linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Takeshi Misawa <jeliantsurux@gmail.com>,
	David Howells <dhowells@redhat.com>,
	Jakub Kicinski <kuba@kernel.org>,
	syzbot+305326672fed51b205f7@syzkaller.appspotmail.com
Subject: [PATCH 4.19 33/37] rxrpc: Fix memory leak in rxrpc_lookup_local
Date: Tue,  2 Feb 2021 14:39:16 +0100	[thread overview]
Message-ID: <20210202132944.315041162@linuxfoundation.org> (raw)
In-Reply-To: <20210202132942.915040339@linuxfoundation.org>

From: Takeshi Misawa <jeliantsurux@gmail.com>

commit b8323f7288abd71794cd7b11a4c0a38b8637c8b5 upstream.

Commit 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record")
Then release ref in __rxrpc_put_peer and rxrpc_put_peer_locked.

	struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp)
	-               peer->local = local;
	+               peer->local = rxrpc_get_local(local);

rxrpc_discard_prealloc also need ref release in discarding.

syzbot report:
BUG: memory leak
unreferenced object 0xffff8881080ddc00 (size 256):
  comm "syz-executor339", pid 8462, jiffies 4294942238 (age 12.350s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 0a 00 00 00 00 c0 00 08 81 88 ff ff  ................
  backtrace:
    [<000000002b6e495f>] kmalloc include/linux/slab.h:552 [inline]
    [<000000002b6e495f>] kzalloc include/linux/slab.h:682 [inline]
    [<000000002b6e495f>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
    [<000000002b6e495f>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
    [<000000006b43a77b>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
    [<00000000fd447a55>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
    [<000000007fd8867c>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
    [<0000000063d80ec1>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
    [<00000000073c5efa>] setup_net+0xde/0x2d0 net/core/net_namespace.c:342
    [<00000000a6744d5b>] copy_net_ns+0x19f/0x3e0 net/core/net_namespace.c:483
    [<0000000017d3aec3>] create_new_namespaces+0x199/0x4f0 kernel/nsproxy.c:110
    [<00000000186271ef>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
    [<000000002de7bac4>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2957
    [<00000000349b12ba>] __do_sys_unshare kernel/fork.c:3025 [inline]
    [<00000000349b12ba>] __se_sys_unshare kernel/fork.c:3023 [inline]
    [<00000000349b12ba>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3023
    [<000000006d178ef7>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000637076d4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record")
Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
Reported-and-tested-by: syzbot+305326672fed51b205f7@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/r/161183091692.3506637.3206605651502458810.stgit@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/rxrpc/call_accept.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/rxrpc/call_accept.c
+++ b/net/rxrpc/call_accept.c
@@ -211,6 +211,7 @@ void rxrpc_discard_prealloc(struct rxrpc
 	tail = b->peer_backlog_tail;
 	while (CIRC_CNT(head, tail, size) > 0) {
 		struct rxrpc_peer *peer = b->peer_backlog[tail];
+		rxrpc_put_local(peer->local);
 		kfree(peer);
 		tail = (tail + 1) & (size - 1);
 	}



  parent reply	other threads:[~2021-02-02 14:53 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-02 13:38 [PATCH 4.19 00/37] 4.19.173-rc1 review Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 01/37] nbd: freeze the queue while were adding connections Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 02/37] ACPI: sysfs: Prefer "compatible" modalias Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 03/37] kernel: kexec: remove the lock operation of system_transition_mutex Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 04/37] xen/privcmd: allow fetching resource sizes Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 05/37] ALSA: hda/via: Apply the workaround generically for Clevo machines Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 06/37] media: rc: ensure that uevent can be read directly after rc device register Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 07/37] ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 08/37] wext: fix NULL-ptr-dereference with cfg80211s lack of commit() Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 09/37] net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 10/37] PM: hibernate: flush swap writer after marking Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 11/37] drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 12/37] drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 13/37] KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 14/37] KVM: x86: get smi pending status correctly Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 15/37] xen: Fix XenStore initialisation for XS_LOCAL Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.19 16/37] leds: trigger: fix potential deadlock with libata Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 17/37] mt7601u: fix kernel crash unplugging the device Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 18/37] mt7601u: fix rx buffer refcounting Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 19/37] xen-blkfront: allow discard-* nodes to be optional Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 20/37] ARM: imx: build suspend-imx6.S with arm instruction set Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 21/37] netfilter: nft_dynset: add timeout extension to template Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 22/37] xfrm: Fix oops in xfrm_replay_advance_bmp Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 23/37] xfrm: fix disable_xfrm sysctl when used on xfrm interfaces Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 24/37] RDMA/cxgb4: Fix the reported max_recv_sge value Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 25/37] pNFS/NFSv4: Fix a layout segment leak in pnfs_layout_process() Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 26/37] iwlwifi: pcie: use jiffies for memory read spin time limit Greg Kroah-Hartman
2021-02-03 20:42   ` Pavel Machek
2021-02-02 13:39 ` [PATCH 4.19 27/37] iwlwifi: pcie: reschedule in long-running memory reads Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 28/37] mac80211: pause TX while changing interface type Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 29/37] net/mlx5: Fix memory leak on flow table creation error flow Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 30/37] can: dev: prevent potential information leak in can_fill_info() Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 31/37] iommu/vt-d: Gracefully handle DMAR units with no supported address widths Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 32/37] iommu/vt-d: Dont dereference iommu_device if IOMMU_API is not built Greg Kroah-Hartman
2021-02-02 13:39 ` Greg Kroah-Hartman [this message]
2021-02-02 13:39 ` [PATCH 4.19 34/37] NFC: fix resource leak when target index is invalid Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 35/37] NFC: fix possible resource leak Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 36/37] team: protect features update by RCU to avoid deadlock Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.19 37/37] tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN Greg Kroah-Hartman
2021-02-02 17:48 ` [PATCH 4.19 00/37] 4.19.173-rc1 review Pavel Machek
2021-02-03  3:22 ` Naresh Kamboju
2021-02-03 15:42 ` Shuah Khan
2021-02-03 20:42 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210202132944.315041162@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dhowells@redhat.com \
    --cc=jeliantsurux@gmail.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+305326672fed51b205f7@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).