Linux-WPAN Archive on lore.kernel.org
* [PATCH v2] ieee802154: hwsim: Fix memory leak in hwsim_add_one
@ 2021-06-16  2:09 Dongliang Mu
  2021-06-22 18:29 ` Alexander Aring
  0 siblings, 1 reply; 3+ messages in thread
From: Dongliang Mu @ 2021-06-16  2:09 UTC (permalink / raw)
  To: alex.aring, stefan, davem, kuba
  Cc: linux-wpan, linux-kernel, netdev, Dongliang Mu,
	syzbot+b80c9959009a9325cdff

No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to
remove the entry in the edges list. Take the example below, phy0, phy1
and e0 will be deleted, resulting in e1 not freed and accessed in the
future.

              hwsim_phys
                  |
    ------------------------------
    |                            |
phy0 (edges)                 phy1 (edges)
   ----> e1 (idx = 1)             ----> e0 (idx = 0)

Fix this by deleting and freeing all the entries in the edges list
between hwsim_edge_unsubscribe_me and list_del(&phy->list).

Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com
Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
---
v1->v2: add rcu_read_lock for the deletion operation according to Pavel Skripkin

 drivers/net/ieee802154/mac802154_hwsim.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
index da9135231c07..cf659361a3fb 100644
--- a/drivers/net/ieee802154/mac802154_hwsim.c
+++ b/drivers/net/ieee802154/mac802154_hwsim.c
@@ -824,12 +824,17 @@ static int hwsim_add_one(struct genl_info *info, struct device *dev,
 static void hwsim_del(struct hwsim_phy *phy)
 {
 	struct hwsim_pib *pib;
+	struct hwsim_edge *e;
 
 	hwsim_edge_unsubscribe_me(phy);
 
 	list_del(&phy->list);
 
 	rcu_read_lock();
+	list_for_each_entry_rcu(e, &phy->edges, list) {
+		list_del_rcu(&e->list);
+		hwsim_free_edge(e);
+	}
 	pib = rcu_dereference(phy->pib);
 	rcu_read_unlock();
 
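Review bot: the added list_for_each_entry_rcu() loop unlinks and frees e inside its own body, so the iterator's next step reads e->list.next from an entry that was just passed to hwsim_free_edge(). That is only safe if hwsim_free_edge() defers the actual free past the rcu_read_unlock() below, which is not visible in this hunk; either state that in a comment above the loop or use list_for_each_entry_safe() under the writer-side lock. rcu_read_lock() also does not serialise list_del_rcu() against other updaters of phy->edges, so the lock that does should be named or asserted here. Finally, the commit message places the cleanup between hwsim_edge_unsubscribe_me and list_del(&phy->list), while the loop is added after list_del(&phy->list); one of the two should be brought in line.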
-- 
2.25.1
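
The leak described in the commit message above, reproduced as a small userspace model. This is an added example, not part of the patch or of the kernel source: the struct layout, function names and the allocation counter are hypothetical, and the behaviour of hwsim_edge_unsubscribe_me is modelled only as far as the commit message describes it.

```c
#include <stdlib.h>

/* Constructed userspace model, not kernel code; all names are hypothetical. */
struct edge { int peer_idx; struct edge *next; };
struct phy  { int idx; int registered; struct edge *edges; };

static int live_edges;	/* outstanding edge allocations */

static void add_edge(struct phy *from, int peer_idx)
{
	struct edge *e = malloc(sizeof(*e));
	if (!e)
		abort();
	e->peer_idx = peer_idx;
	e->next = from->edges;
	from->edges = e;
	live_edges++;
}

/* Unlink and free matching edges on 'owner'; peer_idx < 0 matches all. */
static void drop_edges(struct phy *owner, int peer_idx)
{
	struct edge **pp = &owner->edges;
	while (*pp) {
		struct edge *e = *pp;
		if (peer_idx >= 0 && e->peer_idx != peer_idx) {
			pp = &e->next;
			continue;
		}
		*pp = e->next;	/* unlink before freeing */
		free(e);
		live_edges--;
	}
}

static void del_phy(struct phy *phys, int n, struct phy *me, int drain_own)
{
	for (int i = 0; i < n; i++)	/* models hwsim_edge_unsubscribe_me */
		if (phys[i].registered && &phys[i] != me)
			drop_edges(&phys[i], me->idx);
	if (drain_own)			/* models the loop the patch adds */
		drop_edges(me, -1);
	me->registered = 0;		/* models list_del(&phy->list) */
}

/* Build the two-phy topology from the diagram, remove both, count leaks. */
int leaked_edges_after_teardown(int drain_own)
{
	struct phy phys[2] = { {0, 1, NULL}, {1, 1, NULL} };
	live_edges = 0;
	add_edge(&phys[0], 1);	/* phy0 -> e1 */
	add_edge(&phys[1], 0);	/* phy1 -> e0 */
	del_phy(phys, 2, &phys[0], drain_own);
	del_phy(phys, 2, &phys[1], drain_own);
	return live_edges;
}
```

Without draining the phy's own list, e1 stays allocated after both phys are gone, because by the time phy1 is removed phy0 is no longer reachable for the unsubscribe pass.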



* Re: [PATCH v2] ieee802154: hwsim: Fix memory leak in hwsim_add_one
  2021-06-16  2:09 [PATCH v2] ieee802154: hwsim: Fix memory leak in hwsim_add_one Dongliang Mu
@ 2021-06-22 18:29 ` Alexander Aring
  2021-06-22 19:21   ` Stefan Schmidt
  0 siblings, 1 reply; 3+ messages in thread
From: Alexander Aring @ 2021-06-22 18:29 UTC (permalink / raw)
  To: Dongliang Mu
  Cc: Stefan Schmidt, David S. Miller, Jakub Kicinski, linux-wpan - ML,
	kernel list, open list:NETWORKING [GENERAL],
	syzbot+b80c9959009a9325cdff

Hi,

On Tue, 15 Jun 2021 at 22:09, Dongliang Mu <mudongliangabcd@gmail.com> wrote:
>
> No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to
> remove the entry in the edges list. Take the example below, phy0, phy1
> and e0 will be deleted, resulting in e1 not freed and accessed in the
> future.
>
>               hwsim_phys
>                   |
>     ------------------------------
>     |                            |
> phy0 (edges)                 phy1 (edges)
>    ----> e1 (idx = 1)             ----> e0 (idx = 0)
>
> Fix this by deleting and freeing all the entries in the edges list
> between hwsim_edge_unsubscribe_me and list_del(&phy->list).
>
> Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com
> Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling")
> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>

Acked-by: Alexander Aring <aahringo@redhat.com>

Thanks!


* Re: [PATCH v2] ieee802154: hwsim: Fix memory leak in hwsim_add_one
  2021-06-22 18:29 ` Alexander Aring
@ 2021-06-22 19:21   ` Stefan Schmidt
  0 siblings, 0 replies; 3+ messages in thread
From: Stefan Schmidt @ 2021-06-22 19:21 UTC (permalink / raw)
  To: Alexander Aring, Dongliang Mu
  Cc: David S. Miller, Jakub Kicinski, linux-wpan - ML, kernel list,
	open list:NETWORKING [GENERAL],
	syzbot+b80c9959009a9325cdff

Hello.

On 22.06.21 20:29, Alexander Aring wrote:
> Hi,
> 
> On Tue, 15 Jun 2021 at 22:09, Dongliang Mu <mudongliangabcd@gmail.com> wrote:
>>
>> No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to
>> remove the entry in the edges list. Take the example below, phy0, phy1
>> and e0 will be deleted, resulting in e1 not freed and accessed in the
>> future.
>>
>>                hwsim_phys
>>                    |
>>      ------------------------------
>>      |                            |
>> phy0 (edges)                 phy1 (edges)
>>     ----> e1 (idx = 1)             ----> e0 (idx = 0)
>>
>> Fix this by deleting and freeing all the entries in the edges list
>> between hwsim_edge_unsubscribe_me and list_del(&phy->list).
>>
>> Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com
>> Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling")
>> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
> 
> Acked-by: Alexander Aring <aahringo@redhat.com>
> 
> Thanks!


This patch has been applied to the wpan tree and will be
part of the next pull request to net. Thanks!

regards
Stefan Schmidt
