Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753454AbbLNS7V (ORCPT ); Mon, 14 Dec 2015 13:59:21 -0500 Received: from mail-pf0-f175.google.com ([209.85.192.175]:35894 "EHLO mail-pf0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753300AbbLNS7T (ORCPT ); Mon, 14 Dec 2015 13:59:19 -0500 Subject: Re: [PATCH 4.3 34/71] vrf: fix double free and memory corruption on register_netdevice failure To: Ben Hutchings , Greg Kroah-Hartman , linux-kernel@vger.kernel.org References: <20151212200536.761001328@linuxfoundation.org> <20151212200538.468407629@linuxfoundation.org> <1450115142.3944.10.camel@decadent.org.uk> Cc: stable@vger.kernel.org, Nikolay Aleksandrov , "David S. Miller" From: David Ahern Message-ID: <566F1183.10907@cumulusnetworks.com> Date: Mon, 14 Dec 2015 11:59:15 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 MIME-Version: 1.0 In-Reply-To: <1450115142.3944.10.camel@decadent.org.uk> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2105 Lines: 77 On 12/14/15 10:45 AM, Ben Hutchings wrote: > On Sat, 2015-12-12 at 12:05 -0800, Greg Kroah-Hartman wrote: >> 4.3-stable review patch. If anyone has any objections, please let me >> know. >> >> ------------------ >> >> From: Nikolay Aleksandrov >> >> [ Upstream commit 7f109f7cc37108cba7243bc832988525b0d85909 ] > [...] >> --- a/drivers/net/vrf.c >> +++ b/drivers/net/vrf.c >> @@ -581,7 +581,6 @@ static int vrf_newlink(struct net *src_n >> { >> struct net_vrf *vrf = netdev_priv(dev); >> struct net_vrf_dev *vrf_ptr; >> - int err; >> >> if (!data || !data[IFLA_VRF_TABLE]) >> return -EINVAL; >> @@ -590,26 +589,16 @@ static int vrf_newlink(struct net *src_n >> >> dev->priv_flags |= IFF_VRF_MASTER; >> >> - err = -ENOMEM; >> vrf_ptr = kmalloc(sizeof(*dev->vrf_ptr), GFP_KERNEL); >> if (!vrf_ptr) >> - goto out_fail; >> + return -ENOMEM; >> >> vrf_ptr->ifindex = dev->ifindex; >> vrf_ptr->tb_id = vrf->tb_id; >> >> - err = register_netdevice(dev); >> - if (err < 0) >> - goto out_fail; >> - >> rcu_assign_pointer(dev->vrf_ptr, vrf_ptr); >> >> - return 0; >> - >> -out_fail: >> - kfree(vrf_ptr); >> - free_netdev(dev); >> - return err; >> + return register_netdev(dev); >> } >> >> static size_t vrf_nl_getsize(const struct net_device *dev) > > This leaks *dev->vrf_ptr if register_netdevice() fails. (This bug does > not exist in the mainline version, as net_device::vrf_ptr no longer > exists there.) Good catch. The backport just needs to drop the free_netdev call: diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index 488c6f50df73..374feba02565 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c @@ -608,7 +608,6 @@ static int vrf_newlink(struct net *src_net, struct net_device *dev, out_fail: kfree(vrf_ptr); - free_netdev(dev); return err; } -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/