Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4825998ybl; Wed, 22 Jan 2020 05:28:10 -0800 (PST) X-Google-Smtp-Source: APXvYqzp0tGePH8EScriaMh2OyPYFxilN6BALg9pkHGoxI3RM21tjgxJnmGBUbXqV3YLXldIKsUq X-Received: by 2002:aca:db56:: with SMTP id s83mr6807563oig.171.1579699690688; Wed, 22 Jan 2020 05:28:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579699690; cv=none; d=google.com; s=arc-20160816; b=1JJ5XVcVrsir7l8M8lbJo7io2G37I6ZgDI9DA0FT24o1KZhxm23CIcOdfDvNZXNQd/ t+fI3i02psoRZJcK6e+QsocpZP58RoUZpjaVO8H+oXTuQ0FIBKPDMnhk7UPStUMHCEMz Ql8AZvnROOsqfr+mI2YW//ercSfbwtWzJMOGVl9aSH5PH16/LMrHDwkmJ904SD8bIsq9 MX2ZxI+UuI9YCs3FcIRn+0I6yUdzG4L4BX0VpEP25dA2XZot1NyoTjh+7NaFm4PgXx7t 8pU+bIMAQjAr0P3TiuDt0HK45+7MvTmiJk+I/4iR7ube7PVQt3kDf7W0WY4jKUyyLrm9 WVCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=RSrJOrABvtB2K8TLcjfA+vPoORpUnfmX8/nh6nAdAvQ=; b=edNrmzs8SD/9OGD3YgNbFKHSrfFOwr2ei/ONwy/DSVqys6UweO9FunDorBeZiT5RLG NkchzRs0djoOV5DM+8heQNV8CozwR9x7b40dqM/3CNeYFhwNhO76RaJUWwM0vLWJ0iHS ElLguXCK3VDxuewmv6Ep/7CmVRykhNT5p9xAJi0GjlaKena/8NNT26QPHpEGTzV+MNG0 143ayxP5YIR/OHVpUA7MlhzggFbnbUUO3SSgglc+lhBiiyKDMy23cg1aGYh1FmHyCr3q ORLFfQbQYPPt/Ac71n1kTnt5PTu93NSJleGnF1GkbJop6r+xGoLqa6+mE23NflXJwLeW z6zA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iHQ4guA4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b2si21215930oic.205.2020.01.22.05.27.58; Wed, 22 Jan 2020 05:28:10 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iHQ4guA4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731673AbgAVN0q (ORCPT + 99 others); Wed, 22 Jan 2020 08:26:46 -0500 Received: from mail.kernel.org ([198.145.29.99]:47726 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731669AbgAVN0p (ORCPT ); Wed, 22 Jan 2020 08:26:45 -0500 Received: from localhost (unknown [84.241.205.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2EED62467F; Wed, 22 Jan 2020 13:26:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579699603; bh=+oCw+/pc4ZhoX6n0TJ3ziiklgPspFnfabr0Y5rbi8OU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iHQ4guA45vJoeHvG90Zp8m/sK8O9iXO8xVbiZ4hGgP7V9QXJOJiZMpw9d+FIoa8QE poAUxpyvqxgOY9AUTQA5N9hAfE+rP/PB4Sl65E1xxHLLGEEm+x/1/RKtblLEcwuS/Q FnMe0IRB8VFl+RWZfwAtcP4eBcfrbqRdaBh8fg/0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , Kevin ldir Darbyshire-Bryant , Cong Wang , =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= , "David S. Miller" Subject: [PATCH 5.4 156/222] net: sched: act_ctinfo: fix memory leak Date: Wed, 22 Jan 2020 10:29:02 +0100 Message-Id: <20200122092844.887337125@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200122092833.339495161@linuxfoundation.org> References: <20200122092833.339495161@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Dumazet [ Upstream commit 09d4f10a5e78d76a53e3e584f1e6a701b6d24108 ] Implement a cleanup method to properly free ci->params BUG: memory leak unreferenced object 0xffff88811746e2c0 (size 64): comm "syz-executor617", pid 7106, jiffies 4294943055 (age 14.250s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ c0 34 60 84 ff ff ff ff 00 00 00 00 00 00 00 00 .4`............. backtrace: [<0000000015aa236f>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] [<0000000015aa236f>] slab_post_alloc_hook mm/slab.h:586 [inline] [<0000000015aa236f>] slab_alloc mm/slab.c:3320 [inline] [<0000000015aa236f>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549 [<000000002c946bd1>] kmalloc include/linux/slab.h:556 [inline] [<000000002c946bd1>] kzalloc include/linux/slab.h:670 [inline] [<000000002c946bd1>] tcf_ctinfo_init+0x21a/0x530 net/sched/act_ctinfo.c:236 [<0000000086952cca>] tcf_action_init_1+0x400/0x5b0 net/sched/act_api.c:944 [<000000005ab29bf8>] tcf_action_init+0x135/0x1c0 net/sched/act_api.c:1000 [<00000000392f56f9>] tcf_action_add+0x9a/0x200 net/sched/act_api.c:1410 [<0000000088f3c5dd>] tc_ctl_action+0x14d/0x1bb net/sched/act_api.c:1465 [<000000006b39d986>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424 [<00000000fd6ecace>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 [<0000000047493d02>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 [<00000000bdcf8286>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] [<00000000bdcf8286>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328 [<00000000fc5b92d9>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917 [<00000000da84d076>] sock_sendmsg_nosec net/socket.c:639 [inline] [<00000000da84d076>] sock_sendmsg+0x54/0x70 net/socket.c:659 [<0000000042fb2eee>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330 [<000000008f23f67e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384 [<00000000d838e4f6>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417 [<00000000289a9cb1>] __do_sys_sendmsg net/socket.c:2426 [inline] [<00000000289a9cb1>] __se_sys_sendmsg net/socket.c:2424 [inline] [<00000000289a9cb1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424 Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Kevin 'ldir' Darbyshire-Bryant Cc: Cong Wang Cc: Toke Høiland-Jørgensen Acked-by: Kevin 'ldir' Darbyshire-Bryant Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sched/act_ctinfo.c | 11 +++++++++++ 1 file changed, 11 insertions(+) --- a/net/sched/act_ctinfo.c +++ b/net/sched/act_ctinfo.c @@ -360,6 +360,16 @@ static int tcf_ctinfo_search(struct net return tcf_idr_search(tn, a, index); } +static void tcf_ctinfo_cleanup(struct tc_action *a) +{ + struct tcf_ctinfo *ci = to_ctinfo(a); + struct tcf_ctinfo_params *cp; + + cp = rcu_dereference_protected(ci->params, 1); + if (cp) + kfree_rcu(cp, rcu); +} + static struct tc_action_ops act_ctinfo_ops = { .kind = "ctinfo", .id = TCA_ID_CTINFO, @@ -367,6 +377,7 @@ static struct tc_action_ops act_ctinfo_o .act = tcf_ctinfo_act, .dump = tcf_ctinfo_dump, .init = tcf_ctinfo_init, + .cleanup= tcf_ctinfo_cleanup, .walk = tcf_ctinfo_walker, .lookup = tcf_ctinfo_search, .size = sizeof(struct tcf_ctinfo),