negative value from
 *	dev_hard_header() is passed through unchanged.
 *
 *	The skb is never freed here, so on failure it still belongs to the
 *	caller, which has to drop it or it is leaked.
 */
int llc_mac_hdr_init(struct sk_buff *skb,
		     const unsigned char *sa, const unsigned char *da)
{
	struct net_device *dev = skb->dev;
	int hdr_rc;

	/* Any link type other than Ethernet/loopback is rejected outright. */
	if (dev->type != ARPHRD_ETHER && dev->type != ARPHRD_LOOPBACK)
		return -EINVAL;

	hdr_rc = dev_hard_header(skb, dev, ETH_P_802_2, da, sa, skb->len);

	/* A positive result is folded into plain success for the caller. */
	return hdr_rc > 0 ? 0 : hdr_rc;
}
/**
 *	llc_build_and_send_ui_pkt - unitdata request interface for upper layers
 *	@sap: sap to use; sap->laddr.lsap is written into the PDU header
 *	@skb: packet to send
 *	@dmac: destination mac address
 *	@dsap: destination sap
 *
 *	Upper layers call this function to send data using connection-less
 *	mode communication (UI pdu). Timeout/retries are handled by the network
 *	layer.
 *
 *	Returns the result of dev_queue_xmit() when the MAC header could be
 *	built, otherwise the error returned by llc_mac_hdr_init().
 *
 *	Ownership: @skb is given up on every path. It is either passed on to
 *	dev_queue_xmit() or, when llc_mac_hdr_init() fails, released here with
 *	kfree_skb(). Callers must treat @skb as gone once this returns and must
 *	not free it again.
 */
int llc_build_and_send_ui_pkt(struct llc_sap *sap, struct sk_buff *skb,
			      unsigned char *dmac, unsigned char dsap)
{
	int err;

	llc_pdu_header_init(skb, LLC_PDU_TYPE_U, sap->laddr.lsap,
			    dsap, LLC_PDU_CMD);
	llc_pdu_init_as_ui_cmd(skb);

	err = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac);
	if (unlikely(err)) {
		/*
		 * No caller frees the skb after a failure, so it has to be
		 * dropped here; otherwise every failed send leaks it.
		 */
		kfree_skb(skb);
		return err;
	}

	return dev_queue_xmit(skb);
}
/* Export llc_mac_hdr_init() so that code outside this file can link to it. */
EXPORT_SYMBOL(llc_mac_hdr_init);
/* Export the UI send path; it gives up the skb on every return path. */
EXPORT_SYMBOL(llc_build_and_send_ui_pkt);