releases/4.9.114/net-nfc-avoid-stalls-when-nfc_alloc_send_skb-returned-null.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 3bc53be9db21040b5d2de4d455f023c8c494aa68 Mon Sep 17 00:00:00 2001
 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
 Date: Wed, 18 Jul 2018 18:57:27 +0900
 Subject: net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.

 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

 commit 3bc53be9db21040b5d2de4d455f023c8c494aa68 upstream.

 syzbot is reporting stalls at nfc_llcp_send_ui_frame() [1]. This is
 because nfc_llcp_send_ui_frame() is retrying the loop without any delay
 when nonblocking nfc_alloc_send_skb() returned NULL.

 Since there is no need to use MSG_DONTWAIT if we retry until
 sock_alloc_send_pskb() succeeds, let's use blocking call.
 Also, in case an unexpected error occurred, let's break the loop
 if blocking nfc_alloc_send_skb() failed.

 [1] https://syzkaller.appspot.com/bug?id=4a131cc571c3733e0eff6bc673f4e36ae48f19c6

 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
 Reported-by: syzbot <syzbot+d29d18215e477cfbfbdd@syzkaller.appspotmail.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  net/nfc/llcp_commands.c |    9 ++++++---
  1 file changed, 6 insertions(+), 3 deletions(-)

 --- a/net/nfc/llcp_commands.c
 +++ b/net/nfc/llcp_commands.c
 @@ -753,11 +753,14 @@ int nfc_llcp_send_ui_frame(struct nfc_ll
  		pr_debug("Fragment %zd bytes remaining %zd",
  			 frag_len, remaining_len);

 -		pdu = nfc_alloc_send_skb(sock->dev, &sock->sk, MSG_DONTWAIT,
 +		pdu = nfc_alloc_send_skb(sock->dev, &sock->sk, 0,
  					 frag_len + LLCP_HEADER_SIZE, &err);
  		if (pdu == NULL) {
 -			pr_err("Could not allocate PDU\n");
 -			continue;
 +			pr_err("Could not allocate PDU (error=%d)\n", err);
 +			len -= remaining_len;
 +			if (len == 0)
 +				len = err;
 +			break;
  		}

  		pdu = llcp_add_header(pdu, dsap, ssap, LLCP_PDU_UI);
	From 3bc53be9db21040b5d2de4d455f023c8c494aa68 Mon Sep 17 00:00:00 2001
	From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
	Date: Wed, 18 Jul 2018 18:57:27 +0900
	Subject: net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.

	From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

	commit 3bc53be9db21040b5d2de4d455f023c8c494aa68 upstream.

	syzbot is reporting stalls at nfc_llcp_send_ui_frame() [1]. This is
	because nfc_llcp_send_ui_frame() is retrying the loop without any delay
	when nonblocking nfc_alloc_send_skb() returned NULL.

	Since there is no need to use MSG_DONTWAIT if we retry until
	sock_alloc_send_pskb() succeeds, let's use blocking call.
	Also, in case an unexpected error occurred, let's break the loop
	if blocking nfc_alloc_send_skb() failed.

	[1] https://syzkaller.appspot.com/bug?id=4a131cc571c3733e0eff6bc673f4e36ae48f19c6

	Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
	Reported-by: syzbot <syzbot+d29d18215e477cfbfbdd@syzkaller.appspotmail.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	net/nfc/llcp_commands.c \| 9 ++++++---
	1 file changed, 6 insertions(+), 3 deletions(-)

	--- a/net/nfc/llcp_commands.c
	+++ b/net/nfc/llcp_commands.c
	@@ -753,11 +753,14 @@ int nfc_llcp_send_ui_frame(struct nfc_ll
	pr_debug("Fragment %zd bytes remaining %zd",
	frag_len, remaining_len);

	- pdu = nfc_alloc_send_skb(sock->dev, &sock->sk, MSG_DONTWAIT,
	+ pdu = nfc_alloc_send_skb(sock->dev, &sock->sk, 0,
	frag_len + LLCP_HEADER_SIZE, &err);
	if (pdu == NULL) {
	- pr_err("Could not allocate PDU\n");
	- continue;
	+ pr_err("Could not allocate PDU (error=%d)\n", err);
	+ len -= remaining_len;
	+ if (len == 0)
	+ len = err;
	+ break;
	}

	pdu = llcp_add_header(pdu, dsap, ssap, LLCP_PDU_UI);