From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
Gengming Liu <l.dmxcsnsbh@gmail.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 47/64] atm: fix a memory leak of vcc->user_back
Date: Thu, 17 Sep 2020 22:16:26 -0400 [thread overview]
Message-ID: <20200918021643.2067895-47-sashal@kernel.org> (raw)
In-Reply-To: <20200918021643.2067895-1-sashal@kernel.org>
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 8d9f73c0ad2f20e9fed5380de0a3097825859d03 ]
In lec_arp_clear_vccs() only entry->vcc is freed, but vcc
could be installed on entry->recv_vcc too in lec_vcc_added().
This fixes the following memory leak:
unreferenced object 0xffff8880d9266b90 (size 16):
comm "atm2", pid 425, jiffies 4294907980 (age 23.488s)
hex dump (first 16 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5 ............kkk.
backtrace:
[<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151
[<(____ptrval____)>] lane_ioctl+0x4b3/0x569
[<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236
[<(____ptrval____)>] svc_ioctl+0x17d/0x198
[<(____ptrval____)>] sock_do_ioctl+0x47/0x12f
[<(____ptrval____)>] sock_ioctl+0x2f9/0x322
[<(____ptrval____)>] vfs_ioctl+0x1e/0x2b
[<(____ptrval____)>] ksys_ioctl+0x61/0x80
[<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19
[<(____ptrval____)>] do_syscall_64+0x57/0x65
[<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/atm/lec.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index e4afac94ff158..a38680e194436 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -1290,6 +1290,12 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry)
entry->vcc = NULL;
}
if (entry->recv_vcc) {
+ struct atm_vcc *vcc = entry->recv_vcc;
+ struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc);
+
+ kfree(vpriv);
+ vcc->user_back = NULL;
+
entry->recv_vcc->push = entry->old_recv_push;
vcc_release_async(entry->recv_vcc, -EPIPE);
entry->recv_vcc = NULL;
--
2.25.1
next prev parent reply other threads:[~2020-09-18 2:19 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-18 2:15 [PATCH AUTOSEL 4.4 01/64] scsi: aacraid: fix illegal IO beyond last LBA Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 02/64] m68k: q40: Fix info-leak in rtc_ioctl Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 03/64] gma/gma500: fix a memory disclosure bug due to uninitialized bytes Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 04/64] ASoC: kirkwood: fix IRQ error handling Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 05/64] ata: sata_mv, avoid trigerrable BUG_ON Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 06/64] PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 07/64] mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup() Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 08/64] mfd: mfd-core: Protect against NULL call-back function pointer Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 09/64] tracing: Adding NULL checks for trace_array descriptor pointer Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 10/64] bcache: fix a lost wake-up problem caused by mca_cannibalize_lock Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 11/64] xfs: fix attr leaf header freemap.size underflow Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 12/64] kernel/sys.c: avoid copying possible padding bytes in copy_to_user Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 13/64] neigh_stat_seq_next() should increase position index Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 14/64] rt_cpu_seq_next " Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 15/64] seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 16/64] ACPI: EC: Reference count query handlers under lock Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 17/64] tracing: Set kernel_stack's caller size properly Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 18/64] ext4: make dioread_nolock the default Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 19/64] ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter Sasha Levin
2020-09-18 2:15 ` [PATCH AUTOSEL 4.4 20/64] Bluetooth: Fix refcount use-after-free issue Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 21/64] mm: pagewalk: fix termination condition in walk_pte_range() Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 22/64] Bluetooth: prefetch channel before killing sock Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 23/64] skbuff: fix a data race in skb_queue_len() Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 24/64] audit: CONFIG_CHANGE don't log internal bookkeeping as an event Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 25/64] selinux: sel_avc_get_stat_idx should increase position index Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 26/64] scsi: lpfc: Fix RQ buffer leakage when no IOCBs available Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 27/64] drm/omap: fix possible object reference leak Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 28/64] dmaengine: tegra-apb: Prevent race conditions on channel's freeing Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 29/64] media: go7007: Fix URB type for interrupt handling Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 30/64] Bluetooth: guard against controllers sending zero'd events Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 31/64] drm/amdgpu: increase atombios cmd timeout Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 32/64] Bluetooth: L2CAP: handle l2cap config request during open state Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 33/64] media: tda10071: fix unsigned sign extension overflow Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 34/64] tpm: ibmvtpm: Wait for buffer to be set before proceeding Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 35/64] tracing: Use address-of operator on section symbols Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 36/64] serial: 8250_omap: Fix sleeping function called from invalid context during probe Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 37/64] SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 38/64] ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 39/64] ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 40/64] mm/filemap.c: clear page error before actual read Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 41/64] mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 42/64] serial: uartps: Wait for tx_empty in console setup Sasha Levin
2020-09-28 20:16 ` Naresh Kamboju
2020-09-28 22:00 ` Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 43/64] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 44/64] bdev: Reduce time holding bd_mutex in sync in blkdev_close() Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 45/64] drivers: char: tlclk.c: Avoid data race between init and interrupt handler Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 46/64] dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion Sasha Levin
2020-09-18 2:16 ` Sasha Levin [this message]
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 48/64] phy: samsung: s5pv210-usb2: Add delay after reset Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 49/64] Bluetooth: Handle Inquiry Cancel error after Inquiry Complete Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 50/64] USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 51/64] tty: serial: samsung: Correct clock selection logic Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 52/64] ALSA: hda: Fix potential race in unsol event handler Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 53/64] fuse: don't check refcount after stealing page Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 54/64] USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 55/64] e1000: Do not perform reset in reset_task if we are already down Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 56/64] printk: handle blank console arguments passed in Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 57/64] vfio/pci: fix memory leaks of eventfd ctx Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 58/64] perf kcore_copy: Fix module map when there are no modules loaded Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 59/64] mtd: rawnand: omap_elm: Fix runtime PM imbalance on error Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 60/64] ceph: fix potential race in ceph_check_caps Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 61/64] mtd: parser: cmdline: Support MTD names containing one or more colons Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 62/64] x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 63/64] vfio/pci: Clear error and request eventfd ctx after releasing Sasha Levin
2020-09-18 2:16 ` [PATCH AUTOSEL 4.4 64/64] vfio/pci: fix racy on error and request eventfd ctx Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200918021643.2067895-47-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=l.dmxcsnsbh@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox