From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Remi Pommarel <repk@triplefau.lt>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 38/51] mac80211: mesh: Free pending skb when destroying a mpath
Date: Mon, 3 Aug 2020 14:20:23 +0200 [thread overview]
Message-ID: <20200803121851.405451106@linuxfoundation.org> (raw)
In-Reply-To: <20200803121849.488233135@linuxfoundation.org>
From: Remi Pommarel <repk@triplefau.lt>
[ Upstream commit 5e43540c2af0a0c0a18e39579b1ad49541f87506 ]
A mpath object can hold reference on a list of skb that are waiting for
mpath resolution to be sent. When destroying a mpath this skb list
should be cleaned up in order to not leak memory.
Fixing that kind of leak:
unreferenced object 0xffff0000181c9300 (size 1088):
comm "openvpn", pid 1782, jiffies 4295071698 (age 80.416s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 f9 80 36 00 00 00 00 00 ..........6.....
02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
backtrace:
[<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
[<000000002caaef13>] sk_prot_alloc.isra.39+0x34/0x178
[<00000000ceeaa916>] sk_alloc+0x34/0x228
[<00000000ca1f1d04>] inet_create+0x198/0x518
[<0000000035626b1c>] __sock_create+0x134/0x328
[<00000000a12b3a87>] __sys_socket+0xb0/0x158
[<00000000ff859f23>] __arm64_sys_socket+0x40/0x58
[<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
[<0000000005b5157d>] el0_svc+0x8/0xc
unreferenced object 0xffff000012973a40 (size 216):
comm "openvpn", pid 1782, jiffies 4295082137 (age 38.660s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 c0 06 16 00 00 ff ff 00 93 1c 18 00 00 ff ff ................
backtrace:
[<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
[<0000000023c8c8f9>] __alloc_skb+0xc0/0x2b8
[<000000007ad950bb>] alloc_skb_with_frags+0x60/0x320
[<00000000ef90023a>] sock_alloc_send_pskb+0x388/0x3c0
[<00000000104fb1a3>] sock_alloc_send_skb+0x1c/0x28
[<000000006919d2dd>] __ip_append_data+0xba4/0x11f0
[<0000000083477587>] ip_make_skb+0x14c/0x1a8
[<0000000024f3d592>] udp_sendmsg+0xaf0/0xcf0
[<000000005aabe255>] inet_sendmsg+0x5c/0x80
[<000000008651ea08>] __sys_sendto+0x15c/0x218
[<000000003505c99b>] __arm64_sys_sendto+0x74/0x90
[<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
[<0000000005b5157d>] el0_svc+0x8/0xc
Fixes: 2bdaf386f99c (mac80211: mesh: move path tables into if_mesh)
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Link: https://lore.kernel.org/r/20200704135419.27703-1-repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/mesh_pathtbl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 1300220912051..933f26e2ff8be 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -554,6 +554,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl,
del_timer_sync(&mpath->timer);
atomic_dec(&sdata->u.mesh.mpaths);
atomic_dec(&tbl->entries);
+ mesh_path_flush_pending(mpath);
kfree_rcu(mpath, rcu);
}
--
2.25.1
next prev parent reply other threads:[~2020-08-03 12:37 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-03 12:19 [PATCH 4.14 00/51] 4.14.192-rc1 review Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 01/51] scsi: libsas: direct call probe and destruct Greg Kroah-Hartman
2020-08-03 12:57 ` John Garry
2020-08-05 9:52 ` Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 02/51] net: phy: mdio-bcm-unimac: fix potential NULL dereference in unimac_mdio_probe() Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 03/51] crypto: ccp - Release all allocated memory if sha type is invalid Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 04/51] media: rc: prevent memory leak in cx23888_ir_probe Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 05/51] iio: imu: adis16400: fix memory leak Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 06/51] ath9k_htc: release allocated buffer if timed out Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 07/51] ath9k: " Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 08/51] x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 09/51] PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 10/51] wireless: Use offsetof instead of custom macro Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 11/51] ARM: 8986/1: hw_breakpoint: Dont invoke overflow handler on uaccess watchpoints Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 12/51] random32: update the net random state on interrupt and activity Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 13/51] ARM: percpu.h: fix build error Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 14/51] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 15/51] drm: hold gem reference until object is no longer accessed Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 16/51] f2fs: check memory boundary by insane namelen Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 17/51] f2fs: check if file namelen exceeds max value Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 18/51] random: fix circular include dependency on arm64 after addition of percpu.h Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 19/51] random32: remove net_rand_state from the latent entropy gcc plugin Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 20/51] 9p/trans_fd: abort p9_read_work if req status changed Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 21/51] 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 22/51] x86/build/lto: Fix truncated .bss with -fdata-sections Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 23/51] x86, vmlinux.lds: Page-align end of ..page_aligned sections Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 24/51] rds: Prevent kernel-infoleak in rds_notify_queue_get() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 25/51] xfs: fix missed wakeup on l_flush_wait Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 26/51] net/x25: Fix x25_neigh refcnt leak when x25 disconnect Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 27/51] net/x25: Fix null-ptr-deref in x25_disconnect Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 28/51] selftests/net: rxtimestamp: fix clang issues for target arch PowerPC Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 29/51] sh: Fix validation of system call number Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 30/51] net: lan78xx: add missing endpoint sanity check Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 31/51] net: lan78xx: fix transfer-buffer memory leak Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 32/51] mlx4: disable device on shutdown Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 33/51] mlxsw: core: Increase scope of RCU read-side critical section Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 34/51] mlxsw: core: Free EMAD transactions using kfree_rcu() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 35/51] ibmvnic: Fix IRQ mapping disposal in error path Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 36/51] bpf: Fix map leak in HASH_OF_MAPS map Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 37/51] mac80211: mesh: Free ie data when leaving mesh Greg Kroah-Hartman
2020-08-03 12:20 ` Greg Kroah-Hartman [this message]
2020-08-03 12:20 ` [PATCH 4.14 39/51] arm64/alternatives: move length validation inside the subsection Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 40/51] arm64: csum: Fix handling of bad packets Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 41/51] usb: hso: Fix debug compile warning on sparc32 Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 42/51] qed: Disable "MFW indication via attention" SPAM every 5 minutes Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 43/51] nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 44/51] parisc: add support for cmpxchg on u8 pointers Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 45/51] net: ethernet: ravb: exit if re-initialization fails in tx timeout Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 46/51] Revert "i2c: cadence: Fix the hold bit setting" Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 47/51] x86/unwind/orc: Fix ORC for newly forked tasks Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 48/51] cxgb4: add missing release on skb in uld_send() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 49/51] xen-netfront: fix potential deadlock in xennet_remove() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 50/51] KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 51/51] x86/i8259: Use printk_deferred() to prevent deadlock Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200803121851.405451106@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=repk@triplefau.lt \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).