mirror of
https://github.com/torvalds/linux.git
synced 2025-11-04 02:30:34 +02:00
b74555de21
syzbot reported:
BUG: memory leak
unreferenced object 0xffff88811eb3de00 (size 224):
comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff ..8$............
backtrace:
[<000000008d1c66a1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
[<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline]
[<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
[<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
[<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline]
[<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
[<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140 net/llc/llc_c_ac.c:777
[<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
[<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline]
[<000000001372ae17>] llc_conn_state_process+0x1ac/0x640 net/llc/llc_conn.c:75
[<00000000f27e53c1>] llc_establish_connection+0x110/0x170 net/llc/llc_if.c:109
[<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
[<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840
[...]
The bug is that most callers of llc_conn_send_pdu() assume it consumes a
reference to the skb, when actually due to commit b85ab56c3f ("llc:
properly handle dev_queue_xmit() return value") it doesn't.
Revert most of that commit, and instead make the few places that need
llc_conn_send_pdu() to *not* consume a reference call skb_get() before.
Fixes: b85ab56c3f ("llc: properly handle dev_queue_xmit() return value")
Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
119 lines
4.1 KiB
C
119 lines
4.1 KiB
C
#ifndef LLC_CONN_H
|
|
#define LLC_CONN_H
|
|
/*
|
|
* Copyright (c) 1997 by Procom Technology, Inc.
|
|
* 2001, 2002 by Arnaldo Carvalho de Melo <acme@conectiva.com.br>
|
|
*
|
|
* This program can be redistributed or modified under the terms of the
|
|
* GNU General Public License as published by the Free Software Foundation.
|
|
* This program is distributed without any warranty or implied warranty
|
|
* of merchantability or fitness for a particular purpose.
|
|
*
|
|
* See the GNU General Public License for more details.
|
|
*/
|
|
#include <linux/timer.h>
|
|
#include <net/llc_if.h>
|
|
#include <net/sock.h>
|
|
#include <linux/llc.h>
|
|
|
|
#define LLC_EVENT 1
|
|
#define LLC_PACKET 2
|
|
|
|
#define LLC2_P_TIME 2
|
|
#define LLC2_ACK_TIME 1
|
|
#define LLC2_REJ_TIME 3
|
|
#define LLC2_BUSY_TIME 3
|
|
|
|
struct llc_timer {
|
|
struct timer_list timer;
|
|
unsigned long expire; /* timer expire time */
|
|
};
|
|
|
|
struct llc_sock {
|
|
/* struct sock must be the first member of llc_sock */
|
|
struct sock sk;
|
|
struct sockaddr_llc addr; /* address sock is bound to */
|
|
u8 state; /* state of connection */
|
|
struct llc_sap *sap; /* pointer to parent SAP */
|
|
struct llc_addr laddr; /* lsap/mac pair */
|
|
struct llc_addr daddr; /* dsap/mac pair */
|
|
struct net_device *dev; /* device to send to remote */
|
|
u32 copied_seq; /* head of yet unread data */
|
|
u8 retry_count; /* number of retries */
|
|
u8 ack_must_be_send;
|
|
u8 first_pdu_Ns;
|
|
u8 npta;
|
|
struct llc_timer ack_timer;
|
|
struct llc_timer pf_cycle_timer;
|
|
struct llc_timer rej_sent_timer;
|
|
struct llc_timer busy_state_timer; /* ind busy clr at remote LLC */
|
|
u8 vS; /* seq# next in-seq I-PDU tx'd*/
|
|
u8 vR; /* seq# next in-seq I-PDU rx'd*/
|
|
u32 n2; /* max nbr re-tx's for timeout*/
|
|
u32 n1; /* max nbr octets in I PDU */
|
|
u8 k; /* tx window size; max = 127 */
|
|
u8 rw; /* rx window size; max = 127 */
|
|
u8 p_flag; /* state flags */
|
|
u8 f_flag;
|
|
u8 s_flag;
|
|
u8 data_flag;
|
|
u8 remote_busy_flag;
|
|
u8 cause_flag;
|
|
struct sk_buff_head pdu_unack_q; /* PUDs sent/waiting ack */
|
|
u16 link; /* network layer link number */
|
|
u8 X; /* a temporary variable */
|
|
u8 ack_pf; /* this flag indicates what is
|
|
the P-bit of acknowledge */
|
|
u8 failed_data_req; /* recognize that already exist a
|
|
failed llc_data_req_handler
|
|
(tx_buffer_full or unacceptable
|
|
state */
|
|
u8 dec_step;
|
|
u8 inc_cntr;
|
|
u8 dec_cntr;
|
|
u8 connect_step;
|
|
u8 last_nr; /* NR of last pdu received */
|
|
u32 rx_pdu_hdr; /* used for saving header of last pdu
|
|
received and caused sending FRMR.
|
|
Used for resending FRMR */
|
|
u32 cmsg_flags;
|
|
struct hlist_node dev_hash_node;
|
|
};
|
|
|
|
static inline struct llc_sock *llc_sk(const struct sock *sk)
|
|
{
|
|
return (struct llc_sock *)sk;
|
|
}
|
|
|
|
static __inline__ void llc_set_backlog_type(struct sk_buff *skb, char type)
|
|
{
|
|
skb->cb[sizeof(skb->cb) - 1] = type;
|
|
}
|
|
|
|
static __inline__ char llc_backlog_type(struct sk_buff *skb)
|
|
{
|
|
return skb->cb[sizeof(skb->cb) - 1];
|
|
}
|
|
|
|
struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority,
|
|
struct proto *prot, int kern);
|
|
void llc_sk_stop_all_timers(struct sock *sk, bool sync);
|
|
void llc_sk_free(struct sock *sk);
|
|
|
|
void llc_sk_reset(struct sock *sk);
|
|
|
|
/* Access to a connection */
|
|
int llc_conn_state_process(struct sock *sk, struct sk_buff *skb);
|
|
void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
|
|
void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb);
|
|
void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit);
|
|
void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit);
|
|
int llc_conn_remove_acked_pdus(struct sock *conn, u8 nr, u16 *how_many_unacked);
|
|
struct sock *llc_lookup_established(struct llc_sap *sap, struct llc_addr *daddr,
|
|
struct llc_addr *laddr);
|
|
void llc_sap_add_socket(struct llc_sap *sap, struct sock *sk);
|
|
void llc_sap_remove_socket(struct llc_sap *sap, struct sock *sk);
|
|
|
|
u8 llc_data_accept_state(u8 state);
|
|
void llc_build_offset_table(void);
|
|
#endif /* LLC_CONN_H */
|