From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Yang Yingliang, Hulk Robot, "David S . Miller", Sasha Levin, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.13 01/19] net/802/mrp: fix memleak in mrp_request_join()
Date: Thu, 22 Jul 2021 23:57:02 -0400
Message-Id: <20210723035721.531372-1-sashal@kernel.org>

From: Yang Yingliang

[ Upstream commit 996af62167d0e0ec69b938a3561e96f84ffff1aa ]

I got kmemleak report when doing fuzz test:

BUG: memory leak
unreferenced object 0xffff88810c239500 (size 64):
  comm "syz-executor940", pid 882, jiffies 4294712870 (age 14.631s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 01 00 00 00 01 02 00 04  ................
  backtrace:
    [<00000000a323afa4>] slab_alloc_node mm/slub.c:2972 [inline]
    [<00000000a323afa4>] slab_alloc mm/slub.c:2980 [inline]
    [<00000000a323afa4>] __kmalloc+0x167/0x340 mm/slub.c:4130
    [<000000005034ca11>] kmalloc include/linux/slab.h:595 [inline]
    [<000000005034ca11>] mrp_attr_create net/802/mrp.c:276 [inline]
    [<000000005034ca11>] mrp_request_join+0x265/0x550 net/802/mrp.c:530
    [<00000000fcfd81f3>] vlan_mvrp_request_join+0x145/0x170 net/8021q/vlan_mvrp.c:40
    [<000000009258546e>] vlan_dev_open+0x477/0x890 net/8021q/vlan_dev.c:292
    [<0000000059acd82b>] __dev_open+0x281/0x410 net/core/dev.c:1609
    [<000000004e6dc695>] __dev_change_flags+0x424/0x560 net/core/dev.c:8767
    [<00000000471a09af>] rtnl_configure_link+0xd9/0x210 net/core/rtnetlink.c:3122
    [<0000000037a4672b>] __rtnl_newlink+0xe08/0x13e0 net/core/rtnetlink.c:3448
    [<000000008d5d0fda>] rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3488
    [<000000004882fe39>] rtnetlink_rcv_msg+0x369/0xa10 net/core/rtnetlink.c:5552
    [<00000000907e6c54>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
    [<00000000e7d7a8c4>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
    [<00000000e7d7a8c4>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
    [<00000000e0645d50>] netlink_sendmsg+0x78e/0xc90 net/netlink/af_netlink.c:1929
    [<00000000c24559b7>] sock_sendmsg_nosec net/socket.c:654 [inline]
    [<00000000c24559b7>] sock_sendmsg+0x139/0x170 net/socket.c:674
    [<00000000fc210bc2>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
    [<00000000be4577b5>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404

Calling mrp_request_leave() after mrp_request_join(), the attr->state is set to MRP_APPLICANT_VO, mrp_attr_destroy() won't be called in last TX event in mrp_uninit_applicant(), the attr of applicant will be leaked.

To fix this leak, iterate and free each attr of applicant before returning from mrp_uninit_applicant().

Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- net/802/mrp.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/net/802/mrp.c b/net/802/mrp.c index bea6e43d45a0..35e04cc5390c 100644 --- a/net/802/mrp.c +++ b/net/802/mrp.c @@ -292,6 +292,19 @@ static void mrp_attr_destroy(struct mrp_applicant *app, struct mrp_attr *attr) kfree(attr); } +static void mrp_attr_destroy_all(struct mrp_applicant *app) +{ + struct rb_node *node, *next; + struct mrp_attr *attr; + + for (node = rb_first(&app->mad); + next = node ? rb_next(node) : NULL, node != NULL; + node = next) { + attr = rb_entry(node, struct mrp_attr, node); + mrp_attr_destroy(app, attr); + } +} + static int mrp_pdu_init(struct mrp_applicant *app) { struct sk_buff *skb; @@ -895,6 +908,7 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl) spin_lock_bh(&app->lock); mrp_mad_event(app, MRP_EVENT_TX); + mrp_attr_destroy_all(app); mrp_pdu_queue(app); spin_unlock_bh(&app->lock); -- 2.30.2
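
Review bot: in the first hunk (@@ -292,6 +292,19 @@), the for loop in mrp_attr_destroy_all() hides the fetch of the successor inside a comma expression in the loop condition ("next = node ? rb_next(node) : NULL, node != NULL"), which is easy to misread and easy to break in a later edit. The ordering is what makes the walk safe, because mrp_attr_destroy() ends in kfree(attr) and the node must not be dereferenced afterwards. A while (node) loop that assigns next = rb_next(node) as its first statement, then destroys the entry, then sets node = next would say the same thing plainly. The helper is also only called with app->lock held in this patch, so a one-line comment stating that the caller must hold app->lock would document the requirement for future callers.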
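
Review bot: in the second hunk (@@ -895,6 +908,7 @@), the placement of mrp_attr_destroy_all(app) between mrp_mad_event(app, MRP_EVENT_TX) and mrp_pdu_queue(app) is load-bearing but undocumented. Per the commit message, the TX event does not destroy attrs left in MRP_APPLICANT_VO, so the sweep has to run after that event has had its chance to act on every attr and before the lock is dropped. A short comment above the new line saying that it frees whatever the final TX event left in app->mad would keep someone from reordering these three calls. It would also help if the changelog stated whether anything can still reach app->mad after spin_unlock_bh(&app->lock) in this function, since the visible context does not show it.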