leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7a62ed6136
linux/net
History
Kuniyuki Iwashima 7a62ed6136 af_unix: Fix memory leaks of the whole sk due to OOB skb. 
syzbot reported a sequence of memory leaks, and one of them indicated we
failed to free a whole sk:

  unreferenced object 0xffff8880126e0000 (size 1088):
    comm "syz-executor419", pid 326, jiffies 4294773607 (age 12.609s)
    hex dump (first 32 bytes):
      00 00 00 00 00 00 00 00 7d 00 00 00 00 00 00 00  ........}.......
      01 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
    backtrace:
      [<000000006fefe750>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:1970
      [<0000000074006db5>] sk_alloc+0x3b/0x800 net/core/sock.c:2029
      [<00000000728cd434>] unix_create1+0xaf/0x920 net/unix/af_unix.c:928
      [<00000000a279a139>] unix_create+0x113/0x1d0 net/unix/af_unix.c:997
      [<0000000068259812>] __sock_create+0x2ab/0x550 net/socket.c:1516
      [<00000000da1521e1>] sock_create net/socket.c:1566 [inline]
      [<00000000da1521e1>] __sys_socketpair+0x1a8/0x550 net/socket.c:1698
      [<000000007ab259e1>] __do_sys_socketpair net/socket.c:1751 [inline]
      [<000000007ab259e1>] __se_sys_socketpair net/socket.c:1748 [inline]
      [<000000007ab259e1>] __x64_sys_socketpair+0x97/0x100 net/socket.c:1748
      [<000000007dedddc1>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      [<000000007dedddc1>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
      [<000000009456679f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

We can reproduce this issue by creating two AF_UNIX SOCK_STREAM sockets,
send()ing an OOB skb to each other, and close()ing them without consuming
the OOB skbs.

  int skpair[2];

  socketpair(AF_UNIX, SOCK_STREAM, 0, skpair);

  send(skpair[0], "x", 1, MSG_OOB);
  send(skpair[1], "x", 1, MSG_OOB);

  close(skpair[0]);
  close(skpair[1]);

Currently, we free an OOB skb in unix_sock_destructor() which is called via
__sk_free(), but it's too late because the receiver's unix_sk(sk)->oob_skb
is accounted against the sender's sk->sk_wmem_alloc and __sk_free() is
called only when sk->sk_wmem_alloc is 0.

In the repro sequences, we do not consume the OOB skb, so both two sk's
sock_put() never reach __sk_free() due to the positive sk->sk_wmem_alloc.
Then, no one can consume the OOB skb nor call __sk_free(), and we finally
leak the two whole sk.

Thus, we must free the unconsumed OOB skb earlier when close()ing the
socket.

Fixes: 314001f0bf ("af_unix: Add OOB support")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-10-03 08:00:50 +01:00
..
6lowpan net: 6lowpan: constify lowpan_nhc structures 2022-06-09 21:53:28 +02:00
9p iov_iter stuff, part 2, rebased 2022-08-08 20:04:35 -07:00
802
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-07-14 15:27:35 -07:00
appletalk net: remove noblock parameter from skb_recv_datagram() 2022-04-06 13:45:26 +01:00
atm net: SO_RCVMARK socket option for SO_MARK with recvmsg() 2022-04-28 13:08:15 -07:00
ax25 net: avoid overflow when rose /proc displays timer information. 2022-08-05 19:00:02 -07:00
batman-adv batman-adv: Fix hang up with small MTU hard-interface 2022-08-20 14:17:45 +02:00
bluetooth Bluetooth: hci_sync: Fix hci_read_buffer_size_sync 2022-09-02 14:01:28 -07:00
bpf bpf: Allow calling bpf_prog_test kfuncs in tracing programs 2022-08-09 18:46:11 -07:00
bpfilter uaccess: remove CONFIG_SET_FS 2022-02-25 09:36:06 +01:00
bridge netfilter: ebtables: fix memory leak when blob is malformed 2022-09-20 23:50:03 +02:00
caif caif: Fix bitmap data type in "struct caifsock" 2022-07-22 12:51:45 +01:00
can can: j1939: j1939_session_destroy(): fix memory leak of skbs 2022-08-09 09:05:06 +02:00
ceph libceph: clean up ceph_osdc_start_request prototype 2022-08-03 14:05:39 +02:00
core Revert "net: set proper memcg for net_init hooks allocations" 2022-09-28 09:20:37 -07:00
dcb net: dcb: disable softirqs in dcbnl_flush_dev() 2022-03-03 08:01:55 -08:00
dccp dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock 2022-08-01 12:11:56 -07:00
decnet dn_route: replace "jiffies-now>0" with "jiffies!=now" 2022-07-29 20:12:49 -07:00
dns_resolver
dsa net: dsa: hellcreek: Print warning only once 2022-08-31 19:54:04 -07:00
ethernet net: ethernet: set default assignment identifier to NET_NAME_ENUM 2022-04-07 21:04:03 -07:00
ethtool net: delete extra space and tab in blank line 2022-07-25 19:38:31 -07:00
hsr treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_30.RULE (part 2) 2022-06-10 14:51:35 +02:00
ieee802154 net/ieee802154: fix uninit value bug in dgram_sendmsg 2022-09-16 10:53:55 +01:00
ife
ipv4 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-09-30 13:09:11 +01:00
ipv6 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-09-30 13:09:11 +01:00
iucv net: keep sk->sk_forward_alloc as small as possible 2022-06-10 16:21:27 -07:00
kcm kcm: fix strp_init() order and cleanup 2022-08-31 12:16:44 -07:00
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-08-24 12:51:50 +01:00
l2tp l2tp: l2tp_debugfs: fix Clang -Wformat warnings 2022-07-08 12:14:36 +01:00
l3mdev l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu 2022-04-15 14:27:24 -07:00
lapb
llc net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
mac80211 A few late-comer fixes: 2022-09-27 16:52:45 -07:00
mac802154 net: mac802154: Fix a condition in the receive path 2022-08-29 11:10:22 +02:00
mctp Networking changes for 5.19. 2022-05-25 12:22:58 -07:00
mpls net: Use u64_stats_fetch_begin_irq() for stats fetch. 2022-08-29 13:02:27 +01:00
mptcp mptcp: fix unreleased socket in accept queue 2022-09-28 19:05:21 -07:00
ncsi net/ncsi: use proper "mellanox" DT vendor prefix 2022-06-23 20:51:06 -07:00
netfilter netfilter: nf_ct_ftp: fix deadlock when nat rewrite is needed 2022-09-20 23:50:03 +02:00
netlabel netlabel: fix typo in comment 2022-08-10 09:24:41 +01:00
netlink net: genl: fix error path memory leak in policy dumping 2022-08-18 10:20:48 -07:00
netrom net: remove noblock parameter from skb_recv_datagram() 2022-04-06 13:45:26 +01:00
nfc net: nfc: Directly use ida_alloc()/free() 2022-05-28 15:28:47 +01:00
nsh
openvswitch openvswitch: fix memory leak at failed datapath creation 2022-08-26 19:26:30 -07:00
packet net/af_packet: check len when min_header_len equals to 0 2022-07-29 12:09:27 +01:00
phonet net: remove noblock parameter from recvmsg() entities 2022-04-12 15:00:25 +02:00
psample
qrtr net: qrtr: start MHI channel after endpoit creation 2022-08-15 11:21:42 +01:00
rds net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() 2022-10-03 07:56:02 +01:00
rfkill rfkill: make new event layout opt-in 2022-03-18 13:09:17 +02:00
rose rose: check NULL rose_loopback_neigh->loopback 2022-08-22 14:24:54 +01:00
rxrpc rxrpc: Remove rxrpc_get_reply_time() which is no longer used 2022-09-01 11:44:13 +01:00
sched net: sched: act_ct: fix possible refcount leak in tcf_ct_init() 2022-09-26 12:40:39 -07:00
sctp sctp: handle the error returned from sctp_auth_asoc_init_active_key 2022-09-30 12:36:40 +01:00
smc net/smc: Stop the CLC flow if no link to map buffers on 2022-09-22 12:53:53 +02:00
strparser strparser: pad sk_skb_cb to avoid straddling cachelines 2022-07-08 18:38:44 -07:00
sunrpc NFS client bugfixes for Linux 6.0 2022-09-12 17:53:46 -04:00
switchdev net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
tipc tipc: fix shift wrapping bug in map_get() 2022-09-02 12:26:29 +01:00
tls tls: rx: react to strparser initialization errors 2022-08-17 10:24:00 +01:00
unix af_unix: Fix memory leaks of the whole sk due to OOB skb. 2022-10-03 08:00:50 +01:00
vmw_vsock vhost/vsock: Use kvmalloc/kvfree for larger packets. 2022-09-29 18:34:08 -07:00
wireless wifi: cfg80211: fix MCS divisor value 2022-09-27 10:26:55 +02:00
x25 net/x25: fix call timeouts in blocking connects 2022-08-08 20:48:51 -07:00
xdp xsk: Fix corrupted packets for XDP_SHARED_UMEM 2022-08-15 17:26:07 +02:00
xfrm xfrm: Reinject transport-mode packets through workqueue 2022-09-28 09:04:12 +02:00
compat.c net: clear msg_get_inq in __get_compat_msghdr() 2022-09-20 08:23:20 -07:00
devres.c
Kconfig page_pool: Add allocation stats 2022-03-03 09:55:28 +00:00
Kconfig.debug net: CONFIG_DEBUG_NET depends on CONFIG_NET 2022-06-02 10:15:05 -07:00
Makefile
socket.c net: Fix a data-race around sysctl_somaxconn. 2022-08-24 13:46:58 +01:00
sysctl_net.c