From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, "David S. Miller"
Subject: [PATCH 4.4 55/59] vlan: fix memory leak in vlan_dev_set_egress_priority
Date: Sat, 11 Jan 2020 10:50:04 +0100
Message-Id: <20200111094852.370151428@linuxfoundation.org>
In-Reply-To: <20200111094835.417654274@linuxfoundation.org>
References: <20200111094835.417654274@linuxfoundation.org>

From: Eric Dumazet

[ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ]

There are few cases where the ndo_uninit() handler might be not
called if an error happens while device is initialized.

Since vlan_newlink() calls vlan_changelink() before
trying to register the netdevice, we need to make sure
vlan_dev_uninit() has been called at least once,
or we might leak allocated memory.

BUG: memory leak
unreferenced object 0xffff888122a206c0 (size 32):
  comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00  ......as........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline]
    [<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
    [<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline]
    [<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
    [<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
    [<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
    [<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
    [<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
    [<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
    [<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline]
    [<000000006250c27e>] sock_sendmsg+0x54/0x70
net/socket.c:659 [<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330 [<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384 [<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417 [<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline] [<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline] [<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424 Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/8021q/vlan.h | 1 + net/8021q/vlan_dev.c | 3 ++- net/8021q/vlan_netlink.c | 9 +++++---- 3 files changed, 8 insertions(+), 5 deletions(-) --- a/net/8021q/vlan.h +++ b/net/8021q/vlan.h @@ -109,6 +109,7 @@ int vlan_check_real_dev(struct net_devic void vlan_setup(struct net_device *dev); int register_vlan_dev(struct net_device *dev); void unregister_vlan_dev(struct net_device *dev, struct list_head *head); +void vlan_dev_uninit(struct net_device *dev); bool vlan_dev_inherit_address(struct net_device *dev, struct net_device *real_dev); --- a/net/8021q/vlan_dev.c +++ b/net/8021q/vlan_dev.c @@ -606,7 +606,8 @@ static int vlan_dev_init(struct net_devi return 0; } -static void vlan_dev_uninit(struct net_device *dev) +/* Note: this function might be called multiple times for the same device. */ +void vlan_dev_uninit(struct net_device *dev) { struct vlan_priority_tci_mapping *pm; struct vlan_dev_priv *vlan = vlan_dev_priv(dev); --- a/net/8021q/vlan_netlink.c +++ b/net/8021q/vlan_netlink.c @@ -154,10 +154,11 @@ static int vlan_newlink(struct net *src_ return -EINVAL; err = vlan_changelink(dev, tb, data); - if (err < 0) - return err; - - return register_vlan_dev(dev); + if (!err) + err = register_vlan_dev(dev); + if (err) + vlan_dev_uninit(dev); + return err; } static inline size_t vlan_qos_map_size(unsigned int n)
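
Review bot: In the net/8021q/vlan_dev.c hunk, the new comment above vlan_dev_uninit() says the function might be called multiple times for the same device, but it does not say what makes a second call safe. The visible context shows only the pm and vlan declarations, so please confirm that the body leaves each egress priority list empty (head pointer cleared) once its entries are freed, and state that invariant in the comment. Otherwise a later change that frees the entries without clearing the head would turn the second call into a double free.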
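
Review bot: In the vlan_newlink() hunk of net/8021q/vlan_netlink.c, the error path "if (err) vlan_dev_uninit(dev);" also runs when register_vlan_dev() fails, and the commit message says ndo_uninit() is skipped only in some failure cases, so this call can be the second uninit for the same device. A one-line comment at the call site pointing to the "might be called multiple times" note in vlan_dev.c would make that dependency explicit. Separately, the check changed from "err < 0" to "!err" / "err": this is equivalent only if vlan_changelink() returns 0 or a negative errno, because a positive return would now skip registration and be returned to the caller, so that assumption is worth stating in the changelog.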