From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Ahern
Subject: Re: [PATCH net] rtnetlink: invoke 'cb->done' destructor before 'cb->args' reset
Date: Wed, 31 Oct 2018 10:55:35 -0600
Message-ID: <104f12e4-866b-b986-cb9d-28c40d5c5e84@gmail.com>
References: <1540968178-18894-1-git-send-email-alexey.kodanev@oracle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: David Miller
To: Alexey Kodanev , netdev@vger.kernel.org
Return-path:
Received: from mail-pl1-f194.google.com ([209.85.214.194]:35249 "EHLO mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727991AbeKABy2 (ORCPT ); Wed, 31 Oct 2018 21:54:28 -0400
Received: by mail-pl1-f194.google.com with SMTP id n4-v6so6997040plp.2 for ; Wed, 31 Oct 2018 09:55:38 -0700 (PDT)
In-Reply-To: <1540968178-18894-1-git-send-email-alexey.kodanev@oracle.com>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID:

On 10/31/18 12:42 AM, Alexey Kodanev wrote:
> cb->args[2] can store the pointer to the struct fib6_walker,
> allocated in inet6_dump_fib(). On the next loop iteration in
> rtnl_dump_all(), 'memset(&cb, 0, sizeof(cb->args))' can reset
> that pointer, leaking the memory [1].
>
> Fix it by calling cb->done, if it is set, before filling 'cb->args'
> with zeros.
>
> Looks like the recent changes in rtnl_dump_all() contributed to
> the appearance of this kmemleak [1], commit c63586dc9b3e ("net:
> rtnl_dump_all needs to propagate error from dumpit function")
> breaks the loop only on an error now.
> ...

It is more efficient to keep going.

I think the simplest fix for 4.20 is to break the loop if ret is non-0 - restore the previous behavior.

For net-next I think the done callback is not needed for ipv6; I think there is a simpler way to do it.
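Added example, not from the patch under discussion or the kernel tree: a user-space C model of the leak the commit message describes. The struct and function names mirror the kernel's for readability, but every body here is a simplified stand-in (an assumption, not the real netlink code). `rtnl_dump_all_model()` walks a table of dumpit handlers exactly as the quoted text says the loop does, zeroing `cb->args` between families; with `call_done` set it applies the proposed fix and invokes `cb->done` first. A live-allocation counter stands in for kmemleak.

```c
/* Added example: user-space model of the rtnl_dump_all() loop described
 * in the commit message. Not kernel code; names are borrowed for clarity
 * and all bodies are simplified stand-ins (assumption). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct netlink_callback: only the fields the bug involves. */
struct netlink_callback {
    long args[6];
    int (*done)(struct netlink_callback *cb);
};

/* Stand-in for the per-dump state the IPv6 FIB dump allocates. */
struct fib6_walker {
    int state;
};

static int live_walkers;  /* allocations not yet freed; a leak leaves this > 0 */

/* Destructor installed in cb->done: releases the walker parked in args[2].
 * If args[2] was already zeroed, there is nothing left to free (the leak). */
static int fib6_dump_done(struct netlink_callback *cb)
{
    struct fib6_walker *w = (struct fib6_walker *)cb->args[2];
    if (w) {
        free(w);
        live_walkers--;
        cb->args[2] = 0;
    }
    return 0;
}

/* Model of inet6_dump_fib(): allocates a walker on first call, stores the
 * pointer in cb->args[2] and registers cb->done so the core can free it. */
static int inet6_dump_fib(struct netlink_callback *cb)
{
    struct fib6_walker *w = (struct fib6_walker *)cb->args[2];
    if (!w) {
        w = calloc(1, sizeof(*w));
        if (!w)
            return -1;
        live_walkers++;
        cb->args[2] = (long)w;
        cb->done = fib6_dump_done;
    }
    return 0; /* 0: this family's dump is complete, move to the next one */
}

/* A dumpit that keeps no per-dump state, like most families. */
static int plain_dump(struct netlink_callback *cb)
{
    (void)cb;
    return 0;
}

typedef int (*dumpit_t)(struct netlink_callback *cb);

/* Model of the rtnl_dump_all() loop. call_done == 0 reproduces the report:
 * args is zeroed between families and the walker pointer is lost.
 * call_done == 1 applies the proposed fix: run cb->done before the reset. */
static int rtnl_dump_all_model(dumpit_t *handlers, int n, int call_done)
{
    struct netlink_callback cb;
    int i, ret = 0;

    memset(&cb, 0, sizeof(cb));
    for (i = 0; i < n; i++) {
        if (call_done && cb.done) {
            cb.done(&cb);
            cb.done = NULL;
        }
        memset(cb.args, 0, sizeof(cb.args)); /* the reset from the report */
        ret = handlers[i](&cb);
        if (ret < 0)
            break; /* only a real error stops the loop, as the report says */
    }
    /* At the end of the dump the core calls the last registered cb->done. */
    if (cb.done)
        cb.done(&cb);
    return ret;
}

/* Runs the loop with an IPv6-style handler in the middle of the table and
 * returns how many walkers were never freed. */
static int leaked_walkers(int call_done)
{
    dumpit_t handlers[] = { plain_dump, inet6_dump_fib, plain_dump };
    live_walkers = 0;
    rtnl_dump_all_model(handlers, 3, call_done);
    return live_walkers;
}

int main(void)
{
    printf("without cb->done before reset: %d leaked\n", leaked_walkers(0));
    printf("with cb->done before reset:    %d leaked\n", leaked_walkers(1));
    return 0;
}
```

The point the model makes visible: the final `cb->done` call still happens in the unfixed case, but it runs against an `args[2]` that was already zeroed by the next iteration, so it frees nothing. Calling the destructor before the reset (or, as the reply suggests, stopping the loop on any non-zero return so the IPv6 handler is the last one run) keeps the pointer and the destructor paired.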