* [PATCH] net: genetlink: Fix memleak in genl_family_rcv_msg_dumpit()
@ 2020-06-02 6:45 YueHaibing
2020-06-02 18:04 ` Cong Wang
0 siblings, 1 reply; 3+ messages in thread
From: YueHaibing @ 2020-06-02 6:45 UTC (permalink / raw)
To: davem, kuba, jiri; +Cc: netdev, linux-kernel, YueHaibing
dumpit info is freed by cb->done now (genl_lock_done()/
genl_parallel_done()), however if any error occurs before
cb->done is called, info and attrs will leak.
unreferenced object 0xffff888119904840 (size 32):
comm "syz-executor.0", pid 857, jiffies 4295306979 (age 18.692s)
hex dump (first 32 bytes):
60 2d 5a af ff ff ff ff c0 d6 a5 ae ff ff ff ff `-Z.............
00 00 00 00 00 00 00 00 60 b4 25 ac ff ff ff ff ........`.%.....
backtrace:
[<0000000048573ee1>] kmalloc include/linux/slab.h:555 [inline]
[<0000000048573ee1>] genl_dumpit_info_alloc net/netlink/genetlink.c:463 [inline]
[<0000000048573ee1>] genl_family_rcv_msg_dumpit net/netlink/genetlink.c:598 [inline]
[<0000000048573ee1>] genl_family_rcv_msg net/netlink/genetlink.c:715 [inline]
[<0000000048573ee1>] genl_rcv_msg+0x7b7/0xce0 net/netlink/genetlink.c:735
[<000000006d27610a>] netlink_rcv_skb+0x139/0x390 net/netlink/af_netlink.c:2469
[<00000000d643c808>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:746
[<00000000fdec3fc5>] netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
[<00000000fdec3fc5>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1329
[<0000000027eb500d>] netlink_sendmsg+0x793/0xc80 net/netlink/af_netlink.c:1918
[<000000006e6952a8>] sock_sendmsg_nosec net/socket.c:652 [inline]
[<000000006e6952a8>] sock_sendmsg+0x139/0x170 net/socket.c:672
Fixes: 1927f41a22a0 ("net: genetlink: introduce dump info struct to be available during dumpit op")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
---
net/netlink/genetlink.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 9f357aa22b94..cd719aecb0e2 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -548,8 +548,6 @@ static int genl_lock_done(struct netlink_callback *cb)
rc = ops->done(cb);
genl_unlock();
}
- genl_family_rcv_msg_attrs_free(info->family, info->attrs, true);
- genl_dumpit_info_free(info);
return rc;
}
@@ -561,8 +559,6 @@ static int genl_parallel_done(struct netlink_callback *cb)
if (ops->done)
rc = ops->done(cb);
- genl_family_rcv_msg_attrs_free(info->family, info->attrs, true);
- genl_dumpit_info_free(info);
return rc;
}
@@ -594,7 +590,6 @@ static int genl_family_rcv_msg_dumpit(const struct genl_family *family,
return PTR_ERR(attrs);
no_attrs:
- /* Allocate dumpit info. It is going to be freed by done() callback. */
info = genl_dumpit_info_alloc();
if (!info) {
genl_family_rcv_msg_attrs_free(family, attrs, true);
@@ -630,6 +625,9 @@ static int genl_family_rcv_msg_dumpit(const struct genl_family *family,
err = __netlink_dump_start(net->genl_sock, skb, nlh, &c);
}
+ genl_family_rcv_msg_attrs_free(info->family, info->attrs, true);
+ genl_dumpit_info_free(info);
+
return err;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] net: genetlink: Fix memleak in genl_family_rcv_msg_dumpit()
2020-06-02 6:45 [PATCH] net: genetlink: Fix memleak in genl_family_rcv_msg_dumpit() YueHaibing
@ 2020-06-02 18:04 ` Cong Wang
2020-06-03 2:20 ` Yuehaibing
0 siblings, 1 reply; 3+ messages in thread
From: Cong Wang @ 2020-06-02 18:04 UTC (permalink / raw)
To: YueHaibing
Cc: David Miller, Jakub Kicinski, Jiri Pirko,
Linux Kernel Network Developers, LKML
On Mon, Jun 1, 2020 at 11:47 PM YueHaibing <yuehaibing@huawei.com> wrote:
> @@ -630,6 +625,9 @@ static int genl_family_rcv_msg_dumpit(const struct genl_family *family,
> err = __netlink_dump_start(net->genl_sock, skb, nlh, &c);
> }
>
> + genl_family_rcv_msg_attrs_free(info->family, info->attrs, true);
> + genl_dumpit_info_free(info);
> +
> return err;
> }
I do not think you can just move it after __netlink_dump_start(),
because cb->done() can be called, for example, in netlink_sock_destruct()
too.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] net: genetlink: Fix memleak in genl_family_rcv_msg_dumpit()
2020-06-02 18:04 ` Cong Wang
@ 2020-06-03 2:20 ` Yuehaibing
0 siblings, 0 replies; 3+ messages in thread
From: Yuehaibing @ 2020-06-03 2:20 UTC (permalink / raw)
To: Cong Wang
Cc: David Miller, Jakub Kicinski, Jiri Pirko,
Linux Kernel Network Developers, LKML
On 2020/6/3 2:04, Cong Wang wrote:
> On Mon, Jun 1, 2020 at 11:47 PM YueHaibing <yuehaibing@huawei.com> wrote:
>> @@ -630,6 +625,9 @@ static int genl_family_rcv_msg_dumpit(const struct genl_family *family,
>> err = __netlink_dump_start(net->genl_sock, skb, nlh, &c);
>> }
>>
>> + genl_family_rcv_msg_attrs_free(info->family, info->attrs, true);
>> + genl_dumpit_info_free(info);
>> +
>> return err;
>> }
>
> I do not think you can just move it after __netlink_dump_start(),
> because cb->done() can be called, for example, in netlink_sock_destruct()
> too.
netlink_sock_destruct() call cb->done() while nlk->cb_running is true,
if nlk->cb_running is not set to true in __netlink_dump_start() before return,
the memleak still occurs.
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-03 2:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-02 6:45 [PATCH] net: genetlink: Fix memleak in genl_family_rcv_msg_dumpit() YueHaibing
2020-06-02 18:04 ` Cong Wang
2020-06-03 2:20 ` Yuehaibing
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).