From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Chengyang Fan <cy.fan@huawei.com>, Hulk Robot <hulkci@huawei.com>,
Hangbin Liu <liuhangbin@gmail.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 30/71] net: ipv4: fix memory leak in ip_mc_add1_src
Date: Mon, 28 Jun 2021 10:39:22 -0400 [thread overview]
Message-ID: <20210628144003.34260-31-sashal@kernel.org> (raw)
In-Reply-To: <20210628144003.34260-1-sashal@kernel.org>
From: Chengyang Fan <cy.fan@huawei.com>
[ Upstream commit d8e2973029b8b2ce477b564824431f3385c77083 ]
BUG: memory leak
unreferenced object 0xffff888101bc4c00 (size 32):
comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................
backtrace:
[<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]
[<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]
[<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
[<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
[<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
[<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
[<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
[<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
[<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
[<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
[<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
[<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
[<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
[<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae
In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set
link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,
because it was also called in igmpv3_clear_delrec().
Rough callgraph:
inetdev_destroy
-> ip_mc_destroy_dev
-> igmpv3_clear_delrec
-> ip_mc_clear_src
-> RCU_INIT_POINTER(dev->ip_ptr, NULL)
However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't
release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the
NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through
inetdev_by_index() and then in_dev->mc_list->sources cannot be released
by ip_mc_del1_src() in the sock_close. Rough call sequence goes like:
sock_close
-> __sock_release
-> inet_release
-> ip_mc_drop_socket
-> inetdev_by_index
-> ip_mc_leave_src
-> ip_mc_del_src
-> ip_mc_del1_src
So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free
in_dev->mc_list->sources.
Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info ...")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Chengyang Fan <cy.fan@huawei.com>
Acked-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/igmp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 02c1736c0b89..f4a827964b68 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1782,6 +1782,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev)
while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
in_dev->mc_list = i->next_rcu;
in_dev->mc_count--;
+ ip_mc_clear_src(i);
ip_ma_put(i);
}
}
--
2.30.2
next prev parent reply other threads:[~2021-06-28 15:19 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-28 14:38 [PATCH 4.9 00/71] 4.9.274-rc1 review Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 01/71] net: ieee802154: fix null deref in parse dev addr Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 02/71] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 03/71] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 04/71] HID: usbhid: fix info leak in hid_submit_ctrl Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 05/71] ARM: OMAP2+: Fix build warning when mmc_omap is not built Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 06/71] HID: gt683r: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 07/71] gfs2: Fix use-after-free in gfs2_glock_shrink_scan Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 08/71] scsi: target: core: Fix warning on realtime kernels Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 09/71] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 10/71] net: ipconfig: Don't override command-line hostnames or domains Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 11/71] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 12/71] net/x25: Return the correct errno code Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 13/71] net: " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 14/71] fib: " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 15/71] dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 16/71] dmaengine: stedma40: add missing iounmap() on error in d40_probe() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 17/71] mm: hwpoison: change PageHWPoison behavior on hugetlb pages Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 18/71] batman-adv: Avoid WARN_ON timing related checks Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 19/71] net: ipv4: fix memory leak in netlbl_cipsov4_add_std Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 20/71] net: rds: fix memory leak in rds_recvmsg Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 21/71] udp: fix race between close() and udp_abort() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 22/71] rtnetlink: Fix regression in bridge VLAN configuration Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 23/71] netfilter: synproxy: Fix out of bounds when parsing TCP options Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 24/71] alx: Fix an error handling path in 'alx_probe()' Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 25/71] net: stmmac: dwmac1000: Fix extended MAC address registers definition Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 26/71] qlcnic: Fix an error handling path in 'qlcnic_probe()' Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 27/71] netxen_nic: Fix an error handling path in 'netxen_nic_probe()' Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 28/71] net: cdc_ncm: switch to eth%d interface naming Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 29/71] net: usb: fix possible use-after-free in smsc75xx_bind Sasha Levin
2021-06-28 14:39 ` Sasha Levin [this message]
2021-06-28 14:39 ` [PATCH 4.9 31/71] net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 32/71] be2net: Fix an error handling path in 'be_probe()' Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 33/71] net: hamradio: fix memory leak in mkiss_close Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 34/71] net: cdc_eem: fix tx fixup skb leak Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 35/71] net: ethernet: fix potential use-after-free in ec_bhf_remove Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 36/71] scsi: core: Put .shost_dev in failure path if host state changes to RUNNING Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 37/71] radeon: use memcpy_to/fromio for UVD fw upload Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 38/71] can: bcm: fix infoleak in struct bcm_msg_head Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 39/71] tracing: Do no increment trace_clock_global() by one Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 40/71] PCI: Mark TI C667X to avoid bus reset Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 41/71] PCI: Mark some NVIDIA GPUs " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 42/71] ARCv2: save ABI registers across signal handling Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 43/71] dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 44/71] net: fec_ptp: add clock rate zero check Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 45/71] can: bcm/raw/isotp: use per module netdevice notifier Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 46/71] usb: dwc3: core: fix kernel panic when do reboot Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 47/71] tracing: Do not stop recording cmdlines when tracing is off Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 48/71] tracing: Do not stop recording comms if the trace file is being read Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 49/71] x86/fpu: Reset state for all signal restore failures Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 50/71] inet: use bigger hash table for IP ID generation Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 51/71] i40e: Be much more verbose about what we can and cannot offload Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 52/71] ARM: 9081/1: fix gcc-10 thumb2-kernel regression Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 53/71] Makefile: Move -Wno-unused-but-set-variable out of GCC only block Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 54/71] arm64: perf: Disable PMU while processing counter overflows Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 55/71] Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 56/71] mac80211: remove warning in ieee80211_get_sband() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 57/71] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 58/71] mac80211: drop multicast fragments Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 59/71] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 60/71] inet: annotate date races around sk->sk_txhash Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 61/71] net: caif: fix memory leak in ldisc_open Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 62/71] net/packet: annotate accesses to po->bind Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 63/71] net/packet: annotate accesses to po->ifindex Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 64/71] r8152: Avoid memcpy() over-reading of ETH_SS_STATS Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 65/71] sh_eth: " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 66/71] r8169: " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 67/71] net: qed: Fix memcpy() overflow of qed_dcbx_params() Sasha Levin
2021-06-28 14:40 ` [PATCH 4.9 68/71] net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY Sasha Levin
2021-06-28 14:40 ` [PATCH 4.9 69/71] nilfs2: fix memory leak in nilfs_sysfs_delete_device_group Sasha Levin
2021-06-28 14:40 ` [PATCH 4.9 70/71] i2c: robotfuzz-osif: fix control-request directions Sasha Levin
2021-06-28 14:40 ` [PATCH 4.9 71/71] Linux 4.9.274-rc1 Sasha Levin
2021-06-29 10:09 ` [PATCH 4.9 00/71] 4.9.274-rc1 review Jon Hunter
2021-06-29 12:50 ` Naresh Kamboju
2021-06-29 14:11 ` Guenter Roeck
2021-06-29 22:07 ` Sasha Levin
2021-06-29 18:18 ` Guenter Roeck
2021-06-29 23:43 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210628144003.34260-31-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=cy.fan@huawei.com \
--cc=davem@davemloft.net \
--cc=hulkci@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=liuhangbin@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.