From: linmiaohe
To: David Miller, "xiyou.wangcong@gmail.com"
CC: "kuba@kernel.org", "edumazet@google.com", "kafai@fb.com", "daniel@iogearbox.net", "jakub@cloudflare.com", "keescook@chromium.org", "zhang.lin16@zte.com.cn", "netdev@vger.kernel.org", "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH] net: Fix potential memory leak in proto_register()
Date: Wed, 12 Aug 2020 09:21:36 +0000
X-Mailing-List: linux-kernel@vger.kernel.org

Hi all:

David Miller wrote:
>From: Cong Wang
>Date: Tue, 11 Aug 2020 16:02:51 -0700
>
>>> @@ -3406,6 +3406,16 @@ static void sock_inuse_add(struct net *net,
>>> int val) } #endif
>>>
>>> +static void tw_prot_cleanup(struct timewait_sock_ops *twsk_prot) {
>>> + if (!twsk_prot)
>>> + return;
>>> + kfree(twsk_prot->twsk_slab_name);
>>> + twsk_prot->twsk_slab_name = NULL;
>>> + kmem_cache_destroy(twsk_prot->twsk_slab);
>>
>> Hmm, are you sure you can free the kmem cache name before
>> kmem_cache_destroy()? To me, it seems kmem_cache_destroy() frees the
>> name via slab_kmem_cache_release() via kfree_const().
>> With your patch, we have a double-free on the name?
>>
>> Or am I missing anything?
>
>Yep, there is a double free here.
>
>Please fix this.

Many thanks to both of you for pointing this issue out. But I do not really understand it; could you please explain it more?

As far as I can see, the double free path is:
1. kfree(twsk_prot->twsk_slab_name)
2. kmem_cache_destroy --> shutdown_memcg_caches --> shutdown_cache --> slab_kmem_cache_release --> kfree_const(s->name)

But twsk_prot->twsk_slab_name is allocated from kasprintf via kmalloc_track_caller, while twsk_prot->twsk_slab->name is allocated via kstrdup_const. So I think twsk_prot->twsk_slab_name and twsk_prot->twsk_slab->name point to different memory, and there is no double free. Or am I missing anything?

By the way, req_prot_cleanup() does the same thing, i.e. frees the slab_name before invoking kmem_cache_destroy(). If there is a double free, is there one here as well?

Thanks.
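Review bot: the hunk resets twsk_slab_name to NULL after kfree() but leaves twsk_slab pointing at the destroyed cache after kmem_cache_destroy(); add `twsk_prot->twsk_slab = NULL;` after the destroy so the struct carries no dangling cache pointer, matching how the name pointer is reset. On the ordering question raised in the thread, freeing twsk_slab_name before kmem_cache_destroy() is only safe if the cache holds its own copy of the name rather than the twsk_slab_name pointer; that property is what the commit message should state so the next reader does not have to retrace the kfree_const() path.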
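The disagreement above comes down to ownership: whether the slab cache keeps its own copy of the name (the kstrdup_const behaviour the reply describes) or stores the caller's pointer. The following user-space model is an added example, not code from the patch, the kernel or this thread. It runs the patch's cleanup order, free the name then destroy the cache, against both ownership models using a small tracking allocator that reports a second free of the same block instead of corrupting the heap. The toy cache, the tracking allocator and the sample name "tw_sock_TCP" are constructed for the example.

```c
/*
 * Added example: a user-space model of the kfree()-then-kmem_cache_destroy()
 * ordering discussed in the thread. Not kernel code; the toy cache and the
 * tracking allocator are constructed for illustration only.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Tracking allocator: remembers live blocks so a repeated free is detectable. */
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;
}

/* Returns 0 on a valid free, 1 if the block is not live (already freed). */
static int tracked_free(void *p)
{
    if (!p)
        return 0; /* kfree(NULL) is a no-op; mirror that */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return 0;
        }
    }
    double_frees++;
    return 1;
}

static char *tracked_strdup(const char *s)
{
    char *d = tracked_alloc(strlen(s) + 1);
    if (d)
        strcpy(d, s);
    return d;
}

/* Toy cache: like struct kmem_cache, it keeps a const char *name. */
struct toy_cache { const char *name; };

/* Model A: the cache takes its own copy of the name (kstrdup_const behaviour). */
static struct toy_cache *cache_create_copy(const char *name)
{
    struct toy_cache *c = tracked_alloc(sizeof *c);
    if (c)
        c->name = tracked_strdup(name);
    return c;
}

/* Model B: the cache stores the caller's pointer and frees it on destroy. */
static struct toy_cache *cache_create_shared(const char *name)
{
    struct toy_cache *c = tracked_alloc(sizeof *c);
    if (c)
        c->name = name;
    return c;
}

/* Mirrors slab_kmem_cache_release(): release the name, then the cache itself. */
static int cache_destroy(struct toy_cache *c)
{
    if (!c)
        return 0;
    int bad = tracked_free((void *)c->name);
    bad |= tracked_free(c);
    return bad;
}

/* Caller-side state, like struct timewait_sock_ops. */
struct toy_prot { char *slab_name; struct toy_cache *slab; };

/* The cleanup order from the patch: free the name first, then destroy the cache. */
static int prot_cleanup(struct toy_prot *p)
{
    int bad = tracked_free(p->slab_name);
    p->slab_name = NULL;
    bad |= cache_destroy(p->slab);
    p->slab = NULL;
    return bad;
}

/* Returns the number of double frees the cleanup produced under one model. */
int run_model(int cache_copies_name)
{
    struct toy_prot p;
    double_frees = 0;
    p.slab_name = tracked_strdup("tw_sock_TCP"); /* constructed, like kasprintf() output */
    p.slab = cache_copies_name ? cache_create_copy(p.slab_name)
                               : cache_create_shared(p.slab_name);
    prot_cleanup(&p);
    return double_frees;
}

int main(void)
{
    printf("cache copies the name: %d double free(s)\n", run_model(1));
    printf("cache shares the name: %d double free(s)\n", run_model(0));
    return 0;
}
```

With a cache that copies its name, the patch's order releases two distinct blocks once each; with a cache that shares the caller's pointer, the same order frees the name twice. Which model the real slab allocator follows is exactly the question the reply answers by pointing at kstrdup_const().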