Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp4109268ybe; Mon, 9 Sep 2019 04:28:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqzjl1Xmzaa4+n9WLr1imHOeXL6g+f0rJO+HphPedpM/8u2vgTWuMLfLoJMBj7NydXxI7smW X-Received: by 2002:a17:906:8406:: with SMTP id n6mr19160976ejx.138.1568028496661; Mon, 09 Sep 2019 04:28:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568028496; cv=none; d=google.com; s=arc-20160816; b=qSIYLntRDXAkrLbWIPra0NdX+oMPTLdwt/vlBVxaPKgK4rek2mPrwOnk2deQ35UIDu Di7x0/Dgi0kckhJS2oT/XtSh7LBaXspzfS2jw74ufnNKeJEpTAMcn+JoudkCZ7Fd12I4 0POcBUuw9dr3HWN4xX5TbURPqM5N/3MpTXUY7wrNZZbCFRt0HqCe4VDYdE01+/u6BM+s 12gSgggyeMS19jOb2v+Qr5PYBzq8Fa56aTBpp5JgZ2yEul7oiwnVpnMQdvypRt/h2DDk p3uD3Aq5L6Cex68w2bIfa2DOcZuA6P2oCAfeNHDKLgh592w+JAaPXiNZv9FE8kFQ1nlo unaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=pPEGGEDb2d16lQS0XH0Lf39ujGtlhe9Q2sIMQ+m6AaU=; b=LfUXPWD3FolOWMEqsQaR+NOeisQtpuZJ/czuAB2o+1rQ60HB1vrhG2pPs5wQazpQ/g CCaJ4dE7BYUCTZkPhes7Js9j6LCPiJqerOssvQ8Tu29fsnhjY75PZzPin96AQZFNztrU fzl9DwLQG54je5cxYZ9GXoPb4LVOkuLCAvLPlj1ztph7JO1zS78GP+d/Ai+GtsD/Rj5n 1kVa9cWO/4TF5k2q3MgM5M26GRtl4bEtAFOsiW5uT3Y44tKHs23r2iW1sEKV6dGroaO+ PS0beDHXfP0urL2DI5DTru1lzrg68dFwvNtQdX6W33VXYDzs2tZCiJHGsqa00IbW0kHK kkSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="MC/KQxFx"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r20si7287997eji.135.2019.09.09.04.27.52; Mon, 09 Sep 2019 04:28:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="MC/KQxFx"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730391AbfIHMq3 (ORCPT + 99 others); Sun, 8 Sep 2019 08:46:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:34104 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726687AbfIHMq1 (ORCPT ); Sun, 8 Sep 2019 08:46:27 -0400 Received: from localhost (unknown [62.28.240.114]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6D0BA20644; Sun, 8 Sep 2019 12:46:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1567946786; bh=gdF4uvgwLqBk17amB8Ul2Jm1qxH0Aqoc/x4M99Un1q4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MC/KQxFxuef7TzAWbtzMfSOB6pHKJpF2I+ucI0KhwBG/urS5mV7WK4GqFAktWQPI1 ZUnbb30rfz6Tf3/60CugURV7DJw5IqDwKTpZGtKjRqeHnGMxTOb5feeUGDSmwFeyI6 lMEmu/Lep0v64QQqEx7AkNbR4kC/SctTJcyP/A6w= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , "David S. Miller" Subject: [PATCH 4.14 39/40] mld: fix memory leak in mld_del_delrec() Date: Sun, 8 Sep 2019 13:42:12 +0100 Message-Id: <20190908121132.593371325@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20190908121114.260662089@linuxfoundation.org> References: <20190908121114.260662089@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Dumazet [ Upstream commit a84d016479896b5526a2cc54784e6ffc41c9d6f6 ] Similar to the fix done for IPv4 in commit e5b1c6c6277d ("igmp: fix memory leak in igmpv3_del_delrec()"), we need to make sure mca_tomb and mca_sources are not blindly overwritten. Using swap() then a call to ip6_mc_clear_src() will take care of the missing free. BUG: memory leak unreferenced object 0xffff888117d9db00 (size 64): comm "syz-executor247", pid 6918, jiffies 4294943989 (age 25.350s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 fe 88 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000005b463030>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] [<000000005b463030>] slab_post_alloc_hook mm/slab.h:522 [inline] [<000000005b463030>] slab_alloc mm/slab.c:3319 [inline] [<000000005b463030>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548 [<00000000939cbf94>] kmalloc include/linux/slab.h:552 [inline] [<00000000939cbf94>] kzalloc include/linux/slab.h:748 [inline] [<00000000939cbf94>] ip6_mc_add1_src net/ipv6/mcast.c:2236 [inline] [<00000000939cbf94>] ip6_mc_add_src+0x31f/0x420 net/ipv6/mcast.c:2356 [<00000000d8972221>] ip6_mc_source+0x4a8/0x600 net/ipv6/mcast.c:449 [<000000002b203d0d>] do_ipv6_setsockopt.isra.0+0x1b92/0x1dd0 net/ipv6/ipv6_sockglue.c:748 [<000000001f1e2d54>] ipv6_setsockopt+0x89/0xd0 net/ipv6/ipv6_sockglue.c:944 [<00000000c8f7bdf9>] udpv6_setsockopt+0x4e/0x90 net/ipv6/udp.c:1558 [<000000005a9a0c5e>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3139 [<00000000910b37b2>] __sys_setsockopt+0x10f/0x220 net/socket.c:2084 [<00000000e9108023>] __do_sys_setsockopt net/socket.c:2100 [inline] [<00000000e9108023>] __se_sys_setsockopt net/socket.c:2097 [inline] [<00000000e9108023>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2097 [<00000000f4818160>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296 [<000000008d367e8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down") Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv6/mcast.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -772,12 +772,13 @@ static void mld_del_delrec(struct inet6_ im->idev = pmc->idev; im->mca_crcount = idev->mc_qrv; if (im->mca_sfmode == MCAST_INCLUDE) { - im->mca_tomb = pmc->mca_tomb; - im->mca_sources = pmc->mca_sources; + swap(im->mca_tomb, pmc->mca_tomb); + swap(im->mca_sources, pmc->mca_sources); for (psf = im->mca_sources; psf; psf = psf->sf_next) psf->sf_crcount = im->mca_crcount; } in6_dev_put(pmc->idev); + ip6_mc_clear_src(pmc); kfree(pmc); } spin_unlock_bh(&im->mca_lock);