Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1753402ybl; Sat, 11 Jan 2020 02:07:52 -0800 (PST) X-Google-Smtp-Source: APXvYqxy0CwG8IiSVZuikMivNPW2qkJtS/RuhHKSPMpEKh+O6NaTS+6UFsafHQbLGeH8PPpb8rk3 X-Received: by 2002:aca:220c:: with SMTP id b12mr5617830oic.55.1578737271980; Sat, 11 Jan 2020 02:07:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1578737271; cv=none; d=google.com; s=arc-20160816; b=dJc05Bj/ktYqnIBYBgdMcjNm3GY3b3D0jvsJ+0JeLJl56z1ja2fec1ZV4REO2gLkuX ofnZp3QtV2ETRBlK0wmF5y7bFhYR584gt64R+iAD62dzmo0f4DLJ+wNe8/UluvzcGVGT soc3hZrwFi0ji38C3Dz+LJ4skxYVofzJmnXNXCe8djzEeifpbtgIK9Oz1Gp6zu1iy84a gpb0uExv4rI48DnLEh/Hy59LVw7PcPvJABAs5wv0BIlsVaH4BkbBoAZQmCIs6rIEvhal CZ8Sj6286Dcae85x69NVhgn1563XWaeZFwHj08wMTd4A2SYX1nHt15LJ5SUrxjdASl4C LZ8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=koNKW464bLWnxPAfVZSFvx5+sS3yGWSamxo9ekMJv1k=; b=GGxGHogZi+7HibweuZBdNIfqSHX0uH7E5jlBqaBZGs7jQ/zmVbfSD2+hw53w1a8I5G p3x8avT3aZigI9lZvpDWgmPktaKM+c+HWwmnWlHLEQQZQzjujhANPVQfawhW3VrC9JGv bLZRGbjwCuOuAIC42QV7oHZgEiGztkSab8JIo127GD9iSwT6Bx1bfJIvLzmTQJpx1C8i uXC5zX4p0EXVqu0w2/Jen0iZPNmkgBytV+9SCD1NQv4thYlf6Vnbj0aXwMftwj7+3jjz 0A8wIt4fk9AjtCrRI4VGjhkIt4CGZNJfFwTUFe+PbpQuWa48xg+hRGet29anKkxlMdXB h4aw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Kp6oYrX1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s6si3215675otp.126.2020.01.11.02.07.40; Sat, 11 Jan 2020 02:07:51 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Kp6oYrX1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729521AbgAKKGu (ORCPT + 99 others); Sat, 11 Jan 2020 05:06:50 -0500 Received: from mail.kernel.org ([198.145.29.99]:41190 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728893AbgAKKGt (ORCPT ); Sat, 11 Jan 2020 05:06:49 -0500 Received: from localhost (unknown [62.119.166.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8731F206DA; Sat, 11 Jan 2020 10:06:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578737209; bh=kZGM1WKiRixqfuBi3lyzYU5wQdVEpt56nuy0jTJIuqk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Kp6oYrX1IwiHDZjKvlaayDKjxkGPPM00EGj69ZsaHD8c8WO5xdX3hz4VMMhgcCqiH SGhAqaCo6z4xKA/VMpkw8wc+H00l6ppt0yxmzc+KKRo3PV7/684Emy/jZHfLBvABk3 0DTTVOVoZIlwlG+9KL3kKAJbJ4OMXCqNkVPvWQQM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , "David S. Miller" Subject: [PATCH 4.9 89/91] vlan: fix memory leak in vlan_dev_set_egress_priority Date: Sat, 11 Jan 2020 10:50:22 +0100 Message-Id: <20200111094913.319527830@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200111094844.748507863@linuxfoundation.org> References: <20200111094844.748507863@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Dumazet [ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ] There are few cases where the ndo_uninit() handler might be not called if an error happens while device is initialized. Since vlan_newlink() calls vlan_changelink() before trying to register the netdevice, we need to make sure vlan_dev_uninit() has been called at least once, or we might leak allocated memory. BUG: memory leak unreferenced object 0xffff888122a206c0 (size 32): comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s) hex dump (first 32 bytes): 00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00 ......as........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] [<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline] [<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline] [<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549 [<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline] [<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194 [<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126 [<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181 [<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305 [<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363 [<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424 [<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 [<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 [<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] [<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328 [<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917 [<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline] [<000000006250c27e>] sock_sendmsg+0x54/0x70 net/socket.c:659 [<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330 [<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384 [<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417 [<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline] [<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline] [<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424 Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/8021q/vlan.h | 1 + net/8021q/vlan_dev.c | 3 ++- net/8021q/vlan_netlink.c | 9 +++++---- 3 files changed, 8 insertions(+), 5 deletions(-) --- a/net/8021q/vlan.h +++ b/net/8021q/vlan.h @@ -109,6 +109,7 @@ int vlan_check_real_dev(struct net_devic void vlan_setup(struct net_device *dev); int register_vlan_dev(struct net_device *dev); void unregister_vlan_dev(struct net_device *dev, struct list_head *head); +void vlan_dev_uninit(struct net_device *dev); bool vlan_dev_inherit_address(struct net_device *dev, struct net_device *real_dev); --- a/net/8021q/vlan_dev.c +++ b/net/8021q/vlan_dev.c @@ -610,7 +610,8 @@ static int vlan_dev_init(struct net_devi return 0; } -static void vlan_dev_uninit(struct net_device *dev) +/* Note: this function might be called multiple times for the same device. */ +void vlan_dev_uninit(struct net_device *dev) { struct vlan_priority_tci_mapping *pm; struct vlan_dev_priv *vlan = vlan_dev_priv(dev); --- a/net/8021q/vlan_netlink.c +++ b/net/8021q/vlan_netlink.c @@ -157,10 +157,11 @@ static int vlan_newlink(struct net *src_ return -EINVAL; err = vlan_changelink(dev, tb, data); - if (err < 0) - return err; - - return register_vlan_dev(dev); + if (!err) + err = register_vlan_dev(dev); + if (err) + vlan_dev_uninit(dev); + return err; } static inline size_t vlan_qos_map_size(unsigned int n)