korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-15 16:24:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
7c9524d929
linux/net
History
Hawkins Jiawei 7c9524d929 Bluetooth: L2CAP: Fix memory leak in vhci_write 
Syzkaller reports a memory leak as follows:
====================================
BUG: memory leak
unreferenced object 0xffff88810d81ac00 (size 240):
  [...]
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff838733d9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418
    [<ffffffff833f742f>] alloc_skb include/linux/skbuff.h:1257 [inline]
    [<ffffffff833f742f>] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]
    [<ffffffff833f742f>] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]
    [<ffffffff833f742f>] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511
    [<ffffffff815e398d>] call_write_iter include/linux/fs.h:2192 [inline]
    [<ffffffff815e398d>] new_sync_write fs/read_write.c:491 [inline]
    [<ffffffff815e398d>] vfs_write+0x42d/0x540 fs/read_write.c:578
    [<ffffffff815e3cdd>] ksys_write+0x9d/0x160 fs/read_write.c:631
    [<ffffffff845e0645>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845e0645>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
====================================

HCI core will uses hci_rx_work() to process frame, which is queued to
the hdev->rx_q tail in hci_recv_frame() by HCI driver.

Yet the problem is that, HCI core may not free the skb after handling
ACL data packets. To be more specific, when start fragment does not
contain the L2CAP length, HCI core just copies skb into conn->rx_skb and
finishes frame process in l2cap_recv_acldata(), without freeing the skb,
which triggers the above memory leak.

This patch solves it by releasing the relative skb, after processing
the above case in l2cap_recv_acldata().

Fixes: 4d7ea8ee90 ("Bluetooth: L2CAP: Fix handling fragmented length")
Link: https://lore.kernel.org/all/0000000000000d0b1905e6aaef64@google.com/
Reported-and-tested-by: syzbot+8f819e36e01022991cfa@syzkaller.appspotmail.com
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2022-11-02 14:16:00 -07:00
..
6lowpan net: 6lowpan: constify lowpan_nhc structures 2022-06-09 21:53:28 +02:00
9p net/9p: clarify trans_fd parse_opt failure handling 2022-10-07 21:23:09 +09:00
802 treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
8021q net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
appletalk
atm net/atm: fix proc_mpc_write incorrect return value 2022-10-15 11:08:36 +01:00
ax25 ax25: move from strlcpy with unused retval to strscpy 2022-08-22 17:55:50 -07:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-09-22 13:02:10 -07:00
bluetooth Bluetooth: L2CAP: Fix memory leak in vhci_write 2022-11-02 14:16:00 -07:00
bpf selftests/bpf: Add tests for kfunc returning a memory pointer 2022-09-07 11:05:17 -07:00
bpfilter
bridge net: bridge: assign path_cost for 2.5G and 5G link speed 2022-09-30 12:35:29 +01:00
caif caif: move from strlcpy with unused retval to strscpy 2022-08-22 17:57:35 -07:00
can can: j1939: transport: j1939_session_skb_drop_old(): spin_unlock_irqrestore() before kfree_skb() 2022-10-27 13:34:23 +02:00
ceph Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
core net: do not sense pfmemalloc status in skb_append_pagefrags() 2022-10-27 11:25:13 -07:00
dcb
dccp treewide: use get_random_{u8,u16}() when possible, part 1 2022-10-11 17:42:58 -06:00
dns_resolver
dsa net: dsa: fall back to default tagger if we can't load the one from DT 2022-10-28 21:58:30 -07:00
ethernet net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
ethtool ethtool: eeprom: fix null-deref on genl_info in dump 2022-10-24 19:08:07 -07:00
hsr net: hsr: avoid possible NULL deref in skb_clone() 2022-10-18 19:18:27 -07:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-10-07 09:29:17 +02:00
ife
ipv4 net: also flag accepted sockets supporting msghdr originated zerocopy 2022-10-28 20:21:25 -07:00
ipv6 udp: advertise ipv6 udp support for msghdr::ubuf_info 2022-10-28 20:21:25 -07:00
iucv net: keep sk->sk_forward_alloc as small as possible 2022-06-10 16:21:27 -07:00
kcm kcm: do not sense pfmemalloc status in kcm_sendpage() 2022-10-27 11:25:13 -07:00
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-08-24 12:51:50 +01:00
l2tp genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
l3mdev
lapb
llc net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
mac80211 Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
mac802154 mac802154: Fix LQI recording 2022-10-24 11:07:39 +02:00
mctp mctp: prevent double key removal and unref 2022-10-12 13:30:50 +01:00
mpls net: Use u64_stats_fetch_begin_irq() for stats fetch. 2022-08-29 13:02:27 +01:00
mptcp mptcp: fix abba deadlock on fastopen 2022-10-24 21:13:56 -07:00
ncsi genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netfilter netlink: introduce bigendian integer types 2022-11-01 21:29:06 -07:00
netlabel genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink genetlink: limit the use of validation workarounds to old ops 2022-10-27 08:20:21 -07:00
netrom
nfc NFC: hci: Split memcpy() of struct hcp_message flexible array 2022-09-27 07:45:18 -07:00
nsh
openvswitch net: openvswitch: add missing .resv_start_op 2022-10-28 20:19:53 -07:00
packet treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
phonet
psample genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
qrtr net: qrtr: start MHI channel after endpoit creation 2022-08-15 11:21:42 +01:00
rds treewide: use get_random_{u8,u16}() when possible, part 2 2022-10-11 17:42:58 -06:00
rfkill
rose rose: Fix NULL pointer dereference in rose_send_frame() 2022-11-02 11:57:30 +00:00
rxrpc rxrpc: remove rxrpc_max_call_lifetime declaration 2022-09-19 17:58:47 -07:00
sched net: sched: Fix use after free in red_enqueue() 2022-10-31 11:55:39 +00:00
sctp treewide: use get_random_{u8,u16}() when possible, part 1 2022-10-11 17:42:58 -06:00
smc net/smc: Fix an error code in smc_lgr_create() 2022-10-15 11:12:12 +01:00
strparser strparser: pad sk_skb_cb to avoid straddling cachelines 2022-07-08 18:38:44 -07:00
sunrpc Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
switchdev net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
tipc tipc: fix a null-ptr-deref in tipc_topsrv_accept 2022-10-20 21:08:17 -07:00
tls tls: strp: make sure the TCP skbs do not have overlapping data 2022-10-14 08:25:26 +01:00
unix net: remove SOCK_SUPPORT_ZC from sockmap 2022-10-28 20:21:25 -07:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
wireless Merge branch 'cve-fixes-2022-10-13' 2022-10-13 11:59:56 +02:00
x25 net/x25: fix call timeouts in blocking connects 2022-08-08 20:48:51 -07:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
xfrm treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
compat.c net: clear msg_get_inq in __get_compat_msghdr() 2022-09-20 08:23:20 -07:00
devres.c
Kconfig Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
Kconfig.debug net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET 2022-09-20 14:23:56 -07:00
Makefile Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
socket.c d_path pile 2022-10-06 16:55:41 -07:00
sysctl_net.c