From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com,
Anant Thazhemadam <anant.thazhemadam@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.8 043/124] net: team: fix memory leak in __team_options_register
Date: Mon, 12 Oct 2020 15:30:47 +0200 [thread overview]
Message-ID: <20201012133148.938768556@linuxfoundation.org> (raw)
In-Reply-To: <20201012133146.834528783@linuxfoundation.org>
From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
commit 9a9e77495958c7382b2438bc19746dd3aaaabb8e upstream.
The variable "i" isn't initialized back correctly after the first loop
under the label inst_rollback gets executed.
The value of "i" is assigned to be option_count - 1, and the ensuing
loop (under alloc_rollback) begins by initializing i--.
Thus, the value of i when the loop begins execution will now become
i = option_count - 2.
Thus, when kfree(dst_opts[i]) is called in the second loop in this
order, (i.e., inst_rollback followed by alloc_rollback),
dst_optsp[option_count - 2] is the first element freed, and
dst_opts[option_count - 1] does not get freed, and thus, a memory
leak is caused.
This memory leak can be fixed, by assigning i = option_count (instead of
option_count - 1).
Fixes: 80f7c6683fe0 ("team: add support for per-port options")
Reported-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
Tested-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/team/team.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -287,7 +287,7 @@ inst_rollback:
for (i--; i >= 0; i--)
__team_option_inst_del_option(team, dst_opts[i]);
- i = option_count - 1;
+ i = option_count;
alloc_rollback:
for (i--; i >= 0; i--)
kfree(dst_opts[i]);
next prev parent reply other threads:[~2020-10-12 13:45 UTC|newest]
Thread overview: 136+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-12 13:30 [PATCH 5.8 000/124] 5.8.15-rc1 review Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 001/124] fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 002/124] Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 003/124] fbcon: Fix global-out-of-bounds read in fbcon_get_font() Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 004/124] Revert "ravb: Fixed to be able to unload modules" Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 005/124] bpf: Fix scalar32_min_max_or bounds tracking Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 006/124] crypto: arm64: Use x16 with indirect branch to bti_c Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 007/124] exfat: fix use of uninitialized spinlock on error path Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 008/124] net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 009/124] drm/nouveau/device: return error for unknown chipsets Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 010/124] drm/nouveau/mem: guard against NULL pointer access in mem_del Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 011/124] partitions/ibm: fix non-DASD devices Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 012/124] block/scsi-ioctl: Fix kernel-infoleak in scsi_put_cdrom_generic_arg() Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 013/124] vhost: Dont call access_ok() when using IOTLB Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 014/124] vhost: Use vhost_get_used_size() in vhost_vring_set_addr() Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 015/124] usermodehelper: reset umask to default before executing user process Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 016/124] splice: teach splice pipe reading about empty pipe buffers Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 017/124] Platform: OLPC: Fix memleak in olpc_ec_probe Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 018/124] platform/x86: intel-vbtn: Fix SW_TABLET_MODE always reporting 1 on the HP Pavilion 11 x360 Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 019/124] platform/x86: thinkpad_acpi: initialize tp_nvram_state variable Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 020/124] platform/x86: asus-wmi: Fix SW_TABLET_MODE always reporting 1 on many different models Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 021/124] bpf: Fix sysfs export of empty BTF section Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 022/124] bpf: Prevent .BTF section elimination Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 023/124] r8169: consider that PHY reset may still be in progress after applying firmware Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 024/124] platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 025/124] platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 026/124] nvme-core: put ctrl ref when module ref get fail Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 027/124] macsec: avoid use-after-free in macsec_handle_frame() Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 028/124] RISC-V: Make sure memblock reserves the memory containing DT Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 029/124] gpiolib: Disable compat ->read() code in UML case Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 030/124] mm/khugepaged: fix filemap page_to_pgoff(page) != offset Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 031/124] net: introduce helper sendpage_ok() in include/linux/net.h Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 032/124] tcp: use sendpage_ok() to detect misused .sendpage Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 033/124] nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage() Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 034/124] xfrmi: drop ignore_df check before updating pmtu Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 035/124] espintcp: restore IP CB before handing the packet to xfrm Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 036/124] cifs: Fix incomplete memory allocation on setxattr path Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 037/124] i2c: meson: fix clock setting overwrite Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 038/124] i2c: meson: keep peripheral clock enabled Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 039/124] i2c: meson: fixup rate calculation with filter delay Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 040/124] i2c: owl: Clear NACK and BUS error bits Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 041/124] sctp: fix sctp_auth_init_hmacs() error path Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 042/124] team: set dev->needed_headroom in team_setup_by_port() Greg Kroah-Hartman
2020-10-12 13:30 ` Greg Kroah-Hartman [this message]
2020-10-12 13:30 ` [PATCH 5.8 044/124] openvswitch: handle DNAT tuple collision Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 045/124] drm/amdgpu: prevent double kfree ttm->sg Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 046/124] btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 047/124] io_uring: fix potential ABBA deadlock in ->show_fdinfo() Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 048/124] drm/amd/pm: Removed fixed clock in auto mode DPM Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 049/124] drm/amd/display: fix return value check for hdcp_work Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 050/124] drm/vmwgfx: Fix error handling in get_node Greg Kroah-Hartman
2020-10-13 15:55 ` Roland Scheidegger
2020-10-14 6:55 ` Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 051/124] btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 052/124] iommu/vt-d: Fix lockdep splat in iommu_flush_dev_iotlb() Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 053/124] xfrm: clone XFRMA_SET_MARK in xfrm_do_migrate Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 054/124] xfrm: clone XFRMA_REPLAY_ESN_VAL " Greg Kroah-Hartman
2020-10-12 13:30 ` [PATCH 5.8 055/124] xfrm: clone XFRMA_SEC_CTX " Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 056/124] xfrm: clone whole liftime_cur structure " Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 057/124] xsk: Do not discard packet when NETDEV_TX_BUSY Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 058/124] net: stmmac: removed enabling eee in EEE set callback Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 059/124] platform/x86: fix kconfig dependency warning for LG_LAPTOP Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 060/124] platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 061/124] hinic: add log in exception handling processes Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 062/124] hinic: fix wrong return value of mac-set cmd Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 063/124] net: dsa: felix: convert TAS link speed based on phylink speed Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 064/124] xfrm: Use correct address family in xfrm_state_find Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 065/124] iavf: use generic power management Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 066/124] iavf: Fix incorrect adapter get in iavf_resume Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 067/124] ice: fix memory leak if register_netdev_fails Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 068/124] ice: fix memory leak in ice_vsi_setup Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 069/124] vmxnet3: fix cksum offload issues for non-udp tunnels Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 070/124] net: stmmac: Fix clock handling on remove path Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 071/124] net: ethernet: cavium: octeon_mgmt: use phy_start and phy_stop Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 072/124] bonding: set dev->needed_headroom in bond_setup_by_slave() Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 073/124] mdio: fix mdio-thunder.c dependency & build error Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 074/124] mlxsw: spectrum_acl: Fix mlxsw_sp_acl_tcam_group_add()s error path Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 075/124] r8169: fix RTL8168f/RTL8411 EPHY config Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 076/124] net: usb: ax88179_178a: fix missing stop entry in driver_info Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 077/124] virtio-net: dont disable guest csum when disable LRO Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 078/124] net: phy: realtek: fix rtl8211e rx/tx delay config Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 079/124] octeontx2-af: Fix enable/disable of default NPC entries Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 080/124] octeontx2-pf: Fix TCP/UDP checksum offload for IPv6 frames Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 081/124] octeontx2-pf: Fix the device state on error Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 082/124] octeontx2-pf: Fix synchnorization issue in mbox Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 083/124] pipe: Fix memory leaks in create_pipe_files() Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 084/124] net/mlx5: Fix a race when moving command interface to polling mode Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 085/124] net/mlx5: Avoid possible free of command entry while timeout comp handler Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 086/124] net/mlx5: poll cmd EQ in case of command timeout Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 087/124] net/mlx5: Add retry mechanism to the command entry index allocation Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 088/124] net/mlx5: Fix request_irqs error flow Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 089/124] net/mlx5e: Add resiliency in Striding RQ mode for packets larger than MTU Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 090/124] net/mlx5e: Fix return status when setting unsupported FEC mode Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 091/124] net/mlx5e: Fix VLAN cleanup flow Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 092/124] net/mlx5e: Fix VLAN create flow Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 093/124] net/mlx5e: Fix race condition on nhe->n pointer in neigh update Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 094/124] net: stmmac: Modify configuration method of EEE timers Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 095/124] net: hinic: fix DEVLINK build errors Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 096/124] vhost-vdpa: fix vhost_vdpa_map() on error condition Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 097/124] vhost-vdpa: fix page pinning leakage in error path Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 098/124] net: mvneta: fix double free of txq->buf Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 099/124] rxrpc: Fix rxkad token xdr encoding Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 100/124] rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read() Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 101/124] rxrpc: Fix some missing _bh annotations on locking conn->state_lock Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 102/124] rxrpc: The server keyring isnt network-namespaced Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 103/124] rxrpc: Fix server keyring leak Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 104/124] net: mscc: ocelot: rename ocelot_board.c to ocelot_vsc7514.c Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 105/124] net: mscc: ocelot: split writes to pause frame enable bit and to thresholds Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 106/124] net: mscc: ocelot: extend watermark encoding function Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 107/124] net: mscc: ocelot: divide watermark value by 60 when writing to SYS_ATOP Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 108/124] afs: Fix deadlock between writeback and truncate Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 109/124] perf: Fix task_function_call() error handling Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 110/124] mmc: core: dont set limits.discard_granularity as 0 Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 111/124] mm: validate inode in mapping_set_error() Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 112/124] mm: khugepaged: recalculate min_free_kbytes after memory hotplug as expected by khugepaged Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 113/124] tcp: fix receive window update in tcp_add_backlog() Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 114/124] netlink: fix policy dump leak Greg Kroah-Hartman
2020-10-12 13:31 ` [PATCH 5.8 115/124] net/core: check length before updating Ethertype in skb_mpls_{push,pop} Greg Kroah-Hartman
2020-10-12 13:32 ` [PATCH 5.8 116/124] net: bridge: fdb: dont flush ext_learn entries Greg Kroah-Hartman
2020-10-12 13:32 ` [PATCH 5.8 117/124] net/tls: race causes kernel panic Greg Kroah-Hartman
2020-10-12 13:32 ` [PATCH 5.8 118/124] net/mlx5e: Fix drivers declaration to support GRE offload Greg Kroah-Hartman
2020-10-12 13:32 ` [PATCH 5.8 119/124] tty/vt: Do not warn when huge selection requested Greg Kroah-Hartman
2020-10-12 13:32 ` [PATCH 5.8 120/124] Input: ati_remote2 - add missing newlines when printing module parameters Greg Kroah-Hartman
2020-10-12 13:32 ` [PATCH 5.8 121/124] net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails Greg Kroah-Hartman
2020-10-12 13:32 ` [PATCH 5.8 122/124] net: qrtr: ns: Protect radix_tree_deref_slot() using rcu read locks Greg Kroah-Hartman
2020-10-12 13:32 ` [PATCH 5.8 123/124] net_sched: defer tcf_idr_insert() in tcf_action_init_1() Greg Kroah-Hartman
2020-10-12 13:32 ` [PATCH 5.8 124/124] net_sched: commit action insertions together Greg Kroah-Hartman
2020-10-12 17:30 ` [PATCH 5.8 000/124] 5.8.15-rc1 review Jeffrin Jose T
2020-10-14 9:56 ` Greg Kroah-Hartman
2020-10-14 18:31 ` Jeffrin Jose T
2020-10-13 5:44 ` Naresh Kamboju
2020-10-14 9:57 ` Greg Kroah-Hartman
2020-10-13 16:41 ` Guenter Roeck
2020-10-14 9:57 ` Greg Kroah-Hartman
2020-10-14 1:21 ` Shuah Khan
2020-10-14 9:57 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201012133148.938768556@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=anant.thazhemadam@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).