From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 55/59] vlan: fix memory leak in vlan_dev_set_egress_priority
Date: Sat, 11 Jan 2020 10:50:04 +0100 [thread overview]
Message-ID: <20200111094852.370151428@linuxfoundation.org> (raw)
In-Reply-To: <20200111094835.417654274@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ]
There are few cases where the ndo_uninit() handler might be not
called if an error happens while device is initialized.
Since vlan_newlink() calls vlan_changelink() before
trying to register the netdevice, we need to make sure
vlan_dev_uninit() has been called at least once,
or we might leak allocated memory.
BUG: memory leak
unreferenced object 0xffff888122a206c0 (size 32):
comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
hex dump (first 32 bytes):
00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00 ......as........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
[<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline]
[<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline]
[<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
[<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline]
[<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
[<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
[<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
[<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
[<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
[<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
[<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
[<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
[<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
[<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
[<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
[<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline]
[<000000006250c27e>] sock_sendmsg+0x54/0x70 net/socket.c:659
[<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
[<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
[<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
[<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline]
[<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline]
[<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/8021q/vlan.h | 1 +
net/8021q/vlan_dev.c | 3 ++-
net/8021q/vlan_netlink.c | 9 +++++----
3 files changed, 8 insertions(+), 5 deletions(-)
--- a/net/8021q/vlan.h
+++ b/net/8021q/vlan.h
@@ -109,6 +109,7 @@ int vlan_check_real_dev(struct net_devic
void vlan_setup(struct net_device *dev);
int register_vlan_dev(struct net_device *dev);
void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
+void vlan_dev_uninit(struct net_device *dev);
bool vlan_dev_inherit_address(struct net_device *dev,
struct net_device *real_dev);
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -606,7 +606,8 @@ static int vlan_dev_init(struct net_devi
return 0;
}
-static void vlan_dev_uninit(struct net_device *dev)
+/* Note: this function might be called multiple times for the same device. */
+void vlan_dev_uninit(struct net_device *dev)
{
struct vlan_priority_tci_mapping *pm;
struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
--- a/net/8021q/vlan_netlink.c
+++ b/net/8021q/vlan_netlink.c
@@ -154,10 +154,11 @@ static int vlan_newlink(struct net *src_
return -EINVAL;
err = vlan_changelink(dev, tb, data);
- if (err < 0)
- return err;
-
- return register_vlan_dev(dev);
+ if (!err)
+ err = register_vlan_dev(dev);
+ if (err)
+ vlan_dev_uninit(dev);
+ return err;
}
static inline size_t vlan_qos_map_size(unsigned int n)
next prev parent reply other threads:[~2020-01-11 9:58 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-11 9:49 [PATCH 4.4 00/59] 4.4.209-stable review Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 01/59] PM / devfreq: Dont fail devfreq_dev_release if not in list Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 02/59] RDMA/cma: add missed unregister_pernet_subsys in init failure Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 03/59] scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 04/59] scsi: qla2xxx: Dont call qlt_async_event twice Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 05/59] scsi: iscsi: qla4xxx: fix double free in probe Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 06/59] scsi: libsas: stop discovering if oob mode is disconnected Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 07/59] usb: gadget: fix wrong endpoint desc Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 08/59] md: raid1: check rdev before reference in raid1_sync_request func Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 09/59] s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 10/59] s390/cpum_sf: Avoid SBD overflow condition in irq handler Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 11/59] xen/balloon: fix ballooned page accounting without hotplug enabled Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 12/59] xfs: fix mount failure crash on invalid iclog memory access Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 13/59] taskstats: fix data-race Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 14/59] Revert "perf report: Add warning when libunwind not compiled in" Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 15/59] ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 16/59] MIPS: Avoid VDSO ABI breakage due to global register variable Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 17/59] locks: print unsigned ino in /proc/locks Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 18/59] dmaengine: Fix access to uninitialized dma_slave_caps Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 19/59] compat_ioctl: block: handle Persistent Reservations Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 20/59] gpiolib: fix up emulated open drain outputs Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 21/59] ALSA: cs4236: fix error return comparison of an unsigned integer Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 22/59] ftrace: Avoid potential division by zero in function profiler Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 23/59] Bluetooth: btusb: fix PM leak in error case of setup Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 24/59] Bluetooth: delete a stray unlock Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 25/59] tty: serial: msm_serial: Fix lockup for sysrq and oops Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 26/59] drm/mst: Fix MST sideband up-reply failure handling Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 27/59] powerpc/pseries/hvconsole: Fix stack overread via udbg Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 28/59] ath9k_htc: Modify byte order for an error message Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 29/59] ath9k_htc: Discard undersized packets Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 30/59] net: add annotations on hh->hh_len lockless accesses Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 31/59] s390/smp: fix physical to logical CPU map for SMT Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 32/59] locking/x86: Remove the unused atomic_inc_short() methd Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 33/59] pstore/ram: Write new dumps to start of recycled zones Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 34/59] locking/spinlock/debug: Fix various data races Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 35/59] netfilter: ctnetlink: netns exit must wait for callbacks Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 36/59] ARM: vexpress: Set-up shared OPP table instead of individual for each CPU Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 37/59] netfilter: uapi: Avoid undefined left-shift in xt_sctp.h Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 38/59] ARM: dts: am437x-gp/epos-evm: fix panel compatible Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 39/59] powerpc: Ensure that swiotlb buffer is allocated from low memory Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 40/59] bnx2x: Do not handle requests from VFs after parity Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 41/59] bnx2x: Fix logic to get total no. of PFs per engine Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 42/59] net: usb: lan78xx: Fix error message format specifier Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 43/59] rfkill: Fix incorrect check to avoid NULL pointer dereference Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 44/59] ASoC: wm8962: fix lambda value Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 45/59] regulator: rn5t618: fix module aliases Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 46/59] kconfig: dont crash on NULL expressions in expr_eq() Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 47/59] parisc: Fix compiler warnings in debug_core.c Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 48/59] llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 49/59] net: stmmac: dwmac-sunxi: Allow all RGMII modes Greg Kroah-Hartman
2020-01-11 9:49 ` [PATCH 4.4 50/59] net: usb: lan78xx: fix possible skb leak Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 51/59] pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 52/59] sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 53/59] tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 54/59] vlan: vlan_changelink() should propagate errors Greg Kroah-Hartman
2020-01-11 9:50 ` Greg Kroah-Hartman [this message]
2020-01-11 9:50 ` [PATCH 4.4 56/59] vxlan: fix tos value before xmit Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 57/59] macvlan: do not assume mac_header is set in macvlan_broadcast() Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 58/59] USB: core: fix check for duplicate endpoints Greg Kroah-Hartman
2020-01-11 9:50 ` [PATCH 4.4 59/59] USB: serial: option: add Telit ME910G1 0x110a composition Greg Kroah-Hartman
2020-01-11 14:51 ` [PATCH 4.4 00/59] 4.4.209-stable review Guenter Roeck
2020-01-11 18:39 ` Naresh Kamboju
2020-01-13 15:41 ` Jon Hunter
2020-01-13 15:41 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200111094852.370151428@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.