From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Takeshi Misawa <jeliantsurux@gmail.com>,
David Howells <dhowells@redhat.com>,
Jakub Kicinski <kuba@kernel.org>,
syzbot+305326672fed51b205f7@syzkaller.appspotmail.com
Subject: [PATCH 4.19 33/37] rxrpc: Fix memory leak in rxrpc_lookup_local
Date: Tue, 2 Feb 2021 14:39:16 +0100 [thread overview]
Message-ID: <20210202132944.315041162@linuxfoundation.org> (raw)
In-Reply-To: <20210202132942.915040339@linuxfoundation.org>
From: Takeshi Misawa <jeliantsurux@gmail.com>
commit b8323f7288abd71794cd7b11a4c0a38b8637c8b5 upstream.
Commit 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record")
Then release ref in __rxrpc_put_peer and rxrpc_put_peer_locked.
struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp)
- peer->local = local;
+ peer->local = rxrpc_get_local(local);
rxrpc_discard_prealloc also need ref release in discarding.
syzbot report:
BUG: memory leak
unreferenced object 0xffff8881080ddc00 (size 256):
comm "syz-executor339", pid 8462, jiffies 4294942238 (age 12.350s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 0a 00 00 00 00 c0 00 08 81 88 ff ff ................
backtrace:
[<000000002b6e495f>] kmalloc include/linux/slab.h:552 [inline]
[<000000002b6e495f>] kzalloc include/linux/slab.h:682 [inline]
[<000000002b6e495f>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
[<000000002b6e495f>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
[<000000006b43a77b>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
[<00000000fd447a55>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
[<000000007fd8867c>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
[<0000000063d80ec1>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
[<00000000073c5efa>] setup_net+0xde/0x2d0 net/core/net_namespace.c:342
[<00000000a6744d5b>] copy_net_ns+0x19f/0x3e0 net/core/net_namespace.c:483
[<0000000017d3aec3>] create_new_namespaces+0x199/0x4f0 kernel/nsproxy.c:110
[<00000000186271ef>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
[<000000002de7bac4>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2957
[<00000000349b12ba>] __do_sys_unshare kernel/fork.c:3025 [inline]
[<00000000349b12ba>] __se_sys_unshare kernel/fork.c:3023 [inline]
[<00000000349b12ba>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3023
[<000000006d178ef7>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000637076d4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record")
Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
Reported-and-tested-by: syzbot+305326672fed51b205f7@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/r/161183091692.3506637.3206605651502458810.stgit@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/call_accept.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/rxrpc/call_accept.c
+++ b/net/rxrpc/call_accept.c
@@ -211,6 +211,7 @@ void rxrpc_discard_prealloc(struct rxrpc
tail = b->peer_backlog_tail;
while (CIRC_CNT(head, tail, size) > 0) {
struct rxrpc_peer *peer = b->peer_backlog[tail];
+ rxrpc_put_local(peer->local);
kfree(peer);
tail = (tail + 1) & (size - 1);
}
next prev parent reply other threads:[~2021-02-02 14:53 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-02 13:38 [PATCH 4.19 00/37] 4.19.173-rc1 review Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 01/37] nbd: freeze the queue while were adding connections Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 02/37] ACPI: sysfs: Prefer "compatible" modalias Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 03/37] kernel: kexec: remove the lock operation of system_transition_mutex Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 04/37] xen/privcmd: allow fetching resource sizes Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 05/37] ALSA: hda/via: Apply the workaround generically for Clevo machines Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 06/37] media: rc: ensure that uevent can be read directly after rc device register Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 07/37] ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 08/37] wext: fix NULL-ptr-dereference with cfg80211s lack of commit() Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 09/37] net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 10/37] PM: hibernate: flush swap writer after marking Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 11/37] drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 12/37] drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 13/37] KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 14/37] KVM: x86: get smi pending status correctly Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 15/37] xen: Fix XenStore initialisation for XS_LOCAL Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 16/37] leds: trigger: fix potential deadlock with libata Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 17/37] mt7601u: fix kernel crash unplugging the device Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 18/37] mt7601u: fix rx buffer refcounting Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 19/37] xen-blkfront: allow discard-* nodes to be optional Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 20/37] ARM: imx: build suspend-imx6.S with arm instruction set Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 21/37] netfilter: nft_dynset: add timeout extension to template Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 22/37] xfrm: Fix oops in xfrm_replay_advance_bmp Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 23/37] xfrm: fix disable_xfrm sysctl when used on xfrm interfaces Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 24/37] RDMA/cxgb4: Fix the reported max_recv_sge value Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 25/37] pNFS/NFSv4: Fix a layout segment leak in pnfs_layout_process() Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 26/37] iwlwifi: pcie: use jiffies for memory read spin time limit Greg Kroah-Hartman
2021-02-03 20:42 ` Pavel Machek
2021-02-02 13:39 ` [PATCH 4.19 27/37] iwlwifi: pcie: reschedule in long-running memory reads Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 28/37] mac80211: pause TX while changing interface type Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 29/37] net/mlx5: Fix memory leak on flow table creation error flow Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 30/37] can: dev: prevent potential information leak in can_fill_info() Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 31/37] iommu/vt-d: Gracefully handle DMAR units with no supported address widths Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 32/37] iommu/vt-d: Dont dereference iommu_device if IOMMU_API is not built Greg Kroah-Hartman
2021-02-02 13:39 ` Greg Kroah-Hartman [this message]
2021-02-02 13:39 ` [PATCH 4.19 34/37] NFC: fix resource leak when target index is invalid Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 35/37] NFC: fix possible resource leak Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 36/37] team: protect features update by RCU to avoid deadlock Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 37/37] tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN Greg Kroah-Hartman
2021-02-02 17:48 ` [PATCH 4.19 00/37] 4.19.173-rc1 review Pavel Machek
2021-02-03 3:22 ` Naresh Kamboju
2021-02-03 15:42 ` Shuah Khan
2021-02-03 20:42 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210202132944.315041162@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=jeliantsurux@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+305326672fed51b205f7@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).