* [PATCH v2] ieee802154: hwsim: Fix memory leak in hwsim_add_one
@ 2021-06-16 2:09 Dongliang Mu
2021-06-22 18:29 ` Alexander Aring
0 siblings, 1 reply; 3+ messages in thread
From: Dongliang Mu @ 2021-06-16 2:09 UTC (permalink / raw)
To: alex.aring, stefan, davem, kuba
Cc: linux-wpan, linux-kernel, netdev, Dongliang Mu,
syzbot+b80c9959009a9325cdff
No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to
remove the entry in the edges list. Take the example below, phy0, phy1
and e0 will be deleted, resulting in e1 not freed and accessed in the
future.
hwsim_phys
|
------------------------------
| |
phy0 (edges) phy1 (edges)
----> e1 (idx = 1) ----> e0 (idx = 0)
Fix this by deleting and freeing all the entries in the edges list
between hwsim_edge_unsubscribe_me and list_del(&phy->list).
Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com
Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
---
v1->v2: add rcu_read_lock for the deletion operation according to Pavel Skripkin
drivers/net/ieee802154/mac802154_hwsim.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
index da9135231c07..cf659361a3fb 100644
--- a/drivers/net/ieee802154/mac802154_hwsim.c
+++ b/drivers/net/ieee802154/mac802154_hwsim.c
@@ -824,12 +824,17 @@ static int hwsim_add_one(struct genl_info *info, struct device *dev,
static void hwsim_del(struct hwsim_phy *phy)
{
struct hwsim_pib *pib;
+ struct hwsim_edge *e;
hwsim_edge_unsubscribe_me(phy);
list_del(&phy->list);
rcu_read_lock();
+ list_for_each_entry_rcu(e, &phy->edges, list) {
+ list_del_rcu(&e->list);
+ hwsim_free_edge(e);
+ }
pib = rcu_dereference(phy->pib);
rcu_read_unlock();
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH v2] ieee802154: hwsim: Fix memory leak in hwsim_add_one
2021-06-16 2:09 [PATCH v2] ieee802154: hwsim: Fix memory leak in hwsim_add_one Dongliang Mu
@ 2021-06-22 18:29 ` Alexander Aring
2021-06-22 19:21 ` Stefan Schmidt
0 siblings, 1 reply; 3+ messages in thread
From: Alexander Aring @ 2021-06-22 18:29 UTC (permalink / raw)
To: Dongliang Mu
Cc: Stefan Schmidt, David S. Miller, Jakub Kicinski, linux-wpan - ML,
kernel list, open list:NETWORKING [GENERAL],
syzbot+b80c9959009a9325cdff
Hi,
On Tue, 15 Jun 2021 at 22:09, Dongliang Mu <mudongliangabcd@gmail.com> wrote:
>
> No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to
> remove the entry in the edges list. Take the example below, phy0, phy1
> and e0 will be deleted, resulting in e1 not freed and accessed in the
> future.
>
> hwsim_phys
> |
> ------------------------------
> | |
> phy0 (edges) phy1 (edges)
> ----> e1 (idx = 1) ----> e0 (idx = 0)
>
> Fix this by deleting and freeing all the entries in the edges list
> between hwsim_edge_unsubscribe_me and list_del(&phy->list).
>
> Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com
> Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling")
> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Acked-by: Alexander Aring <aahringo@redhat.com>
Thanks!
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH v2] ieee802154: hwsim: Fix memory leak in hwsim_add_one
2021-06-22 18:29 ` Alexander Aring
@ 2021-06-22 19:21 ` Stefan Schmidt
0 siblings, 0 replies; 3+ messages in thread
From: Stefan Schmidt @ 2021-06-22 19:21 UTC (permalink / raw)
To: Alexander Aring, Dongliang Mu
Cc: David S. Miller, Jakub Kicinski, linux-wpan - ML, kernel list,
open list:NETWORKING [GENERAL],
syzbot+b80c9959009a9325cdff
Hello.
On 22.06.21 20:29, Alexander Aring wrote:
> Hi,
>
> On Tue, 15 Jun 2021 at 22:09, Dongliang Mu <mudongliangabcd@gmail.com> wrote:
>>
>> No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to
>> remove the entry in the edges list. Take the example below, phy0, phy1
>> and e0 will be deleted, resulting in e1 not freed and accessed in the
>> future.
>>
>> hwsim_phys
>> |
>> ------------------------------
>> | |
>> phy0 (edges) phy1 (edges)
>> ----> e1 (idx = 1) ----> e0 (idx = 0)
>>
>> Fix this by deleting and freeing all the entries in the edges list
>> between hwsim_edge_unsubscribe_me and list_del(&phy->list).
>>
>> Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com
>> Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling")
>> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
>
> Acked-by: Alexander Aring <aahringo@redhat.com>
>
> Thanks!
This patch has been applied to the wpan tree and will be
part of the next pull request to net. Thanks!
regards
Stefan Schmidt
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-06-22 19:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-16 2:09 [PATCH v2] ieee802154: hwsim: Fix memory leak in hwsim_add_one Dongliang Mu
2021-06-22 18:29 ` Alexander Aring
2021-06-22 19:21 ` Stefan Schmidt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).