From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Yang Yingliang <yangyingliang@huawei.com>,
Hulk Robot <hulkci@huawei.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 01/17] net/802/mrp: fix memleak in mrp_request_join()
Date: Thu, 22 Jul 2021 23:57:32 -0400 [thread overview]
Message-ID: <20210723035748.531594-1-sashal@kernel.org> (raw)
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 996af62167d0e0ec69b938a3561e96f84ffff1aa ]
I got kmemleak report when doing fuzz test:
BUG: memory leak
unreferenced object 0xffff88810c239500 (size 64):
comm "syz-executor940", pid 882, jiffies 4294712870 (age 14.631s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 01 00 00 00 01 02 00 04 ................
backtrace:
[<00000000a323afa4>] slab_alloc_node mm/slub.c:2972 [inline]
[<00000000a323afa4>] slab_alloc mm/slub.c:2980 [inline]
[<00000000a323afa4>] __kmalloc+0x167/0x340 mm/slub.c:4130
[<000000005034ca11>] kmalloc include/linux/slab.h:595 [inline]
[<000000005034ca11>] mrp_attr_create net/802/mrp.c:276 [inline]
[<000000005034ca11>] mrp_request_join+0x265/0x550 net/802/mrp.c:530
[<00000000fcfd81f3>] vlan_mvrp_request_join+0x145/0x170 net/8021q/vlan_mvrp.c:40
[<000000009258546e>] vlan_dev_open+0x477/0x890 net/8021q/vlan_dev.c:292
[<0000000059acd82b>] __dev_open+0x281/0x410 net/core/dev.c:1609
[<000000004e6dc695>] __dev_change_flags+0x424/0x560 net/core/dev.c:8767
[<00000000471a09af>] rtnl_configure_link+0xd9/0x210 net/core/rtnetlink.c:3122
[<0000000037a4672b>] __rtnl_newlink+0xe08/0x13e0 net/core/rtnetlink.c:3448
[<000000008d5d0fda>] rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3488
[<000000004882fe39>] rtnetlink_rcv_msg+0x369/0xa10 net/core/rtnetlink.c:5552
[<00000000907e6c54>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
[<00000000e7d7a8c4>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
[<00000000e7d7a8c4>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
[<00000000e0645d50>] netlink_sendmsg+0x78e/0xc90 net/netlink/af_netlink.c:1929
[<00000000c24559b7>] sock_sendmsg_nosec net/socket.c:654 [inline]
[<00000000c24559b7>] sock_sendmsg+0x139/0x170 net/socket.c:674
[<00000000fc210bc2>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
[<00000000be4577b5>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
Calling mrp_request_leave() after mrp_request_join(), the attr->state
is set to MRP_APPLICANT_VO, mrp_attr_destroy() won't be called in last
TX event in mrp_uninit_applicant(), the attr of applicant will be leaked.
To fix this leak, iterate and free each attr of applicant before rerturning
from mrp_uninit_applicant().
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/802/mrp.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/net/802/mrp.c b/net/802/mrp.c
index bea6e43d45a0..35e04cc5390c 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -292,6 +292,19 @@ static void mrp_attr_destroy(struct mrp_applicant *app, struct mrp_attr *attr)
kfree(attr);
}
+static void mrp_attr_destroy_all(struct mrp_applicant *app)
+{
+ struct rb_node *node, *next;
+ struct mrp_attr *attr;
+
+ for (node = rb_first(&app->mad);
+ next = node ? rb_next(node) : NULL, node != NULL;
+ node = next) {
+ attr = rb_entry(node, struct mrp_attr, node);
+ mrp_attr_destroy(app, attr);
+ }
+}
+
static int mrp_pdu_init(struct mrp_applicant *app)
{
struct sk_buff *skb;
@@ -895,6 +908,7 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl)
spin_lock_bh(&app->lock);
mrp_mad_event(app, MRP_EVENT_TX);
+ mrp_attr_destroy_all(app);
mrp_pdu_queue(app);
spin_unlock_bh(&app->lock);
--
2.30.2
next reply other threads:[~2021-07-23 3:58 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-23 3:57 Sasha Levin [this message]
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 02/17] net/802/garp: fix memleak in garp_request_join() Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 03/17] net: annotate data race around sk_ll_usec Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 04/17] sctp: move 198 addresses from unusable to private scope Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 05/17] rcu-tasks: Don't delete holdouts within trc_inspect_reader() Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 06/17] rcu-tasks: Don't delete holdouts within trc_wait_for_one_reader() Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 07/17] ipv6: allocate enough headroom in ip6_finish_output2() Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 08/17] drm/ttm: add a check against null pointer dereference Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 09/17] hfs: add missing clean-up in hfs_fill_super Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 10/17] hfs: fix high memory mapping in hfs_bnode_read Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 11/17] hfs: add lock nesting notation to hfs_find_init Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 12/17] firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 13/17] firmware: arm_scmi: Fix range check for the maximum number of pending messages Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 14/17] cifs: fix the out of range assignment to bit fields in parse_server_interfaces Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 15/17] iomap: remove the length variable in iomap_seek_data Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 16/17] iomap: remove the length variable in iomap_seek_hole Sasha Levin
2021-07-23 3:57 ` [PATCH AUTOSEL 5.10 17/17] ARM: dts: versatile: Fix up interrupt controller node names Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210723035748.531594-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=hulkci@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yangyingliang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).