Hi,
On Thu, 5 Aug 2021 at 09:50, Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> On Thu, 5 Aug 2021 16:54:14 +0900 Takeshi Misawa wrote:
> > If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked.
> > Fix this, by freeing sk_receive_queue in sk->sk_destruct().
> >
> > syzbot report:
> > BUG: memory leak
> > unreferenced object 0xffff88810f644600 (size 232):
> > comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
> > hex dump (first 32 bytes):
> > 10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff .}K......}K.....
> > 00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff ........@|K.....
> > backtrace:
> > [<ffffffff83651d4a>] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
> > [<ffffffff83fe1b80>] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
> > [<ffffffff83fe1b80>] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
> > [<ffffffff8367cc7a>] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
> > [<ffffffff8367cd07>] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
> > [<ffffffff8367cdd9>] netif_receive_skb_internal net/core/dev.c:5603 [inline]
> > [<ffffffff8367cdd9>] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
> > [<ffffffff83fe6302>] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
> > [<ffffffff83fe6302>] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
> > [<ffffffff83fe6302>] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
> > [<ffffffff83fe6302>] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
> > [<ffffffff83fe59a6>] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
> > [<ffffffff81232aab>] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
> > [<ffffffff846000bf>] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
> > [<ffffffff81232f4c>] do_softirq kernel/softirq.c:248 [inline]
> > [<ffffffff81232f4c>] do_softirq+0x5c/0x80 kernel/softirq.c:235
> > [<ffffffff81232fc1>] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
> > [<ffffffff8367a9a4>] local_bh_enable include/linux/bottom_half.h:32 [inline]
> > [<ffffffff8367a9a4>] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
> > [<ffffffff8367a9a4>] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
> > [<ffffffff83fe2db4>] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
> > [<ffffffff8363af16>] sock_sendmsg_nosec net/socket.c:654 [inline]
> > [<ffffffff8363af16>] sock_sendmsg+0x56/0x80 net/socket.c:674
> > [<ffffffff8363deec>] __sys_sendto+0x15c/0x200 net/socket.c:1977
> > [<ffffffff8363dfb6>] __do_sys_sendto net/socket.c:1989 [inline]
> > [<ffffffff8363dfb6>] __se_sys_sendto net/socket.c:1985 [inline]
> > [<ffffffff8363dfb6>] __x64_sys_sendto+0x26/0x30 net/socket.c:1985
> >
> > Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
> > Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Signed-off-by: Takeshi Misawa <jeliantsurux@xxxxxxxxx>
Acked-by: Alexander Aring <aahringo@xxxxxxxxxx>
Tested with one of the c reproducers. Doesn't occur anymore. I see
other socket implementations e.g. af_can.c which do similar things.
Thank you so much for fixing this issue!
- Alex
